MoD laptop losses expose government data indifference

The latest data giveaway by the UK's Ministry of Defence shows that not even the most basic IT policies are being followed. There are various ways to ensure laptops do not go astray when loaded up with sensitive information. The most basic is that such information should not be on any machine unless absolutely necessary. The …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    IT Angle

    Indifference and cluelessness:

    http://milibanddumbass.blogspot.com/

  2. Anonymous Coward
    Black Helicopters

    It's all a conspiracy

    I keep saying this: once each government department has "lost" all the details of all of its "customers", then the privacy campaigners won't have a leg to stand on when ID cards are introduced!

    Pass me the tinfoil!

  3. Anonymous Coward
    Happy

    Physical protection

    Yes, maybe if someone invented some sort of cable that at one end had a loop and at the other end some sort of lock. Then the cable lock end could pass through or around something, say the seat hinge or spare wheel, through the cable loop and connect to the laptop, thus stopping any smash and grabs.

    I just can't think of why no one has thought of this simple idea before....

  4. Anonymous Coward
    Anonymous Coward

    Why can't they use a centralised database?

    It always amazes me when I read these stories, why it is that all this personal data is on a decentralised laptop.

    I work for a very small SME and even we can afford to use NetSuite (not cheap by any means) to store our customers' data on.

    This means I can take my laptop around and access our customer data from anywhere, but it isn't stored on the laptop at all.

    This Government has spent (wasted) millions on umpteen computer projects, so why they can't spend some money on a centralised database to which their users can gain access from anywhere, like we in the real world do, is beyond me.

    Regards

    Neil

  5. James Pickett
    Paris Hilton

    Parliamentary question

    One for Vince Cable, perhaps: "How many sets of personal details does HMG currently hold that it knows are still secure?"...

    Paris (looking upset) because it's unfair to suggest that even she's that clueless.

  6. Ash
    Pirate

    They don't care because they don't have to.

    We as a society have become so apathetic towards this kind of thing that they simply don't fear us anymore. We are not the empowered and informed members of society we should be. We are the impotent and weak being flogged to death slowly while being forced to watch through a rose-tinted lens.

    To paraphrase a very wise man "Go back to sleep, England. Here's 27 channels of Britney Spears being a drunken idiot. Go back to sleep, England."

  7. Anonymous Coward
    Anonymous Coward

    @Neil Briscoe

    "why they can't spend some money on a centralised database to which their users can gain access from anywhere, like we in the real world do, is beyond me."

    Prime your irony glands.

    Having spent a number of years around central government IT, I imagine it's because any IT project which involves accessing sensitive data from the big, scary internet (regardless of VPNs etc) becomes so tied up in security accreditation and arse-covering that it never gets anywhere.

    So people work around the bureaucracy by copying data to laptops.

  8. Ian

    "So people work around the bureaucracy by copying data to laptops."

    One reason I permit more freedom to access the Internet from our network (~1000 users) than most is that one of my private nightmares is a user who, thinking that they are helpfully bypassing needless security in order to work more efficiently, hooks their laptop to the raw internet via dialup. That's the problem: plenty of staff think that the company will thank them for "getting things done" by ignoring the petty rules of the autistic fusspots in the IT department. And sometimes they're right: management commitment to an ISMS is a variable beast.

  9. Darrell
    Coat

    Although there's no evidence

    That any of the lost data has found its way into the hands of the criminal fraternity.

    (But they are working on it. )

    Just out of interest, why are these people taking laptops full of private data home with them, not enough hours in the working day?

    You can have all the security in the world to protect your millions of customers, password protected and encrypted. As soon as it leaves the premises in the hands of a junior office worker, all that security means nothing and the government have to rely on that employee not making copies, sharing it with others (for profit or just to impress his latest girlfriend), unlocking the PC and walking away etc. etc.

    Taking a laptop out of the protected, CCTV'd, passcard entry, firewalled office is the same as not bothering with that security in the first place.

    You'd never see a bank allowing a cashier to take home a bundle of notes to count at home, so why is this data leaving the premises?

    Neil Briscoe said it very clearly. Centralised DBs are the way to go, not decentralised data!

    Getting my coat and checking my wallet!

  10. donc
    Alert

    And these people handle classified data???

    This is shocking given the requirements the MoD expects everyone else to meet. I used to work for an aerospace company that did work for the UK MoD (not BAE Systems!), mainly for the RAF, mainly on the transport aircraft, and getting access to classified data was a real pain; you had to sign the Official Secrets Act, undergo security checks, background check, criminal record check, references, etc.

    Even once that was done and MoD was happy you weren't a spy or a thief the computers used to access the data had to be in a separate room with the windows 'frosted' so people couldn't look in and see what you were doing, were not allowed to have any connections to the company networks (or the internet) and the hard drive was encrypted and had to be in a removable caddy. When you finished working on the classified data, it was encrypted, you shut down the machine and removed the hard drive caddy. This was then locked away in a big f**king safe, just to make sure someone couldn't wander along and pick it up.

    And now I get to hear the geniuses at the MoD happily wander around with reams of personal data they don't really need, completely unsecured. Alright, the measures above are pretty extreme, but how can a Ministry that requires them be so cavalier with personal data?

    Security Guard at MoD: Oi! That laptop sir, does it have any sensitive data on it? You know, blueprints for the latest Astute submarine, access codes to GCHQ, that sort of thing?

    MoD Bod: Nah, just the bank account details for some blokes who considered joining the Royal Marines a couple of years ago...

    Security Guard: Oh, no problem. Here, let me help you with the door.....

  11. Anonymous Coward
    Unhappy

    Anyone reading here also following the SCADA thread?

    Over there, the CIA say security on SCADA networks is a possible issue and a roomful of brainless Sun-reading MS-worshipping PC know-it-alls say it isn't.

    Someone says (paraphrased) "an externally owned visiting laptop connected to the SCADA network to 'help out' is a classic attack vector".

    Seems Ian here has a bit of sense too: "a user ... helpfully ... hooking their laptop to the raw internet via dialup". In addition to the DSL line, the laptop might also be using a 3G phone (possibly invisibly connected via Bluetooth). It might be a visiting laptop allowed on to the "corporate" LAN - could even be an employee's laptop, with inappropriate networking settings "accidentally" left on. Can't be a security issue there, surely, 'cos you can't see anything wrong? Not till it's too late, anyway.

  12. Alan Lukaszewicz
    IT Angle

    Believe me...

    This is not intended as a smack on the MoD, and it probably is a norm in the whole public sector in general (at least here in the UK).

    The premise is that people entrusted with responsibilities probably are very low skilled and much in denial of that, but rank or authority means that what is done is done. In other words, one may have the authority to do so even though there is an obvious lack of skills to support the basis on which one was granted it.

    In short: the public deserves better, should have better, and lots of public money (in the UK) is probably squandered, as these events are indicators of the skills levels and practices within the sector proper. The security issue really is, in my opinion, a manifestation of mistakes that probably extend far, far wider.

    In short: I am surprised that anyone is surprised.

    Interim conclusion:

    It is a manifestation of the Policy-Practice divide. Ideally Policy should drive practice should drive policy should drive .... but in effect for many organizations it is far more expedient to allow policy makers to do what they have to do in order to attract funding or pull down funding streams. Once that funding is there, then the Practice part of the organization can do what it wants without consideration or support of the policy part. I call that the Policy-Practice divide and it is the nightmare scenario of a Policy-Practice synergy.

    Personal conclusion:

    Organizations that demonstrate Policy-Practice divide should be stripped of opportunity to call down or pull down public funds full stop.

  13. Anonymous Coward
    Alien

    Bit of a non-sequitur?

    "There are various ways to ensure laptops do not go astray when loaded up with sensitive information. The most basic is that such information should not be on any machine unless absolutely necessary. The second policy would be to take some action to ensure the laptop was kept physically safe - so leaving such a laptop in an empty car overnight is probably not a good idea.

    Assuming one or both of these steps were followed, the MoD could then use various types of technology to ensure the data was safe if the worst did happen and the machine was stolen - it could password protect the machine and it could encrypt the data."

    So you're saying that if /neither/ of those steps were followed, the MoD could *not* then use encryption or set a password? Damn, that's just when I would have thought it would matter the *most*.

    Did these paragraphs get mangled in some kind of hideous subediting accident, or do you really mean that it's only possible to set a password and use encryption on a laptop if it doesn't have any sensitive information on it and if it's not being left in a car overnight? As far as I can see, those various measures are basically independent and orthogonal:

    - you can encrypt your laptop regardless of whether there is any sensitive data on it that matters if it gets stolen or not

    - you can encrypt your laptop regardless of whether or not you take good care of it or leave it in a car overnight

    and likewise for setting a password. I can't even make sense of that as saying "There's no point encrypting and setting a password unless you've taken more basic measures first", since in the lack of those first two steps, using encryption would have saved the day.

    A little clarification needed here, perhaps?

    amanfromMars icon, because the claim seems pretty ga-ga to me.

  14. b166er

    WiFi SSD

    Presumably these incidents occur because the custodians of the laptops can't be bothered/forget to take the laptop out of the car, rather than actually wanting to leave them there.

    So...take the storage out of the laptop permanently and incorporate it into something the custodians would be less likely to forget/be lazy enough to leave behind.

    How about incorporating a SSD into a wireless enabled mobile phone? Chances are the custodian won't leave their phone in the car. Then set the laptop up to boot from the network, and serve the OS over the WiFi connection from the phone.

    The point being, that the theft of the large (can't be bothered) laptop is not the problem, the problem is the theft of the small (easily portable) storage device contained within.

    As a bonus, the custodian's home desktop could then also be set to boot from the same Wi-NAS, and the office desktop.

  15. Anonymous Coward
    Thumb Down

    I think we're all missing the point here

    Who leaves a bloody laptop sitting in a car overnight???

    "Oh, sorry boss, that new laptop you gave me with all those bank account details on it, well it got stolen last night. Yeah, my car got broken into and I'd left it sitting on the front seat. Well, I thought it would be safe seeing as it's outside my house and all."

    Is someone looking into this "junior officer's" bank account? Notice any large unaccounted-for transfers yet? And even if he is clean, anyone that stupid deserves to be taken out back and shot - rid the world of one more imbecile!

  16. Andy Bright
    Pirate

    Or not..

    "With preparations like this, we should all be more than ready to hand over our personal data to the proposed national ID scheme - after all, the data can't be that personal if the government has already given it away."

    Or we could just not give them any data whatsoever, and just say we already did and they must have lost it.

  17. Kim Hancock

    Well now

    Maybe all those lost details will, via dark black market forces, find their way into another database from which some enterprising people will offer a competing ID card?

  18. Anonymous Coward
    Unhappy

    No. It is not an iceberg Minister

    In truth, the recent spate of accounts demonstrates the tip-of-the-iceberg phenomenon.

    The declared stuff is awful - we can only guess at the undeclared stuff? UfI? learndirect...

  19. Anonymous Coward
    Anonymous Coward

    Encrypt

    From memory the entire hard disk is encrypted up the wazoo. That way even if someone loses one nobody can get at anything. If this lot weren't doing that then they were breaking the security rules for laptops, independent of information classification.

    Physical security on laptops is a bit of a nonstarter.

  20. teacake

    @Alan Lukaszewicz

    "I call that the Policy-Practice divide and it is the nightmare scenario of a Policy-Practice synergy." [plus more feckless twaddle]

    I call that bollocky-bollocks and it is a bunch of corporate double-speak masquerading as an argument.

  21. kain preacher

    @ac

    "Who leaves a bloody laptop sitting in a car overnight???

    "Oh, sorry boss that new laptop you gave me with all those bank account details on it, well it got stolen last night. Yeah my car got broken into and i'd left it sitting on the front seat. Well i thought it would be safe seeing as its outside my house and all."

    Is someone looking into this "junior officers" bank account. Notice any large unaccounted for transfers yet? And even if he is clean, anyone that stupid deserves to be taken out back and shot - rid the world of one more imbecile!

    Or not.. "

    You think that's bad? There have been a few high-profile incidents of FBI agents leaving fully automatic weapons in their car, driving the car home, and said car gets stolen or the guns get ripped off from the trunk.

  22. Andrew McLachlan
    Alert

    Third, which should be the first, would be to strong encrypt the stuff!

    I know plenty of people in the Home Office - nope, it's not encrypted most of the time when they move data around, and neither is it at the other companies mentioned in the press over the last year.

    How about WE, the people, start to prosecute THEM, the Government, for their incompetence. After all they actually work for us, not the other way around, which seems to have been completely forgotten.

  23. Spleen

    @Andrew McLachlan

    They work for us? What a joke. Who's got the guns? They do. Who works for whom? We work for the guys with the guns. Why? They've got guns. It's as simple and terrible as that.

  24. Anonymous Coward
    Anonymous Coward

    Identity is the basis of law and order.

    Once all the identification details which can be held in the head or communicated by speech are lost, i.e. date of birth, mother's maiden name, salary etc., there is only one way identity management will go.

    Think it begins with B and ends with metric.

  25. I. Aproveofitspendingonspecificprojects
    Flame

    CD heaven

    I know what's happening to our CDs they are being used by George Bush and co to hide all their secrets.

    Why else would so many CDs disappear without trace? Either that or there is a mountain of them secreted about the EU.

    Yet more go astray. And that is only from mid December:

    http://news.bbc.co.uk/1/hi/uk_politics/7204399.stm

  26. Anonymous Coward
    Anonymous Coward

    Government on course to meet target

    The government today announced that it is on course to meet one of its most important targets – to lose the personal details of the entire UK population by the time of the next election.

    Following the loss last week of a laptop containing the national insurance, address and bank account details of 600,000 potential army recruits David Miliband, the Secretary of State for Defence, said last night:

    “We know this is only a small beginning. Other departments are far ahead of us on this matter – we congratulate, for example, the Department for Work and Pensions for their sterling work in losing the details of 24 million child benefit recipients. But on this matter we are determined to pull our weight, and nobody should be in any doubt that here at the MoD we will be ramping up our efforts during 2008 and beyond to show that we can lose just as many personal details as anyone else.”

    Not to be outdone, the Home Secretary Jacqui Smith announced that her department would shortly be launching a new publicly-accessible web site, “Rip Off the UK”, which would contain the electoral roll, address, banking, medical and benefit details for every man, woman and child in the country. Smith said “We are irrevocably committed to our policy of ‘total transparency’ when it comes to the personal data of UK citizens. The huge rise of identity theft in recent years shows that our policy is working.”

    British Airways has this morning announced record numbers of people booking one-way flights to leave the UK. The most popular destination so far has been ‘Anywhere else’.

  27. Alan Lukaszewicz
    Happy

    :) with apologies

    teacake by name, teacake by nature? :)

  28. SImon Hobson
    Thumb Down

    What is to negotiate ?

    "but the ICO is still negotiating exactly how this would work"

    Government ends its exemption, or rather cop-out, from the DPA and funds the ICO properly. Then the ICO investigates these losses and prosecutes the government/body/minister responsible - someone (senior, not a junior scapegoat) goes to jail and the rest wake up to reality.

    Of course the government will do neither of these actions - because, to paraphrase, it's got a lot to hide !

  29. RW
    Flame

    The Villain? Vile Commerce

    The repetitive data losses by UK guvmint is like an insane G&S operetta. At the top you have a bunch of utterly clueless pols who parrot whatever is the fashionable tagline of the minute, and who appear to occupy positions of authority because it's PC to put them there, not because they know what the hell the job entails.

    At the bottom, you have underpaid, demoralized grunts -- as someone said in a comment on another story, "pay peanuts, get <something>".

    In the middle you have all those lovely senior managers hired in from the business sector; in my opinion, that's where the real rot starts.

    The business world has managed to widely propagate the meme "business is everything, and someone successful in business is blessed by God." 'Tain't so. Success in the business world is generally due to luck and possession of a certain low animal cunning and in no way implies intelligence or skill.

    That meme has a variant: "run the public sector like a business." What nonsense! The public sector is not a business: its "customers" are captive, and it has no competition, unless it's false competition fostered by the idiots described earlier. Everyone seems to have forgotten that the original of this tagline/meme was "run the public sector in a business-like way", which is a horse of an entirely different color.

    What was asked for was often nothing more than keeping proper accounts for the individual departments so you could get some sense where the money was coming from and where it was going. But this need was often dealt with by setting up Crown corporations (quangos in UK-speak), contracting out, and assorted other mistaken actions.

    What's to be done? Nothing. If you don't like it, emigrate. The stranglehold that business has on life is irrevocable. Me, I'm going to hang out in my bomb shelter the rest of the day.

  30. Alan Lukaszewicz
    Go

    Uh-huh, t'ain't so bad?

    See, in the commercial, free sector an organization is accountable and that accountability has consequence.

    When annual or periodic reports are published the free sector pitches in to buy or sell shares and the "worth" of an organization and its governance tends to be (in broadest generalities) demonstrated in its share prices.

    They go up (peer group supporting good and robust governance) or they go down (peer group supporting poor or shoddy governance). It may be different across the pond due to non-standard accountancy practices much frowned upon over recent years.

    As far as the UK goes that does not happen with publicly funded bodies.

    Should your local school be in best management it will secure funding for next year.

    Should that same UK school be in poorest management it will also secure funding for next year.

    So, in real terms: why bother?

    The budget will be the same, employees will be the same and there is no real difference between squandering or good use of public funds to many an organization.
