Lost laptop exposes thousands of pension records

A lost laptop containing the personal data of 109,000 Pensions Trust members has sparked the latest in a growing list of information security breach alerts. The missing machine was stolen from the offices of NorthgateArinso, suppliers of the Pensions Trust's computerised pensions administration system, where it was being used …

COMMENTS

This topic is closed for new posts.
  1. Winkypop Silver badge
    Thumb Up

    Great sub title

    "Quest to free all world's imprisoned data continues"

    Funny until you realise it may be true...

  2. Alan
    Unhappy

    Duh!

    My wife's details are on that laptop.

    I'd love to know why they needed to use live data for testing & training purposes...

  3. Anonymous Coward
    Thumb Down

    Used for development, training and testing?

    I hope they included those uses in the data protection information that was given to the real users when all the data was captured... we wouldn't want any further DPA violations, would we?

  4. Jason Togneri
    Alert

    Three words...

    TRUECRYPT

    TRUECRYPT

    TRUECRYPT

    Sheesh. I can't believe that these people *still* don't know the basics of securing sensitive data. I'm just glad I don't have any insurance, pension, bank accounts, or presence with the government. Hmm, where's my tinfoil hat?

  5. Richard

    Guess the password.

    "Data on the drive ........ was password protected"

    Let's try and guess what that might be.

    pens1on

    passw0rd

    northgate1

  6. Anonymous Coward
    Black Helicopters

    data privacy rules for numpties

    1. encrypt your hard drives, esp. on laptops - password protecting Excel files does not count.

    2. transfer data on line (if you have to), not on a disk with the password on a Post-It attached to it.

    3. Reduce the number of records / fields if you have to hand it out for testing or statistical analysis.

    4. Anonymize records if you have to hand it out for testing or statistical analysis.

    There, that would have stopped 90% of the embarrassing data losses.

    That leaves deliberate leaks and data theft.

    If you're an MP wanting to cover up expenses claims, you're F**ked.
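Rules 3 and 4 from the comment above, as an added example that is not part of any comment in this thread: it cuts a record set down to the fields and rows a test needs and replaces identifiers with keyed tokens. It uses HMAC pseudonymisation plus generalisation, which is weaker than true anonymisation; the records, field names and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample records; every field name and value here is made up.
MEMBERS = [
    {"member_id": "M1001", "name": "Jane Example", "ni_number": "QQ123456A",
     "dob": "1961-04-17", "bank_account": "00012345", "salary": 31250},
    {"member_id": "M1002", "name": "John Sample", "ni_number": "QQ654321B",
     "dob": "1974-11-02", "bank_account": "00067890", "salary": 47800},
    {"member_id": "M1003", "name": "Ann Placeholder", "ni_number": "QQ111222C",
     "dob": "1958-01-30", "bank_account": "00024680", "salary": 28900},
]
CONTRIBUTIONS = [
    {"member_id": "M1001", "month": "2009-03", "amount": 156.25},
    {"member_id": "M1003", "month": "2009-03", "amount": 144.50},
    {"member_id": "M1002", "month": "2009-03", "amount": 239.00},
]

# Rule 3: only the fields the test actually exercises survive.
KEEP = ("member_id", "dob", "salary")


def pseudonym(value, key):
    """Deterministic keyed token, so joins between tables still work."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "P" + digest[:12]


def sanitise_member(rec, key):
    out = {field: rec[field] for field in KEEP}
    out["member_id"] = pseudonym(rec["member_id"], key)
    out["dob"] = rec["dob"][:4]               # generalise to birth year
    out["salary"] = round(rec["salary"], -3)  # band to the nearest 1,000
    return out


def build_test_set(members, contributions, key, sample_every=1):
    """Return (members, contributions) reduced and pseudonymised for test use."""
    picked = members[::sample_every]          # rule 3: fewer records
    ids = {m["member_id"] for m in picked}
    safe_contribs = [{**c, "member_id": pseudonym(c["member_id"], key)}
                     for c in contributions if c["member_id"] in ids]
    return [sanitise_member(m, key) for m in picked], safe_contribs


if __name__ == "__main__":
    # Assumption of this sketch: the key is generated per export and never travels with the data.
    for row in build_test_set(MEMBERS, CONTRIBUTIONS, b"constructed-demo-key", 2)[0]:
        print(row)
```

Because the token is deterministic under one key, the member and contribution tables still join after sanitising, while a different key yields unrelated tokens.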

  7. Richard Pennington
    Thumb Down

    Ever heard of testing using sanitised data?

    Testing using live data?? - "it was being used as a database for development, training and performance testing".

    Idiots.

  8. Aitor

    Funny

    In Spain, it is explicitly unlawful to use confidential data in test, development, etc. And it is also a no-brainer.

  9. Chris Miller
    Thumb Down

    You couldn't make it up

    Cost of disk encryption software: <£50 (<<£50 in bulk)

    Value of not having your name splashed all over the press as the biggest bunch of incompetent wasters since the last lot: priceless.

  10. Anonymous Coward

    Pedans pedantis

    If the laptop was _stolen_, could the data be described as _lost_?

    (It's been a tiring day...)

  11. Anonymous Coward
    Stop

    Yeah, it's best not to test on live data ...

    ... that way there is the maximum probability of everything going wrong when the application/web-site/whatever goes live. Please let them test on live data at least a couple of days before going live.

    The other thing: why are we hearing about this kind of thing so much? Are they softening us up, getting us used to the idea of all our personal information being known by everyone, so that we learn to accept having no privacy? I can't think of any other explanation of all these announcements. Surely in decades past this kind of thing would have been hushed up?

  12. Adam Salisbury
    Unhappy

    Breach of DPA?

    Surely if the information's that sensitive, for a vendor to be able to pore through it at their leisure is a blatant and inexcusable breach of DPA!?!

    Someone had better get their face nailed to the wall for this, but they won't.

  13. teacake

    Bastards

    Having missed by only a couple of days having my details revealed in the Great Child Benefit Data Giveaway, the Pensions Trust have finally managed to do it.

    Knowing the ICO can and will do nothing more than shake their heads and say "Tut, tut, tut", is there any basis for private legal action against these muppets, or does one have to prove monetary loss?

  14. Anonymous Coward
    Unhappy

    Can we have an answer

    to the Data Protection Act question? Can someone in Government also explain why we should trust them to run an ID card system with this track record?

  15. Jimbo

    to @Aitor

    "In Spain, it is explicitly unlawful to use confidential data in test, development, etc. And it is also a no-brainer"

    Sorry, but that's a pretty silly law.

    In special cases we use live production data for QA; it is in a very controlled environment (a special QA environment for live data) and has full production policies and controls. Sometimes it is almost impossible to use dummy or obfuscated data if you want to do really good overall QA and/or there is data backfill being done.

    It's not about not using live data in development, it's how it's controlled. Clearly they did not have a good policy in place.

  16. Ascylto

    Ha ha ha!

    And STILL they want to foist ID Cards on us!

  17. Anonymous Coward
    Alert

    Good timing....

    I just got back from London having had a few pints with some of the lads from the old firm, and they mentioned they're already preparing for the forced ID card deployment. "Clean" (spotless CRB check) people are being spoken to about getting jobs with the contractors.

    The data alone is valuable, and that'll go walkabout pretty quick, but having someone on the inside savvy enough to manipulate it or install some MITM trickery and it's a "digital fucking diamond mine" as one of them put it.

  18. Chris Matchett
    Thumb Down

    Why are they running a test system on a laptop?

    Not to mention a laptop with confidential data on it.

  19. Andy Davies

    Database?

    "Data on the drive was not encrypted but it was password protected"

    It's not a *database* it's Access

    (it is isn't it?)

    AndyD 8-)#

  20. Jimbo

    Database?

    Well, MS Access is a database. You might have strong objections against MS Access (I do as well), but it is still a relational database.

    If it was MS Access 2007, then it could be encrypted using the decent ACCDE format (please note the word decent; I did not use the word good).

  21. Warren Free
    Stop

    Not a care about the laptop. All we care about is the data

    The comments on here are interesting as they show that all anyone really cares about is the data on the device, not the device itself.

    The data in this case isn't protected by encryption, just a password. But knowing the data is on the device, would it make any difference to people's perceptions that their private data is on that device?

    Surely knowing the data has been removed from the device would be a lot better? Utilising the internet or mobile phone networks you can receive this reassurance through a tool like BackStopp. The data is removed and a report is made available detailing the removal of such data. What price would the company in question pay for that functionality now?
