Slashdot: News for Nerds


In UK, 12M Taxpayers Lost With USB Stick

kdawson posted more than 5 years ago | from the and-your-little-data-too dept.

Privacy 258

An anonymous reader tips a piece from the UK's Daily Mail that recounts another sad tale of the careless loss of massive amounts of private user data. "Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details. The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets. An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost."

258 comments

How it came to be lost? (5, Insightful)

Guido del Confuso (80037) | more than 5 years ago | (#25610147)

I've got a better question. I'd like to know how this memory stick came to be in the first place!

Putting aside the question of whether such a database of private information has any reason to exist, what possible excuse is there for putting the information to access that database on a portable USB device? It was not a question of if such a device would be lost, but when.

Good security policy demands redundancy for just this reason. A verification system should require--at the very least--a combination of something you know (your personal pin), and something you have (for example, a SecurID or in this case, a USB key with the passcodes on it). That way, if the physical token is lost, security isn't immediately compromised.

This kind of careless attitude towards security wouldn't fly in the corporate world. It's only because it's the government doing it that security is so lax. After all, nobody's job is on the line over this. It's next to impossible to fire a government employee in most countries, epic incompetence--or even outright misconduct--notwithstanding. So expect to see more of this, because there's no incentive to change.

Re:How it came to be lost? (5, Insightful)

MrMr (219533) | more than 5 years ago | (#25610197)

Sorry to disappoint you, but the careless attitude appears to be entirely that of the 'corporate world'. Oversight of the subjects has long been a privatised matter in the UK.

Re:How it came to be lost? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25610255)

Hello Mr Grumpy-pants. Please put a smile back on your face with the happy news that Cute Overload is dating Slashdot [typepad.com] .

Re:How it came to be lost? (1)

ta bu shi da yu (687699) | more than 5 years ago | (#25610449)

That would be funnier if they were wearing everyone's personal data.

Re:How it came to be lost? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25610549)

I need help deciding to vote for Barack Obama or not. Mod me down if you think he'd be a failure. Mod me up if you think he shits diamonds.

Re:How it came to be lost? (4, Insightful)

KGIII (973947) | more than 5 years ago | (#25610635)

This is one of the few types of story on /. where people aren't clamoring to say that information needs to be free or that it wants to be. Alas, I must agree with you. That would have been much funnier.

How many angels can dance on the head of a pin? (1, Informative)

tomhudson (43916) | more than 5 years ago | (#25610721)

That's because what we REALLY want to know is how you fit 12 million taxpayers on a USB stick... This is the modern version of "How many angels can dance on the head of a pin?" meets "Honey, I shrunk the kids!"

"12M Taxpayers Lost With USB Stick" - or did they lose both a USB stick AND 12 million taxpayers? That must be one heck of a recession.

Or is it "M" as in metric measurement, so that taxpayers who are taller than 12 meters/metres got lost? If so, they should check with the circus or Guinness book of World Records. How DO you "lose" anyone who's almost 40 feet tall, anyway?

Re:How many angels can dance on the head of a pin? (1)

KGIII (973947) | more than 5 years ago | (#25610913)

Blender and a really very big USB stick.

Re:How it came to be lost? (4, Informative)

electrictroy (912290) | more than 5 years ago | (#25610519)

Well I'm working for a corporation, and they forbid the use of USB gadgets for this precise reason - they don't want people copying & later losing the USB drives as they carry work to their homes. It's simply not worth the risk.

Re:How it came to be lost? (5, Informative)

saintm (142527) | more than 5 years ago | (#25610211)

> This kind of careless attitude towards security wouldn't fly in the corporate world. It's only because it's the government doing it that security is so lax.

It was a private company, Atos Origin, which lost the data.

Yes, but the government will not accept defeat! (2, Funny)

Anonymous Coward | more than 5 years ago | (#25610391)

Work and Pensions Secretary James Purnell leaves red box secrets on train [mirror.co.uk]

Interesting things to note:

  • Someone uses the British rail system.
  • He's not the first: "The embarrassing gaffe comes days after civil servant Richard Jackson was fined for leaving top secret documents relating to al-Qaeda and Iraq on a train."

Re:How it came to be lost? (0)

Anonymous Coward | more than 5 years ago | (#25610513)

Heads need to roll, hefty fines imposed. Really, the private company who lost it HAS to be sacked.
There have been enough 'accidents' recently that even dumbass security people know this is wrong. Such high level access means someone in the chain buckled. The defense - we were ordered to - is not good enough.
Also there are 'secure' memory sticks, but they are not.

Re:How it came to be lost? (0)

Anonymous Coward | more than 5 years ago | (#25610719)

Atos Origin? I worked for that company, in a different country though. I'll just say I'm glad to have left, and post AC....

Re:How it came to be lost? (5, Informative)

jeroen94704 (542819) | more than 5 years ago | (#25610837)

I used to work for Atos Origin (Although this was in the Netherlands, not the UK). In my experience, their insight into how security works is absolutely abysmal. When I worked there, it was no problem to reset someone else's password without their knowledge with a simple call to the help-desk.

At a later stage, they introduced a new 'lost-password' procedure for the intranet site which was positively retarded. In essence, when creating an account, you were required to enter three passwords. One of these was the actual password used to enter the site. When you had forgotten your password, you were then required to enter the other two passwords in order to reset the first one.

This was obviously intended as an implementation of the well-known "question-only-you-know-the-answer-to" challenge-response idea. The way it was done though (you had to enter both the 'answer' AND the 'question', and both were displayed as asterisks) rendered the whole system completely useless.

When I pointed this out to the helpdesk, they assured me the whole procedure was approved by very knowledgeable people, and very secure. Besides, there was absolutely no way for them to submit any problem reports to the developers responsible.

Stupid FUD, Obscurity is not Security. (1)

inTheLoo (1255256) | more than 5 years ago | (#25610215)

The article has this scare mongering:

> An expert who examined it for The Mail on Sunday said it contained confidential passwords, security software and the technical blueprint to the system known as the 'source code'. ... Mr Erasmus, who has previously worked with Government agencies, said that the blueprint to the Government Gateway was 'invaluable' for those who would want to harvest personal details or defraud the Government.

If the technique used could be cracked, it was only a matter of time before it was discovered. Had the process been transparent from the start, better encryption techniques might have been used. Shame on this "expert" for not understanding this fundamental issue.

Your corporate world is full of this kind of expert. They make their living by checking boxes, not thinking.

Re:How it came to be lost? (1)

dintlu (1171159) | more than 5 years ago | (#25610239)

If these attitudes towards security didn't fly in the corporate world we wouldn't see weekly articles detailing the millions of customers' data lost by hapless corporations.

And before making blanket statements like "good security requires redundancy," I'd like to see some statistics detailing the amount of personal data and passcodes stored in databases worldwide and the amount of personal data "stolen" annually, with the data stolen being weighted according to its usefulness for fulfilling criminal endeavors. Sreegs.

It could be that the reason we react so strongly to stories about millions of records being lost is that it's a new risk, and our human risk analysis intuition hasn't yet adapted to the reality of the situation.

Re:How it came to be lost? (-1, Offtopic)

electrictroy (912290) | more than 5 years ago | (#25610537)

Time to start demanding Account numbers *separate* from your social security number. That helps minimize the damage to a minor loss of personal info at megacorp.com, rather than a loss of national identity (someone else pretending to be you with your stolen SS number).

Re:How it came to be lost? (3, Funny)

dnwq (910646) | more than 5 years ago | (#25610245)

From TFA:

> An expert who examined it for The Mail on Sunday said it contained confidential passwords, security software and the technical blueprint to the system known as the 'source code'. The memory stick is now in the hands of the police.

I love the little quote marks around "source code". Oh my god, it's the Source Code! Anyway... from that, I daresay that the USB stick wasn't meant to provide access to the database. Probably more as a copy of the gateway system software.

> This kind of careless attitude towards security wouldn't fly in the corporate world. It's only because it's the government doing it that security is so lax.

More from TFA:

> The memory stick was lost by Daniel Harrington, 29, an IT analyst at computer management firm Atos Origin.
>
> The multinational company, which boasts an annual turnover of £4billion, won the five-year £46.7million contract to manage the Government Gateway in 2006.

Hmmm.

Re:How it came to be lost? (2, Insightful)

FourthAge (1377519) | more than 5 years ago | (#25610469)

I'm not convinced about the credentials of their "security expert". Sounds like more of a "scare story expert". Quoting the article:

> He said: 'We have to hope that there are not more of these out there. This is potentially the most serious data loss this country has seen in recent times... Not only would a fraudster be able to take personal details using the tools provided on the lost memory stick, but the extent of the information contained in the source code would allow a hacker to access the Government Gateway's payment systems and even divert tax money into private bank accounts.

I hope none of you are using Linux, because I have the source code, and that means I can hack your system and steal all your money.

Does the Mail have a gallery of these "experts" on standby to give a comment as required for the scare of the day... "Experts say that nobody knows how many paedophiles are molesting your children at this very moment!" "Experts say you could be knifecrimed by a chav today!" "Experts say that Russell Brand might be prank-calling your grandfather RIGHT NOW."

Re:How it came to be lost? (3, Informative)

AlecC (512609) | more than 5 years ago | (#25610531)

I recently attended a lecture by Ben Goldacre, author of the Bad Science column in the Guardian and book of the same name. He regularly debunks newspaper "experts", usually in the medical/health care/nutrition area. He gave numerous examples where the newspaper's so-called experts were, as I would see it, nothing of the sort. Without commenting on the particular case, most newspaper editors are scientific illiterates who will grace with "expert" anybody who knows anything at all about the subject.

Re:How it came to be lost? (1)

Simon Brooke (45012) | more than 5 years ago | (#25610669)

> Without commenting on the particular case, most newspaper editors are scientific illiterates who will grace with "expert" anybody who knows anything at all about the subject.

This particular case being the Daily Wail, there's no need to qualify 'illiterate' with 'scientific'. OK, I admit that in this case he's confounded my prejudices by publishing a story which is actually journalism... but it was probably by accident.

Re:How it came to be lost? (0)

Anonymous Coward | more than 5 years ago | (#25610541)

> Daniel Harrington, 29

I guess someone's going to find it hard getting a new job...

Re:How it came to be lost? (1)

jonbryce (703250) | more than 5 years ago | (#25610247)

I'm guessing this USB drive contained an MS Word file with the passwords written in it. I'm sure it is nothing as sophisticated as a SecurID key.

Re:How it came to be lost? (1)

dnwq (910646) | more than 5 years ago | (#25610269)

Apparently not:

> A spokesman for the Department for Work and Pensions insisted that the security software and passwords on the memory stick had been protected so that a stranger would not be able to access the Government Gateway easily.
>
> She said: 'Passwords are hidden using an industry standard technique which is difficult to break. We believe the risk of someone accessing personal data in this way is extremely low.'

Assuming she's not lying through her teeth, my impression is that what was on the USB stick was more akin to a malicious attacker stealing your /etc/shadow file. A breach, to be sure, but a long step from compromising your entire system.

Re:How it came to be lost? (3, Funny)

Anonymous Coward | more than 5 years ago | (#25610323)

Translation: MS Word file was password protected.

Re:How it came to be lost? (1)

jonbryce (703250) | more than 5 years ago | (#25610671)

Using the standard 40 bit encryption which Elcomsoft AOPB can crack in about a day.

Re:How it came to be lost? (4, Insightful)

Dan541 (1032000) | more than 5 years ago | (#25610705)

The Industry standard is unencrypted.

Re:How it came to be lost? (3, Funny)

Anonymous Coward | more than 5 years ago | (#25610349)

> In UK, 12M Taxpayers Lost With USB Stick

Presumably the rest of the population are lost without one.

Re:How it came to be lost? (1)

Dan541 (1032000) | more than 5 years ago | (#25610677)

Why can't we throw people in Jail for this sort of thing?

'Passcodes' not data (1)

morgan_greywolf (835522) | more than 5 years ago | (#25610849)

FTFS, what was lost was not data, but some kind of 'passcode':

> The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets.

My guess is that the stick contained either a file containing some passwords (bad idea), or, more likely, some sort of private key file.

All y'all harping on the people for doing this, let me ask you this: How many of you carry your SSH, SSL, PGP, or other private keys on your memory stick? Yeah, ok, kettles!

Re:How it came to be lost? (1)

Cowmonaut (989226) | more than 5 years ago | (#25610889)

Tell that to TJ Maxx...

Re:How it came to be lost? (1)

Drasil (580067) | more than 5 years ago | (#25610941)

This is just the latest in a long line of data losses/leaks. I find it difficult to believe that these are isolated events. I am forced to ask myself what there is to be gained from such frequent blatant breaches of data security. It seems to me that this and the previous incidents will be used to justify the creation of the upcoming UK government database. This is the usual MO when a government wants to do something unpopular, it first engineers events and the public perception in such a way that when the unpopular action is taken it is welcomed by the majority.

I for one welcome our current overlords and their new and improved ministry of information![/sarcasm]

Forget how it was lost. (4, Insightful)

N1AK (864906) | more than 5 years ago | (#25610149)

"An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost." I don't particularly care how it was lost, people will always manage to lose things and expecting otherwise is very naive. What I really want to know is what the hell that much sensitive data was doing on a USB stick in the first place.

Re:Forget how it was lost. (3, Funny)

niks42 (768188) | more than 5 years ago | (#25610503)

That's their off-site backup!

What about the lost stick that didn't get found? (1)

PolygamousRanchKid (1290638) | more than 5 years ago | (#25610591)

> I don't particularly care how it was lost, people will always manage to lose things and expecting otherwise is very naive.

Quite true ... was this one the only one they lost?

Re:What about the lost stick that didn't get found (1)

Dan541 (1032000) | more than 5 years ago | (#25610715)

Coming to a .torrent near you!

Why was the stick needed? (4, Insightful)

Jeppe Salvesen (101622) | more than 5 years ago | (#25610695)

I have witnessed how strict, inflexible security rules force people to break the security in order to get their job done.

Re:Forget how it was lost. (1)

conlaw (983784) | more than 5 years ago | (#25610871)

"An urgent investigation is now under way into how the stick ... came to be lost."

I don't think it should take much of an investigation as to how a flash stick came to be lost "in a pub car park." I think that one pint too many would be the obvious answer. It seems that investigation should focus on how and why he had the USB stick in the first place.

Bet (5, Insightful)

Sasayaki (1096761) | more than 5 years ago | (#25610217)

I will bet $100 AUD (Or about 50 UK pounds) that there will be absolutely no jailtime served by anyone involved in the loss of this data, with the possible exception of the poor soul who found it.

Not the first time it's happened by far, and it certainly won't be the last... would you trust a surveillance society that can't even keep track of its own inventory?

Re:Bet (4, Insightful)

jimicus (737525) | more than 5 years ago | (#25610363)

> I will bet $100 AUD (Or about 50 UK pounds) that there will be absolutely no jailtime served by anyone involved in the loss of this data, with the possible exception of the poor soul who found it.

After the number of high-profile security breaches, the number of well-meaning people who have been treated as suspects by the police and the willingness of the media to pay for such stories, it seems that the only sensible thing to do is very quietly hand it over to a journalist.

Re:Bet (2)

Sasayaki (1096761) | more than 5 years ago | (#25610509)

Or destroy it.

Seriously, blowtorch it to ashes. What USB stick? The data isn't irreplaceable.

Re:Bet (1)

sa1lnr (669048) | more than 5 years ago | (#25610757)

"it seems that the only sensible thing to do is very quietly hand it over to a journalist."

Theft by finding?

I would imagine that if you find something and can't return it to its owner you should hand it into a police station and not a newspaper. Newspapers are not law enforcement bodies. How much do they get paid by said newspapers for handing them a story I wonder?

Re:Bet (4, Insightful)

robably (1044462) | more than 5 years ago | (#25610561)

> would you trust a surveillance society that can't even keep track of its own inventory?

There isn't supposed to be any trust in a surveillance society - that's the whole reason for the surveillance.

Lost data (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25610223)

What, again?

At the same time, the government wants us to let them store personal details of all citizens in the interest of national security.

Re:Lost data (3, Interesting)

pisto_grih (1165105) | more than 5 years ago | (#25610539)

> At the same time, the government wants us to let them store personal details of all citizens in the interest of national security.

I'm hoping that all these USB sticks are lost on purpose, in an underground campaign to show how careless the government is with our personal details, thereby increasing mistrust and fueling public backlash against a surveillance state.

Perhaps it's time for employees to stop (1)

rolfwind (528248) | more than 5 years ago | (#25610229)

taking their work home with them. This is a consequence of such a thing. Companies are even more worried about projects being lost this way, with 64GB USB sticks out now and what not. Makes you think that they should put a move onto implementing all data systems that encrypt/decrypt data only upon it syncing with a central system via an authorized route PLUS a user password ahead of time. Because once there is a malicious user within the framework, encryption alone won't stop them from selling off massive amounts of info with the 1TB+ sticks they'll have in a few years time.

Might as well hawk this while we're talking about taxes:
http://www.apttax.com/ [apttax.com]

Do we even need another one of these stories? (3, Funny)

bugbeak (711163) | more than 5 years ago | (#25610233)

I'm sure regular Slashdot readers have seen something involving misplaced private information and the UK government more than enough times...this is almost as bad as a dupe.

It would be nice if the summary was accurate! (3, Informative)

Anonymous Brave Guy (457657) | more than 5 years ago | (#25610919)

This sounds like typical hyperbole in a Slashdot summary based on a typical Daily Mail scare article. Try reading a more balanced report [bbc.co.uk] from the Beeb.

If you follow that link, you will find that the data was all encrypted, and the memory stick should never have been removed from the contractor's premises. According to the official statements, security was never compromised (though access to the government service's web interface was temporarily suspended). And it's not some nasty central database to spy on everyone, it's a useful system that allows you to do things like filing your tax return on-line rather than messing around with lots of paperwork — one of the few IT projects our government actually seems to have got right!

This was just one guy working for a contractor who screwed up by not following protocol, and assuming the data really was properly encrypted, the security procedures have done their job to mitigate the damage. There is nothing to see here. Please move along, and spend your time worrying about the numerous cases where data really has been compromised and the numerous databases that really don't need to exist.

bet carried (1, Informative)

Beer-o-clock (1309041) | more than 5 years ago | (#25610257)

agreed. this'll just disappear as soon as the tabloids find something new to focus on.
and no, this breach of security wouldn't fly in the corporate world. everywhere i've worked in the last 4 years has operated a USB lock down policy, and a "non-writable" optical drive on the desktop.
i know the average slashdotter could get round re-enabling the mass-storage usb class with their eyes closed, but these are government, and public sector companies we are talking about. who couldn't find their arse with both hands.
unfortunately, they somehow got to the position of running the country....

the brain drain continues....

Re:bet carried (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25610417)

Your libertarianism is showing - it was a private entity that lost the data.

funny elections (-1, Offtopic)

vecteevs (1319857) | more than 5 years ago | (#25610265)

Jon Lajolie as Barrack Obama http://snipurl.com/4ul5w [snipurl.com]

Re:funny elections (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25610335)

Fuck off, you spamming douchecock.

12M Taxpayers Lost? (4, Funny)

Loibisch (964797) | more than 5 years ago | (#25610277)

Damn...that's quite a lot of people to go missing.

Re:12M Taxpayers Lost? (3, Funny)

msormune (808119) | more than 5 years ago | (#25610483)

Yeah... And think how long will it take to create them new identities, as their old ones may have been stolen... Poor people, it must feel awfully empty inside when your identity is stolen. It takes a lifetime to build up, after all.

Re:12M Taxpayers Lost? (-1, Redundant)

ta bu shi da yu (687699) | more than 5 years ago | (#25610555)

I know! How did they fit them all in that little device?

Re:12M Taxpayers Lost? (1)

Max Romantschuk (132276) | more than 5 years ago | (#25610703)

And it'll be a lot more when the next intergalactic bypass is completed!

The unknown (4, Insightful)

TheP4st (1164315) | more than 5 years ago | (#25610305)

This USB stick with sensitive/valuable data got returned and appropriate actions could be taken to minimize damage. But the number of incidents like this we've seen lately raises the question of how many other lost USB sticks and other storage media with passwords, personal data etc are floating around unknown to the people whose integrity and personal finances quite possibly are at stake.

Re:The unknown (1)

AlterRNow (1215236) | more than 5 years ago | (#25610327)

Whoops, incorrect mod :(

UK Government loses all data on everyone (5, Funny)

David Gerard (12369) | more than 5 years ago | (#25610313)

Annual reports from Whitehall departments show that the government has lost all data it ever held on anyone. [today.com]

Losses have occurred through couriered unencrypted disks, misplaced memory sticks, lost laptops, briefcases left on trains and files falling down the side of the tea machine. "The real scandal is that a train was running for them to lose a case on," said a source whose name has been lost.

Treasury minister Jane Kennedy said the HM Revenue and Customs breaches did not necessarily result in data losses, or at least any that they have records of. HMRC said it takes data losses and security breaches "very seriously" and thoroughly investigates any breach that it does not lose track of.

Information Commissioner Richard Thomas has served enforcement notices on various departments for their data losses, but the departments in question could not find their office addresses to accept the notices. They noted, however, that Mr Thomas' call was very important to them, and that he had been placed in a queue.

Home Secretary Jacqui Smith reassured citizens that plans for an all-encompassing ID card linked to biometric passports and a universal medical record with the NHS would not change because of these losses. "We won't even be thinking about them."

Re:UK Government loses all data on everyone (1)

David Gerard (12369) | more than 5 years ago | (#25610447)

30% "Informative"? Er, OK :-)

Re:UK Government loses all data on everyone (0)

Anonymous Coward | more than 5 years ago | (#25610475)

It was a joke from NotNews.com

Re:UK Government loses all data on everyone (1)

aproposofwhat (1019098) | more than 5 years ago | (#25610481)

LOL - great parody :o)

You missed Geoff Hoon, though - "the next thing we lose will be your liberty, for the sake of the fight against terror".

Oh, bugger - that's nearly a real quote - here's the reality [bbc.co.uk] .

That would be something! (5, Interesting)

Anonymous Coward | more than 5 years ago | (#25610339)

If they could lose taxpayers just like that, these idiots would be a lot more careful, wouldn't they? Perhaps that's the way to solve this problem: If you lose my data, then I don't pay taxes for a year.

But how .. (4, Interesting)

Idimmu Xul (204345) | more than 5 years ago | (#25610353)

Why is it that whenever something like this gets *found*, the person doing the finding always understands what's on it? If any of my typical pub-going friends and relatives found this the chances of them realising what is on it is pretty slim, and it would most likely get formatted.

How many other memory sticks get lost and found by people that don't realise what is on them, or why is it that every memory stick found is always found by an IT literate with the know how to work out what they contain and the immediate urge to sell their story to a tabloid ...

Re:But how .. (2, Interesting)

aproposofwhat (1019098) | more than 5 years ago | (#25610499)

I'd guess that anyone finding a USB stick who didn't realise what it was would ask their friendly local BOFH to take a look - thus ensuring the flow of beer tokens from the tabloids to said BOFH.

Re:But how .. (3, Informative)

The New Andy (873493) | more than 5 years ago | (#25610605)

Or possibly just that the story about a guy who found a usb stick and deleted everything on it didn't make it to the news.

Re:But how .. (1)

Idimmu Xul (204345) | more than 5 years ago | (#25610681)

> Or possibly just that the story about a guy who found a usb stick and deleted everything on it didn't make it to the news.

> How many other memory sticks get lost and found by people that don't realise what is on them

That's also one of my points!!

Re:But how .. (1)

KGIII (973947) | more than 5 years ago | (#25610691)

Any self respecting BOFH would then tell the luser that it was broken, out of date, and discard it into the "bin" for them. Bin meaning, of course, back pocket of said BOFH.

Re:But how .. (0)

Anonymous Coward | more than 5 years ago | (#25610631)

> Why is it that whenever something like this gets *found*, the person doing the finding always understands what's on it?

Well, you only hear about those. There might be 10 times more private data lying around that just nobody cared about...

Same old same old... (3, Informative)

WillKemp (1338605) | more than 5 years ago | (#25610371)

Britain's a joke. I've been living there for most of the last year and barely a week seems to have gone by without a 12-14 year old kid getting stabbed or a large batch of confidential personal data going missing from some government department or other.

It's unbelievable. When are they going to get their shit together???

(Before anyone gets too narky, i'm British - i just haven't lived there for nearly 25 years).

Re:Same old same old... (4, Funny)

duguk (589689) | more than 5 years ago | (#25610413)

Well, this is why the British government wanted to increase the terrorist detention limit to 42 days; to make sure they had enough time to gather all the information about a suspect.

They just didn't explain that most of those 42 days would be working out what bloody train they'd left their details on.

See, this is why I don't do my taxes.*
* yes, of course I do, I just do them on paper. it's actually a shorter form iirc.

Re:Same old same old... (3, Informative)

Anonymous Coward | more than 5 years ago | (#25610525)

You raise two quite unrelated issues.

I was in the USA for 2 years and barely 10 minutes goes by without someone being murdered with a gun over there. The odd knifing in the UK is basically nothing compared to this. More interesting is the media frenzy - in the UK it's actually news when a murder happens. In the US it's only news if the victim is white.

As for data losses, I don't know, it's like a piss take of epic proportions.

Re:Same old same old... (3, Insightful)

prefect42 (141309) | more than 5 years ago | (#25610583)

To an extent it's just because that's what sells papers. There are always kids being stabbed and planes crashing and data being lost. It's just if kids being stabbed becomes a hot topic, you print more stories on stabbed kids.

I really don't think much has changed, but the Mail is keen to point out that the world is ending, and it's probably Johnny Foreigner's fault.

What about the data losses that aren't reported? (1)

niks42 (768188) | more than 5 years ago | (#25610393)

If there are so many losses of data that wend their way to the Press, how many losses are there that find their way to criminal hands? I assume that if one were connected to the underworld, it would be more lucrative?

What is a doggah? (1)

red3dwarf (982204) | more than 5 years ago | (#25610415)

The screenshot in the article shows bookmarks, one of which is called 'doggahs'. What does it mean?

it's the daily mail - probably rubbish (4, Informative)

petes_PoV (912422) | more than 5 years ago | (#25610437)

Check out the Daily Mail's front (web) page. If you can get past the bile, hate, bias, bitterness and sensationalism, ask yourself: does this publication actually have any credibility?

Re:it's the daily mail - probably rubbish (5, Funny)

Weedlekin (836313) | more than 5 years ago | (#25610551)

"If you can get past the bile, hate, bias, bitterness and sensationalism, ask yourself: does this publication actually have any credibility?"

Once you get past all that, there's no content left in the Daily Mail, so its credibility or otherwise is moot.

good (0)

Anonymous Coward | more than 5 years ago | (#25610471)

Congratulations to whomever left it there. Like most leaks, this one was almost certainly completely intentional, by a disgruntled employee. Sometimes they're official - I worked in a minor civil service position and we'd "leak" information all the time, usually in the form of rumours, to shape public opinion. It works :-).

Why the need for a USB stick at all? (4, Interesting)

Phurge (1112105) | more than 5 years ago | (#25610473)

In these days of the intertubes, why do government departments even need such a massive amount of data on a physical medium? Why not transfer data from one location to the next by a dedicated encrypted net connection?

Re:Why the need for a USB stick at all? (1)

Simon Brooke (45012) | more than 5 years ago | (#25610779)

> In these days of the intertubes, why do government departments even need such a massive amount of data on a physical medium? Why not transfer data from one location to the next by a dedicated encrypted net connection?

Seriously, the main reason for using memory sticks is to get around security. I regularly carry data into and out of a particular client's offices on a memory stick, because their firewall rules are too strict to allow it to be passed in or out by any other means. The data I am carrying is non-sensitive data that I am authorised to carry - but no-one verifies this, and (because I develop business critical systems for them) I do have access to their highly confidential business critical data.

There are two issues here:

  • It's no good having good (and necessary) network security if people can do end-runs around it with physical media;
  • If network lockdown is too tight, people will make end runs around it because they have to to get their job done.

Security that forces people to evade it is poor security, because the evasion route is necessarily unpoliced.

Re:Why the need for a USB stick at all? (0)

Anonymous Coward | more than 5 years ago | (#25610785)

The data wasn't on it. Sorry to break with tradition, I hold my head in shame but did in fact RTFA. From the reporting it seems there was no data on it. It contained source for the system and presumably MD5 or simple unix crypt hashes of system passwords. You can tell this by the way the naive PR spokeswoman claims it's no security risk and that the age of the source code has any bearing on the risk...

She said: 'Passwords are hidden using an industry standard technique which is difficult to break. We believe the risk of someone accessing personal data in this way is extremely low.'

She added that the source code was old, that the step-by-step guide to the system provided in a text file was a 'low risk', and that other items on the memory stick provided only a 'rudimentary guide' to the system.

An ex-government analyst has a more revealing opinion

However, Mr Erasmus said the source code was only a few months old and that the password encryption would be 'relatively easy' to crack, given the information on the device.

He said: 'I could decrypt those passwords to log in to the system and roam around the network. As we can see from the data on the USB stick, the systems contain highly sensitive personal information.

So, no data lost, but entire system compromised. In terms of seriousness I think this is actually very low. A complete change of the password database is inconvenient but a complete remedy.

If the source is proprietary and of use to an attacker, then the issue is one of embarrassment to the company that wrote it. If they are relying on obscurity to protect the system then they failed computer security 101, very embarrassing, much more so than losing a silly USB stick. However most ordinary people will not comprehend this issue, so the headline is about "data loss".
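An added illustration, not part of the comment above and not Government Gateway code, of why the storage scheme decides how bad a leaked password file is: unsalted MD5 exposes shared passwords at a glance and is cheap to compute, while a per-user salt with a slow KDF is neither. The account names, passwords and PBKDF2 work factor are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example

def legacy_md5(password):
    """Unsalted, fast hash: the weak scheme the comment presumes."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_hash_groups(table):
    """Accounts whose stored value is identical, i.e. visibly share a password."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def cost_ratio(samples=2000):
    """How many MD5 computations fit in the time of one PBKDF2 derivation."""
    start = time.perf_counter()
    for i in range(samples):
        legacy_md5(f"guess{i}")
    md5_each = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    hash_password("guess", b"\x00" * 16)
    return (time.perf_counter() - start) / md5_each

# Constructed sample accounts, not data from the incident.
ACCOUNTS = {"alice": "Summer2008", "bob": "Summer2008", "carol": "x9!Lq"}

if __name__ == "__main__":
    md5_table = {u: legacy_md5(p) for u, p in ACCOUNTS.items()}
    kdf_table = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    print("shared under MD5:   ", shared_hash_groups(md5_table))
    print("shared under PBKDF2:", shared_hash_groups(kdf_table))
    print("MD5 hashes per PBKDF2 derivation: %.0f" % cost_ratio())
```

Whatever the scheme, rotating every credential that was on the stick is still required; the stronger scheme only limits what the finder learns before rotation completes.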

Surveillance Society (4, Insightful)

MrKaos (858439) | more than 5 years ago | (#25610491)

For a government that collects so much surveillance on their citizens you would expect an outcry for some accountability when private data is lost.

Re:Surveillance Society (4, Insightful)

Sasayaki (1096761) | more than 5 years ago | (#25610533)

Silly citizen. The rules apply to you, not us.

Re:Surveillance Society (1)

Joce640k (829181) | more than 5 years ago | (#25610593)

You'd think so but nobody is watching the watchers.

Re:Surveillance Society (1)

Weedlekin (836313) | more than 5 years ago | (#25610693)

There's plenty of outcry for accountability, but Witchfynder Smith has an astonishing ability to completely ignore anything that doesn't support giving more power to the government and the police.

There is a sign... (1)

barndoor101 (1289328) | more than 5 years ago | (#25610501)

...In Westminster that counts the days since the last moronic data breach. Looks like it will have to go back to zero. Good thing it only ever needs 2 digits.

Fine them! (1)

hughbar (579555) | more than 5 years ago | (#25610515)

I say we impose heavy fines on all UK government departments that have lost data. Wait a minute...maybe we'll just have to create corporal discomfort using USB sticks instead.

Re:Fine them! (1)

orlanz (882574) | more than 5 years ago | (#25610663)

So in other words, let's raise taxes another 10% under the banner of fighting terrorism. I can see the lawyers and USB makers already foaming at the potential revenue.

Re:Fine them! (1)

Dan541 (1032000) | more than 5 years ago | (#25610739)

> I say we impose heavy fines on all UK government departments that have lost data.

So if they lose taxpayer data the taxpayer is fined by the taxpayer with all payment made to the taxpayer!

Huh?????

A USB stick I can understand (0, Redundant)

MadMidnightBomber (894759) | more than 5 years ago | (#25610579)

But 12M taxpayers take up quite a lot of room. How on earth can you lose that many people?

Suggestion for the new Beta Index page (5, Informative)

Anonymous Coward | more than 5 years ago | (#25610589)

We need a -dailymail option, currently I am having to use -notthebest, which isn't quite right. It does not adequately cover the feeling of anger and disappointment, nor the small amount of bile that leaps from my stomach to my mouth, at the sight of a Daily Mail article on the Slashdot homepage.

I know it's bad to regard an article as an utter fabrication, just because of where it originated. But in this case we must make an exception, because every other article the Daily Mail has ever printed has been a half-truth or outright lie.

FFS, this is the 'newspaper' that bitched about the number of Jews immigrating to Britain in the late 30's. They're not called the Daily Hate for no reason.

This sums up the Daily Mail [youtube.com] , from the perspective of your average-Brit-with-a-clue. Seriously, please do not consider the Daily Mail as a reliable source, of anything. Ever.

Privacy losses (4, Informative)

Wowsers (1151731) | more than 5 years ago | (#25610597)

Why were unencrypted passwords allowed to be copied? Why are there no criminal convictions for these lapses in these companies and of government ministers responsible for these companies? More worrying are comments like this [timesonline.co.uk] from the UK's supreme leader on 02 Nov 08:

Gordon Brown has made a frank admission that government cannot promise the safety of personal data entrusted by the public. The Prime Minister was speaking hours after it emerged that a memory stick containing the passwords to a government website used to submit online tax returns had been lost.

Even more worrying considering government rhetoric [guardian.co.uk] on the £20bn ID cards they want:

From 2010, the government will target young people to get an identity card on a voluntary basis "to assist them in proving their identity as they start their independent life in society", with full roll-out to all British citizens starting from 2011. "The government are kidding themselves if they think ID cards for foreign nationals will protect against illegal immigration or terrorism - since they don't apply to those coming here for less than three months. "ID cards are an expensive white elephant that risk making us less - not more - safe. It is high time the government scrapped this ill-fated project." The Liberal Democrats said the cards' "fancy design" did not detract from the fact that they remained an intrusion into people's liberty. Chris Huhne, the party's home affairs spokesman, said: "It does not matter how fancy the design of ID cards is, they remain a grotesque intrusion on the liberty of the British people. "The government is using vulnerable members of our society, like foreign nationals who do not have the vote, as guinea pigs for a deeply unpopular and unworkable policy. When voting adults are forced to carry ID cards, this scheme will prove to be a laminated poll tax."

And from the government mouthpiece the BBC [bbc.co.uk] :

SNP Home Affairs spokesman Pete Wishart MP said his party had opposed ID cards from the outset but the government's "abysmal record on data protection" was reason enough to cancel them. He said the government looked "absurd" for pushing ahead with such a costly project. "These cards will not make our communities more secure, they will not reduce the terrorist threat and they will not make public services more efficient," said Mr Wishart. Phil Booth, head of the national No2ID campaign group, attacked the roll-out of the cards as a "softening-up exercise". "The Home Office is trying to salami slice the population to get this scheme going in any way they can," Mr Booth told the BBC. "Once they get some people to take the card it becomes a self-fulfilling prophecy. "The volume of foreign nationals involved is minuscule so it won't do anything to tackle illegal immigration."

Lost Data. (1)

orlanz (882574) | more than 5 years ago | (#25610627)

I think the fact is that data can be lost by corporate or government entities, and where there is an opportunity or better yet a will, it will almost always happen. Even the most perfect system will always have the most imperfect cog, the user. The how may help us better protect future information, but the issue is that the information is out there and will almost never be retrieved.

I love it when people say that so far "nothing bad has happened" or "the lost info isn't clear text" or something similar. They are, at best, doing a probability and risk analysis or, at worst, have no clue what they are talking about. Unfortunately, I think it makes people feel better when they hear that, and forget that... your data is still out there forever!

But I think nowadays data breaches are far worse when it has something to do with the government as they usually hold more very private and static data than any single corporation. It worries me that countries like the US and UK want to aggregate and collect so much information in one place. It's just a gold mine that's waiting to be picked that no amount of local or international laws are going to stop someone from trying. And the problem is, it only takes one, ONE person to breach the security and that data snapshot in time is forever out in the wild.

The more worrying factor... (-1, Redundant)

Roenax (1399265) | more than 5 years ago | (#25610643)

I don't think anybody has mentioned the flash drive had the entire source code on the drive.

It was a French company, not UK Govt. (3, Informative)

Kupfernigk (1190345) | more than 5 years ago | (#25610655)

Sorry to disappoint UK bashers, but it was a French/Belgian company, and not the British Government, that lost the data. The scandal, of course, is that so much of our IT and utilities have been hived off to non-UK companies, but for that we have to blame the City, not the Government. The people who are saying "corporates wouldn't allow it" - this mess of data loss is almost entirely caused by American, French, and German/Japanese corporates. I would love to blame Civil Servants, but I can't.

I'm afraid the solution is roughly as follows, in a simple step by step guide

  • 1. Bear down on French IT company from windward.
  • 2. Lie down between guns for protection.
  • 3. Let them fire first broadside, most of which will miss
  • 4. Taking your time, deliver devastating broadsides at close range.
  • 5. Repeat until final victory.

Worked for Nelson, anyway.

Here we are again (-1, Redundant)

Lars T. (470328) | more than 5 years ago | (#25610845)

The same people who say you can't "steal" data because it is still there will gladly say that you can lose it even if it's still there.

Ironic coming from the Daily Mail... (1)

ndixon (184723) | more than 5 years ago | (#25610893)

...when they made a similar mistake [guardian.co.uk] back in July.

(For non-UK readers, the Guardian is a well-known s*cialist newspaper; the Daily Mail emphatically isn't, and there's a long-running difference of opinion between those two papers; so there was a strong sense of Schadenfreude in the Guardian article)

Our government are idiots. (1)

hippie-joel (1399283) | more than 5 years ago | (#25610907)

Our government are idiots. Is this just the labour party, or England in general? See that's the problem. And on the topic of ID cards or whatever, that's another problem with this country. Gordon Brown is watching you masturbate. What's the nearest country I can run to? (preferably outside of the European union as well)