
UK Government Loses 15 Million Private Records

Zonk posted more than 6 years ago | from the that's-gotta-hurt dept.

Security 339

bestweasel writes "The BBC reports that a UK Government department has lost discs with details of 15 million benefit recipients, including names, addresses, date of birth and bank accounts. The head of the department involved, HM Revenue & Customs, has resigned and his resignation 'was accepted because discs had been transported in breach of rules governing data protection' so someone thinks it's not a trivial matter. The Chancellor will try to evade responsibility in the House of Commons at 3.30 GMT. A similar leak of a 'mere' 15,000 records from the same department happened a month or so ago. At that time, they refused to say 'on security grounds' whether the information was encrypted." We just recently talked about Britain's consideration of legal penalties for situations like this. I imagine this incident will weigh on that decision.


25 million now... (4, Informative)

Sirch (82595) | more than 6 years ago | (#21421607)

Or so says The BBC [bbc.co.uk]...

Re:25 million now... (5, Funny)

Slashidiot (1179447) | more than 6 years ago | (#21421661)

Aiming for the World Record of record losing!

Re:25 million now... (1)

DaedalusHKX (660194) | more than 6 years ago | (#21422267)

Weren't these the same idiots who just passed a law to "punish irresponsible data loss"? So I guess the rule is as always "trust us with your safety, even if we let the enemy into your house, keep waiting for us to save you, keep submitting, obey, and all will be well... we promise, you can trust us. Don't you dare do anything without permission. Trust us, we'll take care of you."

And the results, as I'm forced to keep saying... "are very very visible, and completely predictable."

Re:25 million now... (0, Insightful)

Anonymous Coward | more than 6 years ago | (#21422437)

You'd probably appreciate this bit of tinfoil hatterness... I'm willing to suggest that this is an end run to lock down the banks to prevent a bank run in the event of the US credit shit spilling over the seas.

Obviously, they'll have to block everyone from taking money out of their bank accounts in order to ensure that the bad guys who stole the account numbers can't take money out. What's that, your bank is going out of business because it bought billions in US mortgages? Well, give us 6 months for us to clear your identity, and then we'll let you draw a check... if your bank is still around.

Re:25 million now... (-1)

Sanat (702) | more than 6 years ago | (#21422797)

Please mod parent up.. it is insightful... paranoid, but insightful.

If this was your own idea then you are definitely thinking outside of the box.

Re:25 million now... (4, Informative)

Bloke down the pub (861787) | more than 6 years ago | (#21422791)

Weren't these the same idiots who just passed a law to "punish irresponsible data loss"?
No, that would be Parliament. The people who lost the data were HM Customs & Revenue. These are two different bunches of idiots.

Re:25 million now... (3, Interesting)

ilovegeorgebush (923173) | more than 6 years ago | (#21421685)

Indeed. I was going to post the same thing. I'm absolutely shocked they could be so careless. Apparently, it was sent via normal post, without recorded delivery. There's a full summary from the BBC on Alistair Darling's announcement here [bbc.co.uk].

Of particular interest is the fact that it was sent twice. Once again, by recorded delivery, after the initial package was lost in transit.

Re:25 million now... (2, Interesting)

Billosaur (927319) | more than 6 years ago | (#21422015)

How can you be shocked? This is government we're talking about... doesn't matter the country. As soon as you give one group of people anywhere the power to run the whole show, they break down into three categories:

  1. Power Brokers - the people who actually run things (and not necessarily having been elected to do so)
  2. Bureaucrats - the paper pushers, who created the red tape that keeps anyone from actually knowing what's going on or where the money came from/went to
  3. Grunts - the people who do the actual work, usually for very little money compared to 1) and 2), who will do things the way that's easiest, despite the rules

I think this mess happened due to 3):

"Contrary to all HMRC standing procedures two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the National Audit Office by HMRC's internal postal system operated by the courier TNT.

"The package was not recorded or registered."

Some guy/gal knew the data had to get out and couldn't be bothered to send it via courier or registered mail. Plopped the discs in an envelope, licked it, stamped it, and dumped it in the post.

Three times! (5, Insightful)

Dr_Barnowl (709838) | more than 6 years ago | (#21422023)

The first time this happened was in March - the discs were not lost, and were returned to sender after use, not that that actually makes any difference, since the data could easily have been copied.

The real WTFs here are
  • That the database was being sent in its entirety to the audit office when they only asked for a sample.
  • That the whole data was sent when they only wanted a subset of the fields.
  • That junior officers in the civil service have enough access to dump entire databases.
  • That they trusted a third-party courier instead of delivering it by hand.
  • That the files were "password protected", which is clearly code for "not encrypted properly" (probably a ZIP file..).

Ok, it's probably worse than that though.

Re:Three times! (1)

caluml (551744) | more than 6 years ago | (#21422169)

That the files were "password protected", which is clearly code for "not encrypted properly" (probably a ZIP file..).
Although doesn't WinZip now use AES for its encryption - which is perfectly adequate for symmetric (password) encryption.

Re:Three times! (1)

caluml (551744) | more than 6 years ago | (#21422211)

Replying to myself, but yes, it does. WinZip AES [winzip.com]. Better than nothing. (Assuming they used WinZip). Hope they're not meaning a "hold the Shift key down while opening the Access Database 'password'"

Re:Three times! (5, Funny)

Anonymous Cowpat (788193) | more than 6 years ago | (#21422325)

no no, why would you think that the people in the UK government would be that incompetent? The files were no doubt secured with a 30 character password, with no dictionary words or contiguous number sequences, a mixture of capitals and lower-case, numbers & other characters with not a single person's mother's maiden name in sight. Obviously, with such a complicated password, it would have to be included on a post-it note with the disc so that the audit office could actually use them.

Re:Three times! (0)

pegr (46683) | more than 6 years ago | (#21422227)

You want worse than that? Take a step back... If 25 million records were lost and the entire population of the UK is 60 million, that means darn near half the population is "on the dole."

I think that fact is significantly more important than some silly old data leak...

Re:Three times! (3, Informative)

Anonymous Coward | more than 6 years ago | (#21422373)

This is 25 million people who receive child benefit, which is a small amount paid to people with children under the age of 16. So what it really means is that nearly half the population has children.

Re:Three times! (2, Informative)

amw (636271) | more than 6 years ago | (#21422439)

I know such a thing would require effort, but if you were to read TFA you may notice that the loss covers _child_ benefit, not _unemployment_ benefit. Take a step forward. And then note that when the information was first lost, they simply sent a second copy ...

Re:Three times! (1)

Jaseoldboss (650728) | more than 6 years ago | (#21422481)

half the population is "on the dole."

Receiving child benefit you mean. ie. you have at least one child.

Irrespective, I wonder how long before we can expect to see the .torrent on TPB!

Re:Three times! (1)

Quboid (11402) | more than 6 years ago | (#21422631)

There are plenty of benefits that would not be considered to be "the dole" such as child benefit which is paid to all parents/guardians. There are also various tax credits which merely reduce the amount of tax paid rather than causing an actual payment to the recipient.

Re:Three times! (1)

Ed Avis (5917) | more than 6 years ago | (#21422455)

Also - that they were sending it by post at all instead of transferring it electronically (encrypted of course)...

Re:25 million now... (1)

afc_wimbledon (1052878) | more than 6 years ago | (#21421723)

And these are the clowns I'm supposed to trust with all my personal information in their joined-up-mega-database-and-ID-card scheme?

Re:25 million now... (2, Insightful)

keithius (804090) | more than 6 years ago | (#21422311)

And these are the clowns I'm supposed to trust with all my personal information in their joined-up-mega-database-and-ID-card scheme?


And this is precisely the point that needs to be made. Whenever governments start throwing around words like "central" and "database," you need to point to events like this and ask "have we fixed this sort of thing yet?"

Until the answer is a resounding (and verifiable) "YES," I'd ask my government to keep their noses out of my personal information, thank-you-very-much.

Re:25 million now... (5, Insightful)

TheRaven64 (641858) | more than 6 years ago | (#21422515)

That was my first thought. The one good thing about this kind of disaster is that there is now a strong concrete example of why it is a bad idea to give the government any more data than they absolutely need. Whenever someone suggests a massive central database we can say 'you lost 15 million private records, why should we trust you with any more?'

Re:25 million now... (1)

AvitarX (172628) | more than 6 years ago | (#21421863)

That is extraordinary.

I am simply amazed, this is half the population of the UK. What an amazingly mind bogglingly large number to loose at once.

Re:25 million now... (0)

Anonymous Coward | more than 6 years ago | (#21422323)

I am simply amazed, this is half the population of the UK. What an amazingly mind bogglingly large number to loose at once.

I don't know. Loosing 25 million hounds at once would probably be more impressive than merely loosing the number '25 million'.

Re:25 million now... (0)

Anonymous Coward | more than 6 years ago | (#21422443)

Point taken.

Re:25 million now... (1)

mikael (484) | more than 6 years ago | (#21422501)

UK population is 65 million people, with 28 million households. But, 25 million people on benefits? Half the population is below or at the poverty level? No wonder taxes are so high.

But it's fairly easy to lose that amount of data. The actual amount of information for each person could easily be stored within 256 bytes. Even uncompressed, that would only be around 6 gigabytes of data, which could be stored on a couple of DVDs, which is probably what they lost.

Re:25 million now... (1)

Winckle (870180) | more than 6 years ago | (#21422781)

Bloody hell, you may be ignorant of how child benefit works, but you could at least not complain about taxes in my country.

You receive child benefit if you have a child. That's it, not about being poor.

Re:25 million now... (1)

aproposofwhat (1019098) | more than 6 years ago | (#21421897)

Poor Alistair.

He's having a shit week, what with Northern Rock potentially costing taxpayers half a billion, and now this fiasco.

How do you lose 15 million sets of personal data in the post?

Don't the government have couriers for this sort of thing?

However, I don't think he'll be doing the honourable thing and resigning - none of these second-rate ministers ever seem to take responsibility for anything done under their 'leadership'.

The only time they resign is when they're caught shagging or with suspect finances, and even then some of them have the brass neck to remain in office (looking at you, Two Jags, and you, Tessa Jowell).

yeah, it'll weigh on them (2, Interesting)

Nursie (632944) | more than 6 years ago | (#21421639)

And the government will give itself a nice fat getout clause so that it's immune when it loses everyone's data, but any company or individual outside the government is in trouble.

Just watch and wait.

Re:yeah, it'll weigh on them (0)

moderatorrater (1095745) | more than 6 years ago | (#21421953)

I'm just happy they forced the responsible person to resign. Data security isn't taken seriously enough by most people. Who would think of putting all that information on a disc in the first place unless it were a backup? Who would think of putting a backup in a place that people could get to it without some serious security measures getting in the way? This is just ridiculous.

Re:yeah, it'll weigh on them (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21421967)

The government department responsible is likely to be punished with a severe fine.

Three months later it will be discovered that the department is unable to provide the politician-promised and legally mandated level of service due to an unbudgeted severe shortfall of funds, so emergency funding will be provided.

Re:yeah, it'll weigh on them (5, Funny)

paeanblack (191171) | more than 6 years ago | (#21422033)

At that time, they refused to say 'on security grounds' whether the information was encrypted.

That should read 'on job security grounds' ...

And they expect us to trust them... (5, Insightful)

ditoa (952847) | more than 6 years ago | (#21421651)

With a nationwide DNA database? Please. They can't be trusted with anything.

Re:And they expect us to trust them... (4, Funny)

magarity (164372) | more than 6 years ago | (#21421841)

Ah, but with a national database of everything, the missing disks could be located with a simple search query!

Re:And they expect us to trust them... (1)

dintech (998802) | more than 6 years ago | (#21422729)

Ah, but with a national database of everything, the missing disks could be located with a simple search query!

And one of these? [badscience.net]

UK Tag? (0)

Anonymous Coward | more than 6 years ago | (#21421659)

USA stuff gets a USA tag. Let's be fair...

If I were Enlish (1)

Apple Acolyte (517892) | more than 6 years ago | (#21421697)

I'd be mighty upset with the Crown right now. Perhaps this will serve as a cautionary example to other countries who are considering going down similar paths as far as lack of privacy is concerned.

Re:If I were Enlish (1)

Goffee71 (628501) | more than 6 years ago | (#21422035)

When the missing envelope turns up on some junior tosspot's desk will the head of customs unresign himself? That's what happens to most 'missing' post around here. Or will it turn up in 53 years time and be an 'amusing' article at the end of the news?

Re:If I were Enlish (0, Troll)

laddiebuck (868690) | more than 6 years ago | (#21422163)

What on Earth has this got to do with the Crown? Are you just an American highschooler who hasn't gotten past the War of Independence in your history classes?

Re:If I were Enlish (1)

TheRaven64 (641858) | more than 6 years ago | (#21422559)

The phrase 'The Crown' is often used in British English to refer to any government departments. It's a phrase that dates back some hundreds of years to when the crown was the central symbol of authority and other parts of government only acted via powers delegated by the crown. If you read the BBC then you will see this use quite often.

And, as an Englishman, I am absolutely delighted with the crown on hearing this news. I couldn't have created a better argument about a national ID database if I'd tried.

No... (-1, Troll)

DaedalusHKX (660194) | more than 6 years ago | (#21422629)

Are you perhaps a British Subject who hasn't gotten past the part where your mighty armies surrendered to those sissy Americans, roughly after the REAL warriors, the Hessian Mercenaries fighting on behalf of the Crown, threw the fight by not being prepared for a Christmas day ambush? (Remember that little fairy tale told about Washington proudly crossing the Delaware? It was more like fleeing across and sneaking back with more men... either way, it wasn't the BRITISH who were winning at the time, it was the German Mercs from Hess. That basically means that as soon as the mercs were out of the picture, British arms were far less effective, and far more easy to convince to give up.)

Yeah, seems it wasn't the Brits that were winning the revolutionary war... it was the German Mercs (from Hess), which reinforces my concept that the English have only been good at butchering defenseless populations, even if sometimes it was their own, throughout their entire history. Even in India, America, etc. Throughout history, Brits only won when the other side wasn't capable of fighting or ran out of banker finances. I seem to recall that the British were miserably lost until Americans bailed their asses out in both World Wars. Interesting, eh? Personally I think a little German rule would've been wonderful for Britain. Put things into perspective and all that.

And while we're on the subject, "the Crown" refers to a lot more than just the queen and some jewels...

Then again, when have the majority of English been anything but docile authority worshippers, the vast majority who weren't, always left for other lands, I happen to have met quite a few in modern day America, just here on the East Coast, I recognize those funky accents when I run into them out and about? Gods only know how many more are elsewhere in the USA.

As for "jolly ole england..." just deserts, all around, as far as I care. You get what you pay for, and in the case of government abuse, socialists pay a lot, and get their money's worth as always :)

Hmmm... (1)

spungo (729241) | more than 6 years ago | (#21421699)

So, they're benefit recipients, are they? Sounds like an unfortunate accident to me.

15 or 25? (1)

kevmatic (1133523) | more than 6 years ago | (#21421701)

Hm, must be something in the English-Metric conversion, because TFA says there's 25 million lost.

Anyway, Names and phone addresses aren't really that hard to get, but to have your bank account information compromised must SUCK.

Of course, banks should require more than that to allow a withdrawal. It's a lot easier to put money into an account than to take it out.

Re:15 or 25? (1)

Gregb05 (754217) | more than 6 years ago | (#21421819)

Once you have bank account numbers, presumably with the bank involved, I assume it would be trivially easy to phish people by sending emails with correct bank names and REAL names, so large amounts of login credentials wouldn't be too hard to gain with the rest of this information, sadly.

Of course, this is assuming that there isn't enough data lost to allow people to clean out the accounts.

Re:15 or 25? (1)

Captain Hook (923766) | more than 6 years ago | (#21422269)

Hm, must be something in the English-Metric conversion, because TFA says there's 25 million lost.

The confusion is because the HMRC lost 15,000 personal records on a CD last month; and now in a separate incident the same department has lost another 25,000,000 personal records also on CD.

The 2 news stories are getting mangled into a single issue.

lolercaust (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21421705)

LOL. Thats what you faggots that use the word Yank get.

We all know you like to yank your dicks all day and now your private records are public information.

Faggot Brits.

Trust them with the national ID card program now? (2, Insightful)

Gandalf_the_Beardy (894476) | more than 6 years ago | (#21421713)

15,000 records for the pension provider and now somewhat like a third of all people in the UK sent on what appears to be unencrypted discs. When I queried this with Standard Life they said that they had no choice but to accept the data like that and that the Govt refused to encrypt it. This being the same Govt that wants to hold all of our medical records in one national database, along with all of the ID card details. For the US people reading, the National Insurance number is synonymous with your SSN, although not of quite as much use for fraud. It's still not something that you want to allow out into the wild.

Re:Trust them with the national ID card program no (0)

Anonymous Coward | more than 6 years ago | (#21422257)

That's nothing. Under the new NHS IT system, health records are sent unencrypted over the open internet, because they never got round to specifying a security standard before it went in. There *should* be heads rolling over this, but everybody's up to their neck in it.

Re:Trust them with the national ID card program no (1)

saintsfan (1171797) | more than 6 years ago | (#21422907)

This is not directly in line with what you mentioned, but something I have been thinking about lately is the usefulness of encryption with information this valuable. Sure, it needs to be used to mitigate in the event of lost data, but consider this: in many instances, and across industries where personal information is stored or transported, there is an encryption standard. For argument's sake let's say 128 is the standard for many things now, i.e. "the least they are supposed to use". Now let's consider the future advances of computing and math. I have a bad feeling that a lot of us are going to outlive the usefulness of these encryption standards. So what's the problem? Well, many current encryption standards may be considered weak or trivial in 5-10 years, but if I'm alive my SS#, birthdate, name, and possibly even my bank account number won't change, so the information may still be good. Sure you can monitor your credit and whatnot, but really that's just to detect having already been taken advantage of and does not account for medical, employment, criminal, civil, voting, donating, and the like.

Trust the Government (5, Insightful)

Vanders (110092) | more than 6 years ago | (#21421735)

The fact that 25 million records were being sent via post burnt on DVDs should give some idea of the level of technical competency in the public sector. Apparently they were being sent to the Audit Office, but why the Audit Office needed an off line copy of the data, and a complete copy at that, isn't addressed: no doubt some ridiculous bureaucratic idiocy that makes Brazil look sane.

The idea of burning an unencrypted copy of your sensitive data to a DVD and handing it to a random delivery company should horrify even the most incompetent sysadmin or DBA. Apparently no one in HM Customs & Revenue thought anything of it.

These are the sorts of people who want to build a massive database of all our personal details and tie them to ID cards. They tell us the data will be "perfectly safe". I wouldn't trust them to run a mail server.

Re:Trust the Government (0)

Anonymous Coward | more than 6 years ago | (#21421943)

At least the data was encrypted this time - or at least 'password protected' according to the Beeb article.

Re:Trust the Government (1)

tttonyyy (726776) | more than 6 years ago | (#21422595)

At least the data was encrypted this time - or at least 'password protected' according to the Beeb article.
"two password protected discs" does not necessarily imply the use of encryption.

What we do know is that the individual(s) that sent the discs weren't overly concerned about the security of the data they contained. Pure speculation, but if the same individual(s) also chose the password, it probably isn't very strong either (and probably wasn't delivered to the recipient in a safe way).

Odds are it's one of these:

http://www.eribium.org/wp-content/uploads/2007/01/common_passwords.txt [eribium.org] ...or at least crackable by brute force within a reasonable timeframe, especially given enough computing power (botnet, anyone?)

Given that identity verification often consists of as little as "what's the first line of your address?", "what's your date of birth?" or "what's your wife's name?" this presents a very serious breach of privacy/security indeed.

Re:Trust the Government (2, Insightful)

MrNemesis (587188) | more than 6 years ago | (#21422857)

Password protected? I think that's soon to become NewSpeak for "we didn't use proper encryption". Knowing what I know of some of the incredibly ridiculous levels of bureaucracy inside the UK public sector (although I've never been involved with anything outside of legal) I wouldn't be surprised if this amounted to anything as secure as a password protected zip file, with a short password at that.

But the fact that the whole fecking database went out in the mail is utterly inexcusable. This is akin to me emailing a dump from the financials systems via my hotmail account.

And, just to re-confirm my stance on the UK national ID card along with everyone else, how they expect the public to believe that they can keep a database as huge and sprawling as everyone's fingerprints, retinas, tax records, benefits, medical history, travel history and criminal record secure I don't know. I'm not even sure that some of them know the meaning of "secure".

The UK government is many things, but they've proved time and time and time again that, collectively*, they know absolutely fuck all about designing (or rather, outsourcing the design to the lowest bidder), maintaining and running any sort of large scale computing project. All of the ones I can remember throughout my lifetime have been late, massively over-budget and unreliable, and some have even been scrapped way before their EOL due to just plain not working.

On a related note, it's at times like this I wish Google did government consultancy. If anyone can keep a colossal distributed database on track, it's them. And as evil as they might be, I trust them more than I trust Capita or EDS**

*I've met some very smart people working for the government but they're bogged down in a stultifyingly inert bureaucracy, worse than anything I've experienced in the private sector. Wouldn't be surprised if Gilliam saw Brazil as a documentary

**Governmental favourites for LCD IT outsourcing with a similar illustrious track record for incompetence

As someone who's worked in the public sector... (0)

Anonymous Coward | more than 6 years ago | (#21422739)

...I don't think technical competency overall is the core issue, there's a lot of good people there who are there because of job stability, often after being made redundant in the rather insecure world of private sector IT employment.

The real issue is apathy as I know all too well having worked there. When wages are low and managers simply don't care about attempts by these workers to improve and modernise IT systems and procedures then these so-called juniors that are getting the blame are probably so utterly demoralised it's foolish and naive to trust them with so many records in the first place.

As an example, we tried implementing the BS7799 security recommendations including a 5 minute inactivity lockout only to be told to undo the whole lot because some people were annoyed at having to unlock their computer every 5 minutes, when we tried to resist and refuse citing the importance of security we were basically told to do it or face disciplinary action.

The real problem as usual is those at the top being unwilling to run a professional service in the public sector. This is why I feel bad for those juniors who sometimes are often pretty clever people but who are the ones who will likely lose their jobs over this when in fact they were the ones who no doubt tried to push change only to be told by management that they can't implement this change for whatever reason i.e. because it meant management would actually have to do some work and actually know about the field they were employed to manage for once.

Listen up, Brits (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21421741)

OK poofters, I'll give it to you straight. I'll apologize in advance if I offend any of you, but I'm a sharp minded insightful speaker unlike the typical Brit. Oh, and I brush my teeth.

American will celebrate Thanksgiving in two days, and for us that is primarily a celebration of getting you anal retentive, meddling poofters out of our hair. Jesus, what a relief. How's that whole monarchy thing going for you? Great, eh? It would be like America picks a random family, Sally Q. Public, and buys them a sprawling estate and pays for all wants and their outlandish lifestyle. What exactly is the fucking point? Good luck with that.

But anyway, you'll notice Slashdot gets a little less busy over the next few days. Don't worry, we'll be back poofters, after enjoying the severing of ties with "Great" Britain.

Re:Listen up, Brits (4, Funny)

Anonymous Coward | more than 6 years ago | (#21422209)

Not offended old bean, we were more than pleased to get rid of that bunch of God-bothering homophobic nutjobs. Enjoy the

Toodle pip!

Re:Listen up, Brits (1)

benito27uk (646600) | more than 6 years ago | (#21422809)

We're anal retentive! As Robin Williams said:

Then the Puritans broke away from the Calvinists, our ancestors, people so uptight, the English kicked them out.

How anal do you have to be for the English to go: "Get the fuck out!" "Take your pimp shoes and go!"

The moral of the story? (0)

Anonymous Coward | more than 6 years ago | (#21421777)

Don't use number tokens to prove identity. It's the same reason using the same password for all your logins is a bad idea, because once someone knows, everyone knows. The solution isn't more government regulation, it's not tying the concept of identity to a couple commonly known pieces of information like date of birth or SSN.

Where's the Backup? (2, Funny)

digitaldc (879047) | more than 6 years ago | (#21421807)

Didn't anyone learn ANYTHING from the last 5,000 years of record keeping?

Re:Where's the Backup? (2, Insightful)

Billosaur (927319) | more than 6 years ago | (#21421889)

Yes... destroy all the records! Leave 'em guessing!

Seriously, it's preposterous to talk of data retention strategies and forcing people to be part of national data banks when there's absolutely no talk about how you're going to make it secure. I would like to think a data center where personal data for users/citizens is kept would be run more like Fort Knox than the McDonald's Drive-Thru.

Re:Where's the Backup? (1)

Gregb05 (754217) | more than 6 years ago | (#21421955)

The backup isn't important, the real question is 'Who has the data'.

The loss of the data isn't important, the gain of the data by people who probably shouldn't have access to banking information and home addresses is a problem, though.

Re:Where's the Backup? (1)

larien (5608) | more than 6 years ago | (#21422007)

It's marginally misleading - I read it as "lost, gone forever", but it sounds more like they sent a copy of the data to another department and it disappeared somewhere in the post.

Not quite as bad, but still very careless and possibly in violation of data security laws.

This give us hope (3, Funny)

owlnation (858981) | more than 6 years ago | (#21421869)

We've been heading towards the totalitarian Peoples Democratic Republic of (formerly Great) Britain for some time now. This kind of thing is actually encouraging.

In a country where you are watched by security camera most of the day, and can be detained without charge for longer than anywhere on Earth, it is reassuring to note that the UK Government is so incredibly incompetent that there will always be a way to escape. No need for tunnels, gliders, or under the floor of a Trabant -- it should be pretty much possible to just walk through the border with a library card altered in crayon.

Re:This give us hope (0)

Anonymous Coward | more than 6 years ago | (#21422551)

"We've been heading towards the totalitarian Peoples Democratic Republic of (formerly Great) Britain for some time now."

The PDRB? No, everybody knows its official name is "Airstrip One" [wikipedia.org]. In fact, it has always been called that.

This public notice is brought to you by the Ministry of Truth.

Re:This give us hope (1)

Wanoah (943464) | more than 6 years ago | (#21422885)

Personally, I don't find it all that comforting that the only guarantee of our civil liberties is the continued incompetence of government departments. I mean, one day, they might actually get their shit together and we'll all be living in a police state.

Yeah, you're right. Never going to happen. What was I thinking?

Clearly a Slashdot experiment (1)

Thanshin (1188877) | more than 6 years ago | (#21421887)

Whoever uses 15 instead of 25 in the reply will get an instant karma loss.

Insidious AND subtle.

The disks password protected (1)

Diamonddavej (851495) | more than 6 years ago | (#21421909)

It was briefly mentioned on Sky News and the BBC that the disks are "password protected". Is this true, if so what's the encryption and password strength? Maybe the data cannot be accessed.

Re:The disks password protected (1)

fox1324 (1039892) | more than 6 years ago | (#21422069)

My guess? An Excel spreadsheet with the password option checked.

Either way, what is the appropriate recourse when a government proves itself so grossly incompetent?

Re:The disks password protected (0)

Anonymous Coward | more than 6 years ago | (#21422103)

More likely it's an unencrypted Excel spreadsheet with a password that a child can bypass.

Re:The disks password protected (1)

Dr_Barnowl (709838) | more than 6 years ago | (#21422113)

I'd lay odds that "password protected" means "password protected ZIP file", in other words, virtually unprotected, especially since there are enormous numbers of cribs in a data sample containing so many names and addresses.

The debate in parliament was using the words "encrypted" and "password protected" but at no time was the lost data ever accused of being "encrypted". This suggests that they are aware of the correct usage and that the data concerned was not encrypted using any strong algorithm.

Re:The disks password protected (1)

sa1lnr (669048) | more than 6 years ago | (#21422117)

I bet the password is "childbenefit"

Re:The disks password protected (1)

Slashidiot (1179447) | more than 6 years ago | (#21422173)

That would be stupid. I'm pretty sure we can trust the government to have a better password than that. Like "password", or "123". Something witty.

BBC (1)

ch-chuck (9622) | more than 6 years ago | (#21421931)

This would make an excellent episode of "Yes Minister" - of course Sir Humphrey would come up with some kind of solution.

Offering 100,000 - 1 odds it was clear text (5, Insightful)

lena_10326 (1100441) | more than 6 years ago | (#21421949)

At that time, they refused to say 'on security grounds' whether the information was encrypted.
Then it wasn't. If it had, the first thing out of their mouths would have been "relax, it was all encrypted".

Re:Offering 100,000 - 1 odds it was clear text (1)

Slashidiot (1179447) | more than 6 years ago | (#21422119)

It's funny when the government behaves so childishly:

- You lost 25 million private records???? The data was encrypted, wasn't it???
- Hmmm... I cannot tell you...
- WHY??
- Just in case the bad guys cannot read the plaintext data and think it is encrypted and discard it... or something... dunno...
- That's plain stupid.

Re:Offering 100,000 - 1 odds it was clear text (4, Funny)

TheRaven64 (641858) | more than 6 years ago | (#21422601)

I strongly suspect that this doesn't mean what you think it means...

Re:Offering 100,000 - 1 odds it was clear text (3)

Zelos (1050172) | more than 6 years ago | (#21422303)

Exactly - all they'd have to say is "it's encrypted using AES-256/whatever, everyone whose details are on the disk will be dead by the time it's decrypted".

Although, considering that the government is using the time taken to break decryption as an excuse to raise the time they can hold 'terrorists' without charge, they probably want to avoid mentioning that.

Re:Offering 100,000 - 1 odds it was clear text (0)

Anonymous Coward | more than 6 years ago | (#21422657)

Encrypting with AES 256 means little. AES is just a link in a chain. It's similar to safecracking 101. It doesn't matter what the safe is as much as what the lock on the safe is like.

Without having a secure password, then a secure means of hashing the password (look at how TrueCrypt does things to see how this can be done right. TrueCrypt never stores the password in a volume, but hashes the password multiple times, and decrypts a value to see if the right answer comes up).
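The scheme the comment above describes, sketched as an added example (not part of the original post and not TrueCrypt's own code): the password is stretched with PBKDF2 and used to decrypt a header, and only a known marker reappearing confirms it. The function names, iteration count, marker value, weak-password list and the SHA-256 counter keystream standing in for AES are all assumptions of this sketch.

```python
import hashlib
import hmac
import os

MAGIC = b"VOLHDR01"      # constructed marker that must reappear after decryption
ITERATIONS = 200_000     # assumed work factor; every guess pays this cost
WEAK = {"password", "123", "childbenefit"}  # the guesses quoted in this thread


def derive_key(password, salt):
    """Stretch the password with PBKDF2-HMAC-SHA512 into a 32-byte header key."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, dklen=32)


def keystream_xor(key, nonce, data):
    """Stand-in cipher (SHA-256 in counter mode); a real tool would use AES here."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def create_header(password, master_key):
    """Header = salt || nonce || Enc(MAGIC || master_key).

    Neither the password nor a hash of it is written anywhere.
    """
    if password.lower() in WEAK or len(password) < 12:
        raise ValueError("password too weak to protect the volume")
    salt, nonce = os.urandom(16), os.urandom(16)
    body = keystream_xor(derive_key(password, salt), nonce, MAGIC + master_key)
    return salt + nonce + body


def unlock(password, header):
    """Return the master key if the password decrypts the marker, else None."""
    salt, nonce, body = header[:16], header[16:32], header[32:]
    plain = keystream_xor(derive_key(password, salt), nonce, body)
    if hmac.compare_digest(plain[:len(MAGIC)], MAGIC):
        return plain[len(MAGIC):]
    return None
```

The random salt makes two headers for the same password differ, and the iteration count is the only thing slowing repeated guesses, which is why the weak-password check sits in front of it.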

Another reason for the bank account monitoring ??? (0)

Anonymous Coward | more than 6 years ago | (#21422077)

How can the public sector cost our country so much and yet be so damn incompetent ?

There are some other rumors circling ... one of which is that the bank account monitoring they are talking about, is actually just an excuse to slow transactions down / prevent them, as there are soon to be further bank runs, as fall out from the credit crunch (Northern Rock et al) continues.

Re:Another reason for the bank account monitoring (1)

jweatherley (457715) | more than 6 years ago | (#21422765)

'How can the public sector cost our country so much and yet be so damn incompetent ?'

I think the clue is in the question.

Remedy (1)

ackthpt (218170) | more than 6 years ago | (#21422147)

The only way to remedy this sort of thing is a long prison sentence. Put the buggers in with scum drug dealers from the estates.

Of course (1)

Zelos (1050172) | more than 6 years ago | (#21422159)

This is from the bureaucracy that thought putting confidential personal details in a public folder on a web server was secure as long as they didn't tell anyone they were there:

http://www.channel4.com/news/articles/society/health/exclusive+junior+doctors+details+exposed+online/469137 [channel4.com]

and that's currently £6.2bn over budget on implementing a medical record database:

http://www.theregister.co.uk/2006/06/16/nhsit_budget_overrun/ [theregister.co.uk]

Why are UK government IT projects always doomed to failure?

Re:Of course (2, Insightful)

RegularFry (137639) | more than 6 years ago | (#21422375)

Why are UK government IT projects always doomed to failure?

Because civil servants have no idea how to protect themselves from getting shafted by software suppliers, and no financial incentive to learn, essentially. Also, the government has an extreme aversion to suing its suppliers, so the same suppliers do the same thing every time.

Re:Of course (1)

ditoa (952847) | more than 6 years ago | (#21422423)

Because MPs are not IT project managers and they don't employ skilled IT project managers. They treat all projects as the same so you get somebody who thinks they know about computers as they once wrote an Excel macro and give them some fancy job title.

Oh please. (4, Insightful)

Harold Halloway (1047486) | more than 6 years ago | (#21422191)

"The Chancellor will try to evade responsibility..." In what way could he be held responsible? The data was copied and sent in clear breach of the agency's (and the Government's) rules. The last time I checked, it wasn't the Chancellor's responsibility to monitor personally all packages sent by Government agencies. Had the security breach happened due to actions which did NOT breach any rules then I might agree with you, however this is not the case here. Put it this way: If ministerial resignation (and that is what you are implying should happen) is to follow every breach of security then that is a green light to every ne'er-do-well and Tory malcontent working in Government to start posting confidential data left, right and centre.

Re:Oh please. (0)

Anonymous Coward | more than 6 years ago | (#21422413)

So you're saying the employees should be criminally liable? I agree that Darling shouldn't resign over this. He should resign over the misappropriation of public money in order to prop up a private bank!

Anyway, this'll never happen with the 'ID card' or medical database. The government will have strict "rules and procedures" in place making it impossible for a leak of this nature to occur... and I'm Elvis Presley!

fiasco (0, Offtopic)

pasm (697457) | more than 6 years ago | (#21422223)

Have your say: [bbc.co.uk] I love this comment: "Will they guarantee any losses to people through fraud? They guarantee other risky ventures." Which of course refers to the British Government guarantees to Northern Rock.
Certainly ID cards, which this government pushes with all its might, would have done nothing here since it was not 25m individuals sending their data insecurely but 1 individual with a database and a stamp!

This is very worrying. (1)

ResistanceIsIrritati (808817) | more than 6 years ago | (#21422307)

If the head of the organisation has felt it necessary to resign then there must be a whole lot more to be revealed. After all no one in the UK resigns just because they or their department is merely incompetent any more.

Re:This is very worrying. (1)

ditoa (952847) | more than 6 years ago | (#21422491)

He should have got his department to kill somebody, that way he could have kept his job!

Just wait till it's our DNA and Fingerprints (2, Informative)

MrSteveSD (801820) | more than 6 years ago | (#21422721)

At some point, if the UK government gets its way, everyone will have their DNA and fingerprints stored in a central database. How long will it be before some backup hard drive goes missing with all the data?

refused to say 'on security grounds' (1)

CranberryKing (776846) | more than 6 years ago | (#21422805)

"At that time, they refused to say 'on security grounds' whether the information was encrypted."

Which means it wasn't.

Just trying to help (4, Funny)

ZorbaTHut (126196) | more than 6 years ago | (#21422837)

Did they look behind the couch?

That's where I always lose things.

They might be there.