
and the government proves themselves totally incompetent again!

timeless

ULTIMATE Member
Staff member
Volunteer Mod
'Massive failure' over data loss

Ministers have been accused of a "massive failure of duty" after thousands of criminals' details, stored on a computer memory stick, were lost.

The Tories say the Home Office appears "incapable" of keeping data secure and criminals may seek compensation.

Details of 84,000 prisoners in England and Wales were lost by private firm PA Consulting. The Home Office said a full investigation was being conducted.

The information commissioner's office described it as "deeply worrying".

The missing memory stick includes un-encrypted details about 10,000 prolific offenders and data on all 84,000 prisoners in England and Wales.

'Horrified'

A Home Office spokesman said the data was lost by PA Consulting, a private contractor working for the Home Office, and was "held in a secure format on site and downloaded onto a memory stick for processing - which has since been lost".

Shadow Home Secretary Dominic Grieve said he was "absolutely horrified" by the loss and "government incompetence".

PA Consulting has searched its premises and looked at CCTV recordings in an attempt to recover the missing memory stick.

It is the latest in a string of lost data incidents for the government, including stolen laptops, lost computer discs and memory sticks and files left on trains.

The Home Office was told by PA Consulting on Monday that the data might be missing and the contractor confirmed on Tuesday it had failed to uncover the memory stick but it was not clear how it came to be lost.

'Serious consequences'

The data on the stick also includes information from the Police National Computer of some 30,000 people with six or more convictions in the last year.

Details of serving prisoners included names, addresses, dates of birth and in some cases release dates.

The transfer of further data to PA Consulting on the project has been suspended pending the investigation.

The Conservatives have accused the government of a "massive failure of duty".

Shadow home secretary Dominic Grieve said the Home Office "has a habit of doing this".

He said: "It's entrusted with a great deal of highly confidential material and it seems to be entirely incapable of keeping it secure.

"And the consequences are very serious. They're serious because it may lead to the identity of the people involved being revealed."

"One of the possible consequences is that they [criminals] will bring legal actions against the government and the taxpayer will then have to pay damages to people, who appear to be pretty undeserving, because of the government's incompetence."

'Toxic liability'

David Smith, Deputy Commissioner in the Information Commissioner's Office, said the latest loss showed that personal information could be a "toxic liability" if not handled properly.

"It is deeply worrying that after a number of major data losses and the publication of two government reports on high profile breaches of the Data Protection Act, more personal information has been reported lost," he said.

He said sensitive information, such as prisoner records, must be held securely at all times and said his office expected to be provided with a copy of the internal investigation report.

"We will then decide what further action may be appropriate. Searching questions must be answered about what safeguards were in place to protect this information," he said.

Labour MP and chairman of the home affairs select committee Keith Vaz told BBC Radio 4's Today programme he hoped the government had put adequate safeguards in place.

"If you hand out memory sticks almost like confetti to companies and ask them to do research for you, then you have to be absolutely certain... that the company concerned has put in practice procedures which will be just as robust as the procedures that I hope the government has followed," he said.

A spokesman for PA Consulting refused to comment on the data loss.

Earlier this month the BBC apologised after a memory stick containing the personal details of hundreds of children who had applied to take part in a TV show was stolen from a vehicle.

On Tuesday, a BBC analysis found sensitive data potentially affecting more than four million people had been lost by government departments in the year to April.

Cases included the loss of the National Insurance numbers of 17,000 people and the theft of a laptop with encrypted details of 17,000 Sats markers.

The details of 25 million child benefit claimants vanished last year.

The incident led to the recommendation that government departments should give details of personal data losses.

Source: http://news.bbc.co.uk/1/hi/uk_politics/7575989.stm

Every time I see one of these news articles it makes me feel less and less comfortable about this central database they are planning. If they can't keep things secure, how the hell can I shop online? They assure us it will only be email and domain logging, but who's to know logging won't go further and put credit card details in jeopardy because some ass lost some unencrypted disks with our personal history on them?

This makes me feel very uneasy... and I wasn't feeling that comfortable about the whole issue to begin with.
 
The only good thing is the day a criminal files for (and gets) compensation over this will be another nail in Gordon Brown's coffin.

Mind you, I don't suppose it would be any better with any of the other parties - after all, it would still be the same civil servants ignoring the risks of data loss.
 
I confidently expect 84,000 claims from the criminals. All on legal aid. And all resulting in massive compensation.
 
Could also be a classic case to prove that outsourcing anything that involves people's personal data of any type isn't as secure as the government and large companies were trying to tell the public. Perhaps a total overhaul of the DPA making outsourcing any personal data is needed with large compensation to the customers if this information leaves UK businesses to any third-party partner.
 
All this proves is outsourcing fails, it fails to deliver a high standard of protection, fails to deliver the promises of the government.. Oh wait they also fail to deliver their promises so nothing new there..

Time to rethink as I said and hand back our privacy we should have total control of our personal data and the companies shouldn't share it around without our explicit permission and not using hidden text in 40 page legal jargon..
 
The problem with the Labour party is that Tory B lIar sold us to the chimpanzee for peace in Ireland. (Peace we could have had easily years ago, had the opposition not needed the Ulster party as a sidearm and the USA supported the IRA.)

He sold us out and left at the last possible moment after removing the kitchen sink and pulling the carpet out from under the new occupant.

Obviously Brown was not a member of the spin helix for it seems the cover up unit cleared off with the national disgrace it supported. So the inevitable happened and things went wrong straight away as though it had been engineered.

If Tory B Liar had given a stuff about the country do you think he would have let that happen?

Look at government from another angle and you will see the picture I am looking at.

Speed cameras were all the rage once they caught on. "Yes it is an intrusion into our privacy but the lives saved are worth it."

Then the government realised they are a cash cow and took over the revenue. All of a sudden the local councils are beginning to realise that speed cameras were never as good as they had been thought to be. All of a sudden there are alternatives.

What a coincidence.

Look for coincidences and follow the money. You will soon see who is doing what and why.

Anyone who votes for a politician is going to be paying a trained liar to take their money.
 
Anyone who votes for a politician is going to be paying a trained liar to take their money.
I think I might omit the word "trained" there - properly trained liars wouldn't shoot themselves in the foot so often.
;)
 
Yes, I get on the platform about governance crap too easily.

The point I failed to make was that this debacle smacks strongly of the use of Windows.

For goodness sake; local government branches of things such as Job Centres and Tax offices are still using Windows 2000.

What chance has anyone got?

Linux distros are updated every 6 months or so. That means a security rewrite along with major upgrades the like of which compare to a Service Pack in XP.

And there were only three of them in the whole lifetime of that OS. That's 4 versions since it came out. And it still doesn't work properly.

And I bet the Tax and Prison Services are all using unpatched versions. The best security for it being data held on versions so old that no criminals use it.

Pity they write OSs to interoperate with legacy, ancient versions.
 
It's very little to do with the OS version they are using, the majority of cases so far have been pure incompetence, having laptops with sensitive files on, allowing peripheral devices to be attached to computers (USB sticks mainly), sending unencrypted data on DVDs, and god knows what else.

Need to sort all of that before they look into securing the systems, otherwise there's no point at all.
 
The biggest security threat to any company is its employees.

Following on from that, the biggest threat to office security is the USB stick, simply because the possibility of taking vast amounts of data out of the office undetected and unprotected is so huge. The possibility to lose them is pretty high too.

In the last (prisoner data) breach, the politician said the data was stored securely. That may be the case in terms of encryption, restricted access etc. But if a legitimate user can copy the data to wherever they want, particularly to USB it isn't f*cking secure at all.

My own company had a couple of laptops stolen with potentially sensitive data on them. They then decided to make sure all laptops had full-drive encryption installed, and spent a fortune doing it. Fair enough. We also have secure VPN software, enough AV to keep a fleet of XP systems clean, top Firewalls etc.

I've just been issued with a 4GB USB stick. So have most people in my company. Whilst I don't have access to personnel data, I do have access to a LOT of information about upcoming products that a competitor would be very interested in.

Very secure!
 
There's probably considerable opportunity for IT security consultants at the moment, should anyone fancy a career change.

A company could be made reasonably secure from employees, as long as they are not too technically minded.

Disable the USB ports, and for any machine with outside access (pretty much all nowadays) you have to completely restrict what they can do.

Laptops however, are a nightmare.
 
This is the government we are on about... in essence "what is the point", once they set this unwanted database up of our usage it will be just as insecure and be used for underhand purposes.. you give public servants and councils access, they will use it for purposes of spying without reason so they can profile us for voting or just find out information about us to help them get ahead.. the system WILL BE ABUSED and I'm TOTALLY sure about that
 
There's probably considerable opportunity for IT security consultants at the moment, should anyone fancy a career change.

A company could be made reasonably secure from employees, as long as they are not too technically minded.

Disable the USB ports, and for any machine with outside access (pretty much all nowadays) you have to completely restrict what they can do.

Laptops however, are a nightmare.

Laptops shouldn't be allowed to store the data, just access a central base to use this data; once switched off, all data removed from laptop.
 
Laptops however, are a nightmare.

No they're not - we have a global fleet of thousands of laptops, with ALL of them fully encrypted, needing both a password (with restrictions that mean it can't be a no-brainer to guess) and a physical USB dongle to even switch on (you can have it so that the dongle isn't needed, thus allowing for disabled USB ports).

You can't even get into the BIOS without first putting the password in.

They automatically lock up after a MAXIMUM 10 minutes of inactivity (when again you need the encrypted password, not the Windows one).

Also, these things 'phone home' periodically, so if an employee nicks their laptop it can be locked easily, either when it hasn't been able to contact the server for x amount of time, or when it can connect and the server tells it to lock up.

It's quite easy (though not necessarily cheap) to secure a laptop. It's not so easy to properly (and automatically) secure data on a USB stick.

Laptops shouldn't be allowed to store the data, just access a central base to use this data; once switched off, all data removed from laptop.

So whoever nicks it finds the idiot user has left a note of all their passwords on the desktop, giving them access to the company intranet, all of the user's files etc etc.

Plus I do an awful lot of work on the road, or in customer / partner offices and I need local copies of my work with me, so it's not always practical to require a connection with HQ.
 
sorry - I hit quote rather than edit
 
Just password protecting data doesn't mean it's secure, if I had access to the system/laptop I could render such BIOS protections useless in minutes with a screwdriver shorting it out.. other drive protections are easily gotten through via simple procedures, keeping data safe means one must first start at keeping the actual system/disks safe!
 
Yes. That's why it's encrypted. Can't remember to what strength, but it's a minimum of 128-bit. The whole drive is encrypted, not just the data, so if anyone nicks the PC or even just the HDD it would be useless to them.

We're not stupid enough to rely on basic Windows / BIOS passwords!

Incidentally, the kit we use is Common Criteria certified - this is security certification for pretty much any IT kit, and is very hard to achieve to a decent level - I know because my company's products are also certified. It costs a fortune!
 
What type of encryption? If you're talking normal SSL it's still not that secure.. granted communications between systems may be 80% secure (there is a margin for error and interception), a user can brute force logins with SSL.. generally the server will be forced to disconnect but with compatible proxies and the right tool one can gain unlawful access to data. I'm sure some have been following the news regarding the hacker Gary McKinnon, he would have faced similar protocols. Nothing is impossible, as such the most secure place is not to be connected to any form of intranet or internet. As for secure media.. well you would need to keep it secure and not lose it in public to be safe, although I will admit that it's easier to protect disks than the internet..

True security isn't obtainable, we can only do our best, the rest is human error.
 
SSL is a network encryption, which isn't what I'm talking about - the HDD is encrypted. We do use Secure VPN (I forget which particular software).

The point is that even with all of these security measures, it would still be p1ss easy for me to stick a load of sensitive data on a USB stick and lose it - the employee is the biggest security threat to any company!

Aside from which - all of the govt data breaches (that we know of) haven't been a very clever hacker targeting their systems - it's been some muppet jobsworth losing their laptop / USB stick or sending data through the post. Employees being idiots again.

I agree that no security is 100%, but decent security is good enough to stop the majority of breaches, and not training staff to use proper methods to send data is proving a bigger issue for the govt than electronic security.

Aside from which, even if electronic security is fallible, what would you rather the govt do? Send data through the mail or set up secure servers to transmit data securely, because the bottom line is that data does need to be transferred across long distances somehow - whether it be dept-to-dept, or between companies etc
 
VPNs still use SSL, a VPN is still a type of network.. although it does make things a little different but not impossible
 