
UK Gov't Lost Personal Data On 4M People In One Year

timothy posted more than 5 years ago | from the of-which-they-are-aware dept.

Privacy 163

An anonymous reader writes "The U.K. government has lost the personal information of up to four million citizens in one year alone. The astonishing figures, calculated by the BBC, added up as Whitehall departments slowly released their annual reports for the year to April. And the trend has not stopped — in the latest revelation, HM Revenue & Customs, which infamously lost the details of 25 million child benefits claimants last November on two unencrypted discs, experienced 1,993 data breaches between 1 October last year and 24 June."

"Earlier this week, the Ministry of Justice admitted it had lost 45,000 people's details throughout the year, on laptops, external security devices and paper, and that 30,000 of them had not been notified. Before that, the Home Office announced it had lost the data of 3,000 seasonal agricultural workers on two unencrypted CDs. In May, the Department for Transport lost the data of three million learner drivers. Other data losses occurred at the Foreign Office, which lost 190 people's data in five incidents. In January, the Ministry of Defence said it had lost a laptop containing the details of 620,000 recruits and potential recruits, and some information on 450,000 referees for job applicants. The Liberal Democrats have called for 'data guardians' to be appointed to monitor the government's handling of information."


163 comments

The UK Govt. (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#24702247)

Can goat my whaargarbl.

Way Offtopic (2)

MyLongNickName (822545) | more than 5 years ago | (#24703161)

Currently, if you log off of Slashdot and go to the front page, you get to see a picture of "Little Hitler", a two-year-old dressed up to look like Hitler. What in the hell is wrong with Slashdot? There isn't even a story to go with it, just the freaking picture. Posted in the idle section, of course.

Has the management of Slashdot put their head so far up their ass that they have oxygen deprivation in the brain?

Another USB stick has gone missing (3, Informative)

rallymatte (707679) | more than 5 years ago | (#24702263)

Re:Another USB stick has gone missing (5, Funny)

FyRE666 (263011) | more than 5 years ago | (#24702359)

Well obviously if those 4 million people have nothing to hide, then there's nothing to worry about, right?

Re:Another USB stick has gone missing (3, Insightful)

dintech (998802) | more than 5 years ago | (#24702625)

Anyway, look on the bright side. With 4m records lost and only 60m people living here, there's bound to be some overlap so less than 4m will actually be affected.

As an almost certain side effect, somewhere there's a very pissed off unemployed seasonal worker who's still trying to get his driving licence...

so that's 56 m to go ... (0)

Anonymous Coward | more than 5 years ago | (#24703173)

so that's 56 m to go ...

Re:Another USB stick has gone missing (2, Interesting)

apathy maybe (922212) | more than 5 years ago | (#24702629)

This is a great point, and it is a pity it is being modded "funny" rather than insightful.

Even if you think you have nothing to hide from the government, and thus they can collect what they will on you, they will lose that information.

And you don't want scammers, fraudsters, identity misusers and other people to get hold of that information.

So even if you think you have nothing to hide from the government (the people whom you should trust the least (next to corporations) out of society), you certainly wouldn't be handing over this information to your friendly neighbourhood Mafia.

(Oh, and you certainly do have something to hide from the government. Even if it is the fact that you sometimes speed or jaywalk.
In this comment I made the point about nothing to hide, http://slashdot.org/comments.pl?sid=645245&cid=24591399 [slashdot.org] and linked to this http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 [ssrn.com] paper. Read it.)

4000000? (1, Interesting)

ricebowl (999467) | more than 5 years ago | (#24702267)

The U.K. government has lost the personal information of up to four million citizens in one year alone.

That's quite impressive, I assumed it was a much larger figure given all the stories. Mind you, that's just an estimate, so it probably is a larger figure. I do wish that people entrusted with this type of data, and any other type to be honest, would have to prove competence to be trusted with it.

Re:4000000? (4, Interesting)

Vectronic (1221470) | more than 5 years ago | (#24702317)

How do you propose that they "prove competence"? As far as I can tell, that seems to be what's happening: some organizations have proved their competence; others, such as this, have failed.

Granted, information distribution isn't exactly new, however the method and/or media used to transfer the information is/has changed, and is being increasingly adopted, so they all have to figure it out.

Besides, I don't think it's "humanly" possible to transport this amount of information with absolutely no spillage at all.

That said, I'm not really making excuses, as even 4 Million is much larger than it should be, that's what, 6 to 7% of the population? That's basically epidemic, and is certainly pandemic given that the UK isn't the only one.

Re:4000000? (5, Interesting)

joto (134244) | more than 5 years ago | (#24702489)

How do you propose that they "prove competence",

One suggestion would be to

  1. Make legislation that outlines procedures for handling privacy data that will be mandatory to follow
  2. Make everyone handling privacy data require a certificate that proves they are licensed to do so
  3. Make it illegal for someone to hire an unlicensed person to handle privacy data
  4. Make it mandatory to document whatever you do to privacy data in paper documents or electronic equivalents
  5. Enable a government bureau to periodically control these documents to see that procedures are followed
  6. And also to periodically do other kinds of tests, to test security procedures, e.g. "social engineering tests"

Besides, I don't think it's "humanly" possible to transport this amount of information with absolutely no spillage at all.

Sure it is. You need proper procedures and regulations. Sure, if you put it on a laptop or memory-stick, and let your employees carry it around without any oversight, accidents will happen. But if you treat the information as valuables, all will be fine. Money-transports don't usually go around losing money.

The trouble is that there is no real accountability for losing data. If someone loses 4 million euros, they know somebody will be pretty unhappy. But losing the private records of 400 people, which given today's identity-theft-plagued society could easily result in damages of 4 million euros, is somehow not taken as seriously.

Re:4000000? (1, Informative)

Anonymous Coward | more than 5 years ago | (#24702669)

1) Data Protection Act 1998
2) Data Protection Act 1998
3) Data Protection Act 1998
5) Data Protection Act 1998

4 and 6 sound like good ideas that need to be implemented though.

Re:4000000? (1)

jambox (1015589) | more than 5 years ago | (#24702887)

Money-transports don't usually go around losing money.

No, because you can't fit £4m in cash into something the size of a matchbox.

YOU'VE WON AN XBOX 360! (5, Funny)

Anonymous Coward | more than 5 years ago | (#24702497)

During the employment screening process, have popup ads appear on a screen during the personality/background info/aptitude test. If the applicant clicks on one, a trap door in the floor opens and flushes them back out on to the street.

they can and do keep data safe: when they want to (2, Insightful)

petes_PoV (912422) | more than 5 years ago | (#24702843)

Besides, I don't think it's "humanly" possible to transport this amount of information with absolutely no spillage at all

Sure it is. The government (any government) produces thousands of times this amount of covert data each year, whether it's surveillance, foreign intelligence or simply military planning information.

The point is that almost none of this sort of stuff - the info that governments really care about - gets into the wrong hands. If they considered the loss of personal data to be important, they could easily stop all leakages except those done maliciously.

Re:they can and do keep data safe: when they want (2, Interesting)

elguillelmo (1242866) | more than 5 years ago | (#24703091)

almost none of this sort of stuff - the info that governments really care about - gets into the wrong hands

I wouldn't be so sure. From today's news [timesonline.co.uk]: "Confidential records [...] on tens of thousands of the country's most prolific criminals have been lost in a major breach of data security [...] Scotland Yard is investigating the loss of the information, which was taken from the Police National Computer and entrusted by the Home Office to a private consultancy firm"

And, how do you know covert data is never lost if you wouldn't even get news it was collected in the first place?

Re:4000000? (3, Interesting)

OriginalArlen (726444) | more than 5 years ago | (#24702757)

Me too. I was reading a story on El Reg the other day that asserted 29m (25m being the child benefit agency CD) - can't find it now, of course, but stumbled over this instead [theregister.com]. No wait! Here it is. [theregister.com] Non-Brits may not be aware that this morning's lead story on the Beeb (radio and web) was the loss of an unencrypted flash stick with details of all current guests of Her Majesty's pleasure [bbc.co.uk] by PA Consulting. Not quite sure how the tabloids will whip up a "think of the children" angle on it, but I'm sure they will. It's great they've been picking up on these stories, but typical that they've not worked out that the answer isn't "hire more clueful contractors", but "don't have the data in the first place" (at all if possible, but if really needed - obviously child benefit records and lists of prisoners are in the "essential" category - never allow records to be pulled onto client systems). And really drill it into people that they should flag up naughty behaviour they come across - i.e., inculcate a security culture. That's the trickiest bit.

Re:4000000? (0)

Anonymous Coward | more than 5 years ago | (#24703195)

Erm, yeah, what I'm not getting is this. Why 4 mil? Surely 29 million with some duplication - it wasn't like the 25 mil HMRC lost was nothing. Then we have our leading banks leaving important info in skips etc - and the latest USB key loss from the prisons...

I'm thinking at least half the country has been compromised - and continues to be.

Encryption (4, Insightful)

telchine (719345) | more than 5 years ago | (#24702275)

Encryption nowadays is so damn easy to use. Why don't they?

Hardware Encryption (1, Interesting)

Anonymous Coward | more than 5 years ago | (#24702351)

If memory serves, don't most drives have the capability in the spec to password protect the drive?

Lazy? Incompetent? (3, Insightful)

Timo_UK (762705) | more than 5 years ago | (#24702385)

Most of the civil servants are probably happy that they have managed to drag and drop a few files to the USB stick. They probably don't even know what encryption is.

Re:Lazy? Incompetent? (4, Insightful)

HungryHobo (1314109) | more than 5 years ago | (#24702433)

Or sending passwords over IM/email/plaintext.
Try to explain about packet sniffers and you'll get a reply along the lines of "oh, security would be down like a ton of bricks on anything like that". 'Cause packet sniffers are easy to detect, as we all know.

The standard here is "security handles that so I don't have to think about being secure", when in fact security can't handle that unless people take reasonable measures themselves.

Re:Lazy? Incompetent? (1)

CmdrGravy (645153) | more than 5 years ago | (#24702499)

Civil servants may not, but I think the company involved here is the same one who's supposed to be running the government's 'wonderful' ID card scheme, so you really would hope they have the protection of data somewhere right at the top of their list of priorities. Obviously they don't.

Re:Lazy? Incompetent? (1)

Sopor42 (1134277) | more than 5 years ago | (#24703215)

I don't care about the staff doing the "work", what is the IT group doing? Where is the enforcement of security policy? If somebody was going to put passwords or encryption onto the drives themselves, it would be somebody from a back room, not the solitaire playing secretary up front.

Re:Encryption (0)

Anonymous Coward | more than 5 years ago | (#24702421)

I work at a big tech company and security here is supposed to be a big deal, yet the only person I know who has an encrypted drive is my manager, and to get the licensed encryption program off the company's internal software site you have to do some course and jump through a bunch of hoops. I just find myself thinking "why the hell isn't it standard for everyone's drives to be encrypted"; it's just so easy to use encryption software. On my home laptop I have an encrypted drive "just because"; it's not like I even use it for anything important, since I don't have anything important, but it's not like it costs me anything.

Re:Encryption (0, Troll)

s7uar7 (746699) | more than 5 years ago | (#24702463)

Because only paedophiles and terrorists encrypt data, or so the government and law enforcement seem to think.

Re:Encryption (4, Interesting)

Spad (470073) | more than 5 years ago | (#24702473)

User resistance.

I've been involved over the last couple of months with implementing fixed disk, removable media & email encryption at an NHS trust in the UK and the amount of complaints and stupid problems we've had from users is astounding.

Most of them go straight to one of the directors to complain, before kindly informing IT that they've done it, so we'd better hurry up and fix the issue. Then staff go out of their way to find ways around the encryption, exerting far more effort than it would have taken just to use it in the first place.

Thankfully we've got a CEO & IT director who don't want to be the ones going on TV to explain how they lost X thousand unencrypted patient records and so are making sure the policy is enforced, but I can easily see how "weaker" management would allow lapses to keep staff happy and risk this kind of data leakage.

Re:Encryption (2, Informative)

xaxa (988988) | more than 5 years ago | (#24702559)

If what I half-heard on the radio last night was correct then the data *was* encrypted -- the government encrypted it when it gave it to the contractor. Then the contractor unencrypted it, dumped it onto a USB stick and lost that.

Time to press charges against the contractor (under the Data Protection Act, presumably).

Re:Encryption (1)

richard.cs (1062366) | more than 5 years ago | (#24702895)

Someone who works in an office that processes all this stuff once told me that it is encrypted - but the password is the name of the office it's being sent to.

Stupidity or Malice? (4, Insightful)

EdIII (1114411) | more than 5 years ago | (#24702279)

experienced 1,993 data breaches between 1 October last year and 24 June

That is almost 10 breaches a day. That is not a leak. That is a fucking river.

I am reminded of a pretty good saying. "Once is happenstance, twice is coincidence, and three times is enemy action". With data breaches this prevalent there needs to be investigations, firings, and serious consequences for all involved. At least fire everybody in charge at once.

Re:Stupidity or Malice? (5, Insightful)

smitty_one_each (243267) | more than 5 years ago | (#24702309)

How about minimizing the amount of individual data collected?
In the US, the Fed could leave to the states a vast swath of functions currently bogging down DC, making everyone more secure in a variety of ways.

It's principally Government incompetence. (3, Insightful)

CountBrass (590228) | more than 5 years ago | (#24702321)

It's Government incompetence: constant changes in policy, meaningless targets and, most critically, the replacement of the most senior civil servants, whose pensions and knighthoods depend on not fucking up, with a bunch of consultants on short term (typically 5 year) contracts.

This is the government that wants us to give it our biometric data, impose the use of ID cards and keep DNA records on us all.

Re:It's principally Government incompetence. (1)

kestasjk (933987) | more than 5 years ago | (#24702391)

Sounds like you're trying to blame this on pet issues. Is it really senior civil servant positions which are leaking all the data? Might the use of ID cards actually help decrease these data leaks by making the data more centralized, so they don't need to be carried on thumb-drives?

Just a couple of thoughts.

Re:It's principally Government incompetence. (1)

jimicus (737525) | more than 5 years ago | (#24702549)

Sounds like you're trying to blame this on pet issues. Is it really senior civil servant positions which are leaking all the data? Might the use of ID cards actually help decrease these data leaks by making the data more centralized, so they don't need to be carried on thumb-drives?

Just a couple of thoughts.

No, mainly because they've more or less dropped the idea of a central database; now they're focusing on the idea of just having existing databases talk to each other.

What could possibly go wrong? You thought the no-fly list was bad, just think how much fun it would be when sharing the same date of birth and name as someone could give you a criminal record, a medical history which neglects to mention your violent allergy to penicillin, inform the taxman that you are paid three times as much as you really are and tells social security that you're claiming benefits for five children that don't exist and that your driving license was taken off you six months ago.

Re:It's principally Government incompetence. (3, Insightful)

CmdrGravy (645153) | more than 5 years ago | (#24702563)

I don't expect senior civil servants would ever get their hands dirty enough to be in a position where they have any data to lose, but it is their job to ensure everyone else reporting to them understands and is complying with sensible data security procedures. If they aren't doing this then it is their fault as much as it's the fault of the contractor who actually lost the USB stick.

The use of ID cards might stop this sort of data loss, but I don't believe for a second it will do. First of all, I think the company who has just lost this data is one of the ones involved in the ID card scheme, and they obviously don't have data security very high on their agenda. Secondly, the actual database may be more centralised, but the data itself is going to be available to virtually every single government employee in the country along with any private company who fancies it, so the chances of that reducing the amount of data leaked out don't look very good to me.

Re:It's principally Government incompetence. (3, Insightful)

Candid88 (1292486) | more than 5 years ago | (#24702525)

Sorry, but how can someone misplacing a USB stick be attributed to any of the things you listed?

If I.T. data security needs tightening (which it obviously does) then how about actually changing something in some way related to I.T. data security?

Rather than actually fix the problem at hand though, it seems - as always - everyone would rather copy the mainstream media's cries of wolf and descend into the typical "the world's going to the dogs and it's all someone-but-me's fault" farce.

That's a great attitude to take if you want viewers and readers (everyone wants to hear about problems with someone-else to blame) but it's not very good if you actually want to fix the problem at hand.

Oh well, that's just a humble engineer's opinion, it may be a little rational for the arena of politics & popular opinion.

Re:It's principally Government incompetence. (1)

HungryHobo (1314109) | more than 5 years ago | (#24702915)

So whose fault are you saying it is?
If it's not the government's fault and it's not the contractor's fault then whose is it?
You seem to be trying to say that somehow it's my fault, but that's a bit silly since I'm in no way involved. Or possibly you're saying that the programmers should make the systems in such a way that no matter how stupid the minimum wage monkey the contractor hires (how do you think they save money?), it should be impossible for them to overcome.

Re:It's principally Government incompetence. (1)

Candid88 (1292486) | more than 5 years ago | (#24703139)

Blame someone, fire someone, whatever; I couldn't care less. What I'm saying is it won't magically fix anything!

My point is that just saying the usual "it's because [name of whoever happens to be in charge] is incompetent, he should resign immediately!" mantra may help sell newspapers and help attack [name of whichever party is in office at the time], but it won't do much towards fixing the actual problem at hand.

Re:It's principally Government incompetence. (1)

HungryHobo (1314109) | more than 5 years ago | (#24703201)

The point isn't that whoever you replace him with will have magical "fix everything" powers.
It's because the guys at the top are the only ones with any real power to make much difference, and they need to fear for their jobs.
If there's no chance of getting fired for not making sure the people below you follow security procedures, then why bother?

Telling the other directors "Do a better job or be fired like that guy." will make a hell of a lot more difference than the mere act of replacing one man.

Put in place an automatc 7y jail fr unencrypt loss (0)

Anonymous Coward | more than 5 years ago | (#24702665)

and THEN I might be willing to consider their ID enforcement scam...

No accountability, then no agreement.

Yes, I expect to be murdered for not glorifying authority,
in the totalitarian state we are accommodating in our countries.

Re:Stupidity or Malice? (2, Informative)

TechMouse (1096513) | more than 5 years ago | (#24702387)

The UK civil service is a joke - and I say this having had many friends and family work in all branches, from local government, through the NHS, right up to the Houses of Parliament.

Once you're a permanent employee it's near impossible to get fired for incompetence, but if you're actually good at your job they will let you quit and train up someone else rather than give you a pay rise or promotion. You can imagine the environment of operational excellence this fosters.

The biggest problem is that they aren't subject to the normal pressures of industry. I've been mucked about an insane amount by various different local authorities with respect to council tax. If I get mucked about by a private company I can just vote with my feet and take my business elsewhere. If I stop paying my council tax there are legal consequences.

You can vote for your councillors, but you can't vote for their staff and they're the people who do the vast majority of the work.

Re:Stupidity or Malice? (2, Insightful)

jimicus (737525) | more than 5 years ago | (#24702451)

Once you're a permanent employee it's near impossible to get fired for incompetence, but if you're actually good at your job they will let you quit and train up someone else rather than give you a pay rise or promotion.

I can testify to this. My local NHS trust advertises jobs internally but apparently has a policy of deciding who to promote based purely on how well they present themselves at the interview - little or no attention is paid to references, line manager's opinion or past performance. A confident person who's relatively inexperienced and crap at their job is more likely to be promoted than a less confident person who's really very good.

Follow this to its logical conclusion, and you realise that the people at the top can be absolute idiots but the one thing you can be sure of is that they're supremely confident that the sun shines out of their own arse.

Now, I appreciate that this is not far from how things work in the real world for new people coming in from outside, but to make a formal policy of it for internal promotions?

Re:Stupidity or Malice? (1)

caluml (551744) | more than 5 years ago | (#24702581)

apparently has a policy of deciding who to promote based purely on how well they present themselves at the interview - little or no attention is paid to references, line manager's opinion or past performance.

I think you're not allowed to discriminate based on experience these days. In case people without much experience find it hard to get a job. Which is a problem, because experience is all I have. No degrees, no college, no nothing. Didn't waste time with all that.

Re:Stupidity or Malice? (1)

jimicus (737525) | more than 5 years ago | (#24702875)

apparently has a policy of deciding who to promote based purely on how well they present themselves at the interview - little or no attention is paid to references, line manager's opinion or past performance.

I think you're not allowed to discriminate based on experience these days. In case people without much experience find it hard to get a job. Which is a problem, because experience is all I have. No degrees, no college, no nothing. Didn't waste time with all that.

I think that's wrong. You're not allowed to discriminate based on age but that's not quite the same thing. (ICBW, IANAL etc etc)

Re:Stupidity or Malice? (1)

HungryHobo (1314109) | more than 5 years ago | (#24702933)

I think you're not allowed to discriminate based on experience these days.

Please god let that be a joke...

Re:Stupidity or Malice? (0)

Anonymous Coward | more than 5 years ago | (#24702705)

Once you're a permanent employee it's near impossible to get fired for incompetence, but if you're actually good at your job they will let you quit and train up someone else rather than give you a pay rise or promotion. You can imagine the environment of operational excellence this fosters.

Absolutely true. Where I work has terrible retention problems for good staff - both domain experts and technical staff. Well, bad retention for anyone who isn't sucked into the great whirlpool of endless strategic management strategy meetings, that is.

In which case a special role will be invented for you with just that particular combination of skills and experience that practically guarantees you are the only person in the universe who meets all the criteria. Several other unlucky candidates will waste their time being interviewed for it in order to ensure we are spending public money fairly and transparently. The successful candidate disappears into the whirlpool, rarely to be seen again.

Re:Stupidity or Malice? (0)

Anonymous Coward | more than 5 years ago | (#24702393)

And those are just the ones we know about. A good hacker/ cracker is nigh-invisible.

incompetence and money 'saving' (4, Informative)

thermian (1267986) | more than 5 years ago | (#24702405)

The UK has all but handed over the handling of citizens data to lowest bidder IT companies.

I've experienced this first hand. I worked in a hospital where total access to everything on the hospital's network was available without even typing in a password if you used certain machines which were 'configured for ease of use'. You'd think those machines weren't reachable by members of the public, or externally, but you'd be wrong.

They aren't unique either.

Re:Stupidity or Malice? (2, Interesting)

Candid88 (1292486) | more than 5 years ago | (#24702431)

"At least fire everybody in charge at once."

That's the sort of stupid, over-the-top thinking which will likely cause much, much bigger problems.

So even if a director is doing an excellent job he should be fired because some guy lost a USB stick which is most probably behind the back of some filing cabinet?

I realize it's popular these days to always blame everything on those "incompetent" people in charge of governments. But a little rationality is required.

Despite all these "data breaches" there is yet to be any evidence of misuse of this data. That doesn't mean it's OK, but to claim it's some sort of "disaster" is a little over the top.

Re:Stupidity or Malice? (5, Insightful)

EdIII (1114411) | more than 5 years ago | (#24702597)

That's the sort of stupid, over-the-top thinking which will likely cause much, much bigger problems. So even if a director is doing an excellent job he should be fired because some guy lost a USB stick which is most probably behind the back of some filing cabinet?

No offense, which I am not sure goes both ways here, but your statement is the one that is a little naive and uninformed. The person responsible is the CIO, or director if you will. If you are going to have computers, databases, and information processing in any organization you need a CIO and an IT department. It is the responsibility of those people to create and enforce sensible data handling policies and to comply with any governmental regulations governing that data. Now CIO may not be the proper term, but I am sure there must be some sort of department that deals with this. There usually is, and if not, then the UK's problems are a lot bigger than I thought.

Your assertion that I am stupid, or that my recommendation to fire the CIO is stupid, is just inflammatory and does not support your position that these people should escape unscathed.

This is not the loss of a single USB stick, but rather the pervasive problem of data loss throughout the entire government of the UK. As I stated, that is about 10 incidents per day. The CIO (or equivalent) is wholly responsible. After the first couple of incidents, the CIO should have taken action through the implementation of security and data handling technology and policies.

I realize it's popular these days to always blame everything on those "incompetent" people in charge of governments. But a little rationality is required.

Whether or not it is popular to blame the government for problems is irrelevant here. The government is responsible for safeguarding the data and it failed, and it is a spectacular failure at that. Blame is required here, and in fact, the lack of blame here would be as bad as the problem itself. Your claim that it is irrational to assign blame to those responsible is astonishingly irrational in and of itself.

Despite all these "data breaches" there is yet to be any evidence of misuse of this data. That doesn't mean it's OK, but to claim it's some sort of "disaster" is a little over the top.

You really must be kidding here. You are not serious are you? This is a huge disaster. You are attempting to downplay the potential for harm here, while completely ignoring the massive scope and scale of the problem. Evidence of any consequences has nothing to do with problem itself. My reaction is not unique, and to say it is over the top is indicates an indifference and apathy on your part to the problem itself.

There needs to be a review of all the policies and laws pertaining to the handling of sensitive data like this. This is a big deal considering it's scale, and the "directors" do need to be removed and policies have to be created with consequences for failure.

Otherwise, as you seem to be suggesting, we just give them a slap on the wrist and say, "naughty little directors! You little buggers :) Do better or next time we might get more serious". Why would you want to treat this lightly and keep the same people, responsible for such widespread breaches, in their positions?

Re:Stupidity or Malice? (1)

Candid88 (1292486) | more than 5 years ago | (#24702699)

Well sure, the blame does likely lie with the CIO. You said however ""At least fire everybody in charge at once.""

I fail to see what the CFO or the director of human resources etc. have to do with the incident. For all you could know, they may be the best ones to have ever graced their positions. So an automatic, immediate firing of "everybody in charge" is stupid in my opinion.

Re:Stupidity or Malice? (1)

EdIII (1114411) | more than 5 years ago | (#24702881)

I think you are being deliberately obtuse here, or perhaps cleverly Trolling. Maybe, and if not, I apologize.

When I say "in charge", most people would wonder, "in charge of what?". Since we are talking about data handling and its policies I think it would be clear that I am referring to those specifically in charge of handling said data. The CFO and Director of Human Resources could never be thought to be in charge of information systems by any reasonable person. You make it sound like I am demanding to fire the cook because the waiter brought me a dirty spoon.

So yes, I could have said, "fire everybody in senior management positions purely related to the design, implementation, and management of any sensitive information systems and/or data handling policies". However, I think I was able to simplify that in a way that only a small fraction of people could possibly misunderstand (1%). It was not an oversimplification, you are just part of the 1% I guess.

So you are either Trolling or have problems with reading and comprehending the writing of others. In either case, I can only feed and attempt to educate you. I hope I was successful.

P.S - I highly doubt it was my use of grammar, or any spelling mistakes, as I was raised by a group of feral Grammar and Spelling Nazis. I still have scars from childhood.

Re:Stupidity or Malice? (1)

jimicus (737525) | more than 5 years ago | (#24702965)

Blame is required here, and in fact, the lack of blame here would be as bad as the problem itself.

You really don't want to know about a certain NHS trust.

An enshrined policy stating "no blame". Ostensibly this is to prevent scapegoating - which would otherwise be a real problem because senior management are generally very good at finding some sort of a policy breach which would result in it being perfectly reasonable to sack someone lower down the pecking order for causing the problem.

Of course, such a policy has an unfortunate side effect: if the consequences of a mistake are unlikely to lead to a problem which someone might actually care about (e.g. they're unlikely to result in someone dying) then there's precious little disincentive to make such mistakes.

Re:Stupidity or Malice? (1)

HungryHobo (1314109) | more than 5 years ago | (#24702957)

So even if a director is doing an excellent job he should be fired because some guy lost a USB stick which is most probably behind the back of some filing cabinet?

odd...
whenever I get into a conversation about why directors get paid such insane amounts the argument is always "because they have to take responsibility for everything that happens below them", but when it comes to the excrement hitting the rotary air impeller and it's suggested that the directors should take the responsibility and be fired it becomes "oh but you can't actually hold them responsible for what some low paid twat did, just fire the low paid twat"

Re:Stupidity or Malice? (1)

elguillelmo (1242866) | more than 5 years ago | (#24702693)

In my opinion there's a lot of stupidity involved. Folks just don't care about security.

Let me give you a petty example. At my office in a quite big IT shop there's a copier machine that's also a fax. Most faxes contain personal information. And most people sending them fail to collect the confirmation the machine spits out, which is basically a copy of the sent document.

If people are unable to care about their own personal data, how are they going to be careful with someone else's?

Re:Stupidity or Malice? (1)

EdIII (1114411) | more than 5 years ago | (#24702797)

If people are unable to care about their own personal data, how are they going to be careful with someone else's?

The answer to that is amazingly simple. When you do something with your own personal data, the only person you answer to is yourself. When you do something with someone else's data, you have to answer to your boss.

Proper policies regarding data handling can and will solve this problem. The employees that get caught not taking care of the confirmation simply need to be disciplined according to policy. I don't mean a whipping for the very first offense either. A gentle reminder, then a written warning, followed by a dock in one's pay. Those that just cannot get it and are repeatedly violating policies should not be tasked with handling that data in the first place. If that means putting them on another job, or outright firing them, then that is what needs to happen.

This problem always resides with the people at the top. That is why I recommended the immediate termination of every single director, CIO, etc. I like the Darth Vader policy here. Let the next guy in line take over the reins with the understanding that if he lets the same problems continue, he will be next. Some have pointed out that is a bit drastic of a response. Well, we are not talking about a couple of incidents of lost USB sticks and/or laptops here. What is being reported is an average of 10 incidents per day. Note, that is not records, but incidents of losing many records. That is far more serious and represents at least several incidents of data loss per week for every single department in the UK on average. That is exactly the kind of behavior that requires decisive action that will make it clear to the rest that the consequences for continuing the behavior are dire indeed.

So I would think that the legislative bodies in the UK would consider enacting law that creates rules, regulations, policies, etc. concerning the handling of a UK citizen's data. Once that is done, it really is the responsibility of the "bosses" to create their own policies to comply, or risk termination and possibly more serious consequences themselves.

That way the people at the bottom will ultimately risk their jobs if they don't protect personal information.

Simple really.

Re:Stupidity or Malice? (1)

Jeppe Salvesen (101622) | more than 5 years ago | (#24702737)

Such a river means there may be structural problems.

My best guess is that the policies are so rigid that they will not work in the real world (and therefore cannot be enforced). USB sticks? Why don't they use TrueCrypt? (Maybe because USB sticks are banned altogether, and there are consequently no checks in place for whether the data is encrypted or not?)

I agree that firing those responsible for the status quo is a good idea, but the first thing to do is to determine who is responsible. Well, the senior officer in charge of security will have to go, though; this has obviously gone on for long enough for that firing to be a no-brainer. But just firing people and thinking unidentified structural problems will solve themselves once "that idiot is gone" is a very counterproductive thing to do.

Re:Stupidity or Malice? (1)

EdIII (1114411) | more than 5 years ago | (#24702945)

But just firing people and thinking unidentified structural problems will solve themselves once "that idiot is gone" is a very counterproductive thing to do.

I completely agree. I don't think that firings should be the only response to this problem. As part of the investigations it would be quite prudent to look into the "structural problems". The creation of new policies would also help immensely, I am sure.

As for your ideas about the policies being so strict they cannot be enforced, that would be untrue. If the policy required banning USB sticks and using TrueCrypt on portable hard drives, then that policy should also define administrative consequences as well. That can be enforced. It would depend on the department, but I know that there are more serious penalties for violations elsewhere in government. Jail time would not be out of line, depending on the circumstances and whether or not it met the definitions of criminal negligence.

In any case, my point is that you can create and enforce policies that will eliminate structural problems that you refer to. There just needs to be a motivation to do so. Hopefully, this is the motivation.

Re:Stupidity or Malice? (1)

Jeppe Salvesen (101622) | more than 5 years ago | (#24703075)

By "too strict to be enforced" I should have made it clear that I meant "so strict that enforcement would mean an unacceptable drop in productivity". I think we're in the same chapter here (maybe even on the same page).

Re:Stupidity or Malice? (0)

Anonymous Coward | more than 5 years ago | (#24703165)

At least fire everybody in charge at once.

I originally read this as:

At least fire everybody in charge at least once.

Don't worry it's only 0.7% of the population (1)

sakdoctor (1087155) | more than 5 years ago | (#24702289)

I think we can trust the government with an all powerful, all knowing national ID database hooked up to a slightly psychotic artificial intelligence now.

Re:Don't worry it's only 0.7% of the population (0)

Anonymous Coward | more than 5 years ago | (#24702761)

Given that there are 61 million [statistics.gov.uk] people in the UK, 4 million is actually 7% of the population, not 0.7%.

Of course, we don't know how many of these people are distinct.

Maybe some driving-learning child-benefit-claiming seasonal agricultural worker interested in joining the military has had his data lost four million times!

Re:Don't worry it's only 0.7% of the population (1)

chrispugh (1301243) | more than 5 years ago | (#24702839)

No, you're an order of magnitude out. 4 million losses with a population of 60 million is 7%, which is frankly terrifying.

Just you wait... (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#24702293)

The magnitude of this crisis clearly indicates that the state urgently requires expanded powers and broader scope of co-operation with private sector stakeholders in order to secure these sensitive records.

Utterly, utterly, wrongheaded; but just plausible enough to work...

Re:Just you wait... (2, Insightful)

EdIII (1114411) | more than 5 years ago | (#24702377)

Close your eyes and imagine John Hurt from V for Vendetta screaming that at the top of his lungs in a speech. Gives you tingles up your spine right?

no problem... (0)

Anonymous Coward | more than 5 years ago | (#24702301)

So they lost 4M people...who's that...Mike, Mary, Marcus, Mahew....there...4M people. Thank you gents for not telling me to jog on.

Back to dumb terminals (5, Insightful)

Tyrannicalposter (1347903) | more than 5 years ago | (#24702355)

No laptops, CDs, memory sticks, USB drives. Just a dumb terminal. That way the data can live in a secure data center. Until you piss off some rowdy geriatric mainframe hackers.

Re:Back to dumb terminals (2, Funny)

TechMouse (1096513) | more than 5 years ago | (#24702647)

It almost sounds like you're suggesting that the UK government needs some kind of information security strategy.

Madness, sheer madness.

Re:Back to dumb terminals (0)

Anonymous Coward | more than 5 years ago | (#24702829)

Absolutely, the very idea of USB drives being used to cart around sensitive data in government agencies scares the hell out of me. How about they do away with Windows and Office and introduce some encryption for a start; suddenly workstations would become less vulnerable to the user's incompetence (and that's heavy duty incompetence in government).
If a stolen laptop is running a locked down installation of Linux then the thief in question is far more likely to reformat, install Windows and flog the laptop than attempt to recover the data from it.

Re:Back to dumb terminals (1)

jimicus (737525) | more than 5 years ago | (#24702981)

Absolutely, the very idea of USB drives being used to cart around sensitive data in government agencies scares the hell out of me. How about they do away with Windows and Office and introduce some encryption for a start; suddenly workstations would become less vulnerable to the user's incompetence (and that's heavy duty incompetence in government).
If a stolen laptop is running a locked down installation of Linux then the thief in question is far more likely to reformat, install Windows and flog the laptop than attempt to recover the data from it.

I think you're trolling, and I'm far from an MS fanboi, but you're throwing the baby out with the bathwater there.

TrueCrypt (or for that matter PGP if you want a supported commercial solution with centralised key management, probably a wise idea if you're a government department) both allow you to encrypt the whole damn disk and leave nothing clear apart from a rather small bootloader.

Further, Windows domain policy can easily block the use of removable drives.

Just doing that (assuming you already have a fairly entrenched set of things on the desktop which require Windows, a reasonable assumption in a large organisation) would be a lot quicker and rather less hassle than setting up a suitable Linux desktop.
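The domain-policy point above is worth making concrete. The script below is an added example, not code from the thread or from any of the commenters: it audits a Windows machine for the "Removable Storage Access" policy that a GPO would push, and can apply the local equivalent of "Removable Disks: Deny write access". It assumes the registry locations the policy template writes to (HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices, the Deny_All value, and the per-class Deny_Read/Deny_Write values under the removable-disk setup-class GUID); the function names Test-RemovableStoragePolicy and Set-RemovableDiskWriteDeny are mine. It checks only the removable-media control, not whether the disk itself is encrypted.

```powershell
# Added example (not from the thread): audit and, optionally, apply the
# machine policy that blocks copying data to USB sticks.
# Assumes the registry paths written by the RemovableStorageDevices policy
# template. Run elevated on the target machine, or remotely via Invoke-Command.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" (USB sticks, card readers)
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the key or value is absent.
    # For these policies, absent means "not configured", i.e. access allowed.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RemovableStoragePolicy {
    $classPath = Join-Path -Path $PolicyRoot -ChildPath $RemovableDiskClass
    $denyAll   = Get-RegDword -Path $PolicyRoot -Name 'Deny_All'
    $denyRead  = Get-RegDword -Path $classPath  -Name 'Deny_Read'
    $denyWrite = Get-RegDword -Path $classPath  -Name 'Deny_Write'

    # Deny_All covers every removable class (including optical discs);
    # the per-class values narrow it to removable disks only.
    $writeBlocked = ($denyAll -eq 1) -or ($denyWrite -eq 1)
    $readBlocked  = ($denyAll -eq 1) -or ($denyRead -eq 1)

    if ($writeBlocked) {
        $finding = 'OK: users cannot write records to removable disks'
    } else {
        $finding = 'WEAK: users can copy data to removable disks'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DenyAllClasses     = ($denyAll -eq 1)
        RemovableDiskRead  = $(if ($readBlocked)  { 'Denied' } else { 'Allowed' })
        RemovableDiskWrite = $(if ($writeBlocked) { 'Denied' } else { 'Allowed' })
        Finding            = $finding
    }
}

function Set-RemovableDiskWriteDeny {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Local equivalent of the GPO "Removable Disks: Deny write access".
    # In a domain, set this through the GPO so it is enforced centrally;
    # a local value is only useful on a stand-alone or test machine.
    $classPath = Join-Path -Path $PolicyRoot -ChildPath $RemovableDiskClass
    if ($PSCmdlet.ShouldProcess($classPath, 'Set Deny_Write = 1')) {
        New-Item -Path $classPath -Force | Out-Null
        New-ItemProperty -Path $classPath -Name 'Deny_Write' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit first; preview the change with -WhatIf before applying it.
Test-RemovableStoragePolicy | Format-List
# Set-RemovableDiskWriteDeny -WhatIf
```

Running the audit across a department (for example with Invoke-Command against a list of workstations) gives a per-machine list of where the policy has not actually applied, which is the check that matters: a GPO that exists in the console but fails to apply on a laptop is the same as no policy at all. A reboot or gpupdate is needed after changing the value before the device-class driver enforces it.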

Re:Back to dumb terminals (1)

Rhodri Mawr (862554) | more than 5 years ago | (#24703087)

Unfortunately, we have a government who jumped into bed with Bill Gates and Microsoft at the first available opportunity. On the flip side, we have an opposition who identified the huge cost savings that are available and are advocating moving Whitehall onto Linux and other Open Source software.

Re:Back to dumb terminals (0)

Anonymous Coward | more than 5 years ago | (#24702883)

Erm, cos the links between the server and the dumb terminals are like sooo secure...

Fuck this shit (2, Insightful)

damburger (981828) | more than 5 years ago | (#24702455)

Our government hates freedom. Its desire to turn society into a perfect little machine to optimise a bunch of meaningless metrics leaves no room for free will, or dissent from the middle-class, middle-of-the-road lifestyle that we are supposed to lead.

There is no higher priority for this government than maintaining the status quo, at any cost. Our internet connections must be monitored, our lives recorded in minute detail, our rights before the law curtailed, just so the City can continue to gamble people's pensions and walk home rich whatever happens.

I hate my own country.

McKinsey hates freedom (4, Insightful)

Kupfernigk (1190345) | more than 5 years ago | (#24702821)

More specifically, the preferred choice of consultant of the Government (McKinsey) is an authoritarian, secretive and elitist organisation that believes that the only fate for ordinary people is to be monitored, measured and managed. Politicians don't understand this stuff and do what they are told. The real question is how the Government sold out to a completely undemocratic organisation.

I don't hate my country, but I do dislike those aspects of the private school and class system which cause the people in power to be conformist and inward looking, and ready to believe any snake oil salesman in a Boateng suit. People mock Prince Charles, but at least he is prepared to get into trouble by listening to independent experts and then asking questions about the status quo and the desirability of corporatism. The Government appoints independent experts, and then when their conclusions conflict with those of the editors of tabloid newspapers, or McKinsey, they reject them. The inevitable result is pissed off staff and managerial incompetence. As one of my bosses used to say about organisations like McKinsey, when did you last hear of a great world manager? Taylorism takes no account of leadership, which is what gives morale and a sense of direction to organisations. And the only way to bring in things like data security is to bring back a spirit of public service, which means leadership.

Just do what I do (1)

clickety6 (141178) | more than 5 years ago | (#24702603)

I always give false names and information on government forms just to protect myself against this kind of data loss. ;-)

The pedants are revolting (1)

Harold Halloway (1047486) | more than 5 years ago | (#24702609)

The government haven't 'lost' the data; to have done that they would have to be in a situation where they did not have the data anymore. What they have done is lost media carrying copies of the data meaning that the data is potentially in the public domain or in the hands of someone who will misuse it.

I actually find it reassuring that all this data is apparently so freely available. It would be much more sinister if it were only available to a secret, select few. Publish the lot I say.

Lost? (1)

EdgeyEdgey (1172665) | more than 5 years ago | (#24702631)

They still have the data. It has not been lost. Leaked or exposed would be much better verbs to use.

Re:Lost? (1)

Arimus (198136) | more than 5 years ago | (#24702943)

Actually in the current case in the media today... it has been lost in the proper sense.

The USB stick containing details of all the current UK prison population has been lost (or if I am generous misplaced) by the contractor who had the data for analysis.

So yes the original data is intact but this copy of the data has been lost.

Sounds like a job for FLOSS (1)

BlueParrot (965239) | more than 5 years ago | (#24702675)

This is one area in which FLOSS software has a major opportunity to grow. With open protocols and standards you could set up a system where applications, by default, store and communicate information securely. At present things like encryption and mandatory access control are hard to implement, and worse, difficult to get people to use. If you on the other hand had a standardised system for tagging and encrypting sensitive documents, then you could make it significantly easier to set a policy to use those techniques. Rather than trying to educate everybody on things like packet sniffing you could have a standard interface for accessing and manipulating sensitive documents, and it could be implemented as plugins for your word processor, web browser, e-mail client, etc. Of course, for this to work you would need to make it policy that sensitive documents are only to be manipulated and handled using software that implements the standard, which is why it needs to be open for it to work. The moment you start having to deal with multiple proprietary solutions and interaction between them you are stuffed.

Re:Sounds like a job for FLOSS (2, Insightful)

Vectronic (1221470) | more than 5 years ago | (#24702775)

No it doesn't you OSS junkie.

You spat out that long paragraph of "Free the Pandas", but encryption, plug-ins, and OSS or not, this wouldn't solve the problem. The main problem here is data LOSS, as in "whoops, I dropped it down the drain" (stolen/lost laptops, CDs, USBs, etc). About half of the data was encrypted, which means that there is probably a 75% chance (random pseudo-statistic) that the information is secure, but that has nothing to do with the fact that they lost all that data. Although identity theft is a factor, this is mostly about "What the fuck do we know now?"... re-acquiring a lot of that information could take months, sometimes years, and in other cases never happen at all.

Yes the various networks need better security, but they also need to stop letting Bob and Diane take their work to the cafe when they have sensitive data.

Re:Sounds like a job for FLOSS (0)

Anonymous Coward | more than 5 years ago | (#24703113)

Yes the various networks need better security, but they also need to stop letting Bob and Diane take their work to the cafe when they have sensitive data.

Absolutely. If you are working on sensitive data (i.e. people's records), you should be taking NO writeable media into or out of your place of work.

Re:Sounds like a job for FLOSS (1)

Vectronic (1221470) | more than 5 years ago | (#24703223)

lol, although true with some organizations, in most, if neither was allowed, it wouldn't function.

What should be done is specialized equipment, like Secure Universal Serial Bus Sticks (various patents pending), or something that functions basically the same (hotplugging and such) but has a modified connection so it doesn't use the normal USB one, and looks different without having to really inspect it to tell, and is always encrypted.

On top of that, well laid-out and mandatory procedures for handling the data when transporting, such as a shock collar sort of thing, where if it gets to a certain distance away from the given person/transport, some warning is given, and/or specialized lock-boxes for the equipment, and for more sensitive data, probably a tracking device.

I think most of the problem is they use regular consumer devices, so naturally there is an increased risk of theft: "nice laptop, mine now", and people treating the media as just a normal CD, or USB sticks as a pack of gum, toss it on the dash, drive off, leave it on the counter and go to the bathroom, etc.

And they can't do maths either! (1)

yakumo.unr (833476) | more than 5 years ago | (#24702683)

Since when was :

25 million (child benefit records) + a positive value of X 25 million?

The 'up to' 4 million headline is WAY off.

Re:And they can't do maths either! (1)

yakumo.unr (833476) | more than 5 years ago | (#24702781)

drat, that removed the less than symbol :(

it should have read :

25 million (child benefit records) + a positive value of X < 25 million?

How many people in total? (1)

Hektor_Troy (262592) | more than 5 years ago | (#24702725)

Seriously, how many people in total have been affected by this? I don't mean "well, Johnny has had his stuff lost 500,000 times total, so it's only 3½ million" - just how many people have been affected, including the redundant ones?

The CIA World Factbook [cia.gov] says the UK has a population of 60,943,912 (July 2008 est.) people. In just one year, 6 percent of the total population have been affected by this. That's an insane number!

If that percentage is applicable to the US, that's 18 million people. In the EU it would be almost 30 million!

I suggest we have new laws and regulations put in place with regards to this:

1) Any attempt to cover up losses will result in fines equalling $10 and 1 day in jail (to be served end to end) per person affected for ALL people involved in the cover up, from regular employee to directors, CEOs, bureaucrats and politicians.
2) Any time there is a breach involving negligence (i.e. not someone physically breaking into the building and running off with the equipment), the people involved from employee to directors, CEOs, bureaucrats and politicians will have ALL their data posted in every newspaper in the state they live in. Relevant data of course - if "all" that was lost was SSNs and their names, then that's posted. If it's bank statements then it'll be that.

Yes, $10 and 1 day in jail doesn't sound like much for your data. But it's rarely only one person affected. Mostly it's counted in thousands. The average from the article is 2,007 people, meaning a 20,000 dollar fine and 54 years in jail. The smallest incident is "190 people in 5 incidents". That'd be a small fine - 380 dollars, but still 38 days in jail for each incident. Not something to scoff at.

Re:How many people in total? (1)

zrq (794138) | more than 5 years ago | (#24703199)

1) Any attempt to cover up losses will result in fines equalling $10 and 1 day in jail (to be served end to end) per person affected for ALL people involved in the cover up, from regular employee to directors, CEOs, bureaucrats and politicians.

After the first six months, government offices grind to a halt because three quarters of their senior staff are in prison.

2) Any time there is a breach involving negligence ... the people involved from employee to directors, CEOs, bureaucrats and politicians will have ALL their data posted in every newspaper in the state they live in

This only works once. After the first incident their information has already been published, so why worry about security after that.
"All my data has already been published, so why should I worry about any one else's data"

Data Guardians? (1)

Fleeced (585092) | more than 5 years ago | (#24702767)

Data guardians? Who guards the guardians?

Sadly, it's almost impossible for leaks not to happen - it's almost like a law of database entropy.

Perhaps this is an argument against centralisation of such vast amounts of data in the first place?

Re:Data Guardians? (2, Interesting)

fbjon (692006) | more than 5 years ago | (#24702889)

Data guardians? Who guards the guardians?

The data guards the data guardians. Simply put all their personal info in there, including credit card numbers, and suddenly the guardians will be Nazis about keeping it safe.

It was actually 29 million, not 4 million (4, Informative)

petes_PoV (912422) | more than 5 years ago | (#24702809)

The govt. also lost 25 million Child Benefit records. Though it's possible/likely that there were some duplicates in all this, given that the UK population is "only" 61 million, that's still nearly half the people who live in the UK who have had some personal data lost by the government.

Department of Justice? (2, Insightful)

Rhodri Mawr (862554) | more than 5 years ago | (#24703051)

You *know* a country's going to the dogs when it suddenly creates a Department of Justice and puts a Muppet in charge of it. A semantic point - they didn't *lose* the data, they put it in the public domain through incompetence when the data should have been kept private.

Incompetence.. (1)

WoollyMittens (1065278) | more than 5 years ago | (#24703141)

Those bureaucrats are quite obviously too incompetent to protect us against "terrorism". Who's going to protect us against the bureaucrats?

Data Protection (2, Informative)

PinkyDead (862370) | more than 5 years ago | (#24703197)

It's all well and good to poke fun at the British Government for their consistent negligence. But the only reason this is being reported is because of the data protection laws in the UK - which basically means that if you lose someone's data, there is someone going to come down hard on you and that they have the legal capacity to do it.

Data protection, however, is not ubiquitous - so before railing hard on these guys, ask yourself if you're protected and whether there is someone looking after your interests. If not, then your data could be being lost on a daily basis without you ever having any knowledge of it - and with no recourse even if you did.
