UK Gov't Lost Personal Data On 4M People In One Year
An anonymous reader writes "The U.K. government has lost the personal information of up to four million citizens in one year alone.
The astonishing figures, calculated by the BBC, added up as Whitehall departments slowly released their annual reports for the year to April.
And the trend has not stopped — in the latest revelation, HM Revenue & Customs, which infamously lost the details of 25 million child benefits claimants last November on two unencrypted discs, experienced 1,993 data breaches between 1 October last year and 24 June." (More below.)
"Earlier this week, the Ministry of Justice admitted it had lost 45,000 people's details throughout the year, on laptops, external security devices and paper, and that 30,000 of them had not been notified.
Before that, the Home Office announced it had lost the data of 3,000 seasonal agricultural workers on two unencrypted CDs.
In May, the Department for Transport lost the data of three million learner drivers. Other data losses occurred at the Foreign Office, which lost 190 people's data in five incidents.
In January, the Ministry of Defence said it had lost a laptop containing the details of 620,000 recruits and potential recruits, and some information on 450,000 referees for job applicants. The Liberal Democrats have called for 'data guardians' to be appointed to monitor the government's handling of information."
http://news.bbc.co.uk/1/hi/uk_politics/7575989.stm
That's quite impressive, I assumed it was a much larger figure given all the stories. Mind you, that's just an estimate, so it probably is a larger figure. I do wish that people entrusted with this type of data, and any other type to be honest, would have to prove competence to be trusted with it.
Encryption nowadays is so damn easy to use. Why don't they?
That is almost 10 breaches a day. That is not a leak. That is a fucking river.
I am reminded of a pretty good saying. "Once is happenstance, twice is coincidence, and three times is enemy action". With data breaches this prevalent there needs to be investigations, firings, and serious consequences for all involved. At least fire everybody in charge at once.
I think we can trust the government with an all powerful, all knowing national ID database hooked up to a slightly psychotic artificial intelligence now.
The magnitude of this crisis clearly indicates that the state urgently requires expanded powers and broader scope of co-operation with private sector stakeholders in order to secure these sensitive records.
Utterly, utterly, wrongheaded; but just plausible enough to work...
So they lost 4M people...who's that...Mike, Mary, Marcus, Mahew....there...4M people. Thank you gents for not telling me to jog on.
It's Government incompetence: constant changes in policy, meaningless targets and, most critically, the replacement of the most senior civil servants, whose pensions and knighthoods depend on not fucking up, with a bunch of consultants on short term (typically 5 year) contracts.
This is the government that wants to have us give our biometric data, impose the use of id cards and keep DNA records on us all.
Bad analogies are like waxing a monkey with a rainbow.
If memory serves, don't most drives have the capability in the spec to password protect the drive?
No laptops, CDs, memory sticks, USB drives. Just a dumb terminal. That way the data can live in a secure data center. Until you piss off some rowdy geriatric mainframe hackers.
Most of the civil servants are probably happy that they have managed to drag and drop a few files to the USB stick. They probably don't even know what encryption is.
Timo's Audio Software http://www.esseraudio.com
The UK has all but handed over the handling of citizens data to lowest bidder IT companies.
I've experienced this first hand. I worked in a hospital where total access to everything on the hospital's network was available without even typing in a password if you used certain machines which were 'configured for ease of use'. You'd think those machines weren't reachable by members of the public, or externally, but you'd be wrong.
They aren't unique either.
A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
Our government hates freedom. Its desire to turn society into a perfect little machine to optimise a bunch of meaningless metrics leaves no room for free will, or dissent from the middle-class, middle-of-the-road lifestyle that we are supposed to lead.
There is no priority for this government other than maintaining the status quo, at any cost. Our internet connections must be monitored, our lives recorded in minute detail, our rights before the law curtailed, just so the City can continue to gamble people's pensions and walk home rich whatever happens.
I hate my own country.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Home Office contractor loses entire prison population
I'm sorry if I haven't offended anyone
During the employment screening process, have popup ads appear on a screen during the personality/background info/aptitude test. If the applicant clicks on one, a trap door in the floor opens and flushes them back out on to the street.
This is a good thing, right?
I always give false names and information on government forms just to protect myself against this kind of data loss. ;-)
----------------------------------- My Other Sig Is Hilarious -----------------------------------
The government haven't 'lost' the data; to have done that they would have to be in a situation where they did not have the data anymore. What they have done is lost media carrying copies of the data meaning that the data is potentially in the public domain or in the hands of someone who will misuse it.
I actually find it reassuring that all this data is apparently so freely available. It would be much more sinister if it were only available to a secret, select few. Publish the lot I say.
They still have the data. It has not been lost. Leaked or exposed would be much better verbs to use.
[Intentionally left blank]
and THEN I might be willing to consider their ID enforcement scam...
No accountability, then no agreement.
Yes I expect to be murdered for not glorifying authority,
in the totalitarian state we are accommodating on our countries.
This is one area in which FLOSS software has a major opportunity to grow. With open protocols and standards you could set up a system where applications, per default, store and communicate information securely. At present things like encryption and mandatory access control are hard to implement, and worse, difficult to get people to use. If you on the other hand had a standardised system for tagging and encrypting sensitive documents, then you could make it significantly easier to set a policy to use those techniques. Rather than trying to educate everybody on things like package sniffing you could have a standard interface for accessing and manipulating sensitive documents, and it could be implemented as plugins for your word processor, web browser, e-mail client, etc... Of course, for this to work you would need to make it policy that sensitive documents are only to be manipulated and handled using software that implements the standard, which is why it needs to be open for it to work. The moment you start having to deal with multiple proprietary solutions and interaction between them you are stuffed.
Since when was:
25 million (child benefit records) + a positive value of X 25 million?
The 'up to' 4 million headline is WAY off.
Seriously, how many people in total have been affected by this? I don't mean "well, Johnny has had his stuff lost 500,000 times total, so it's only 3½ million" - just how many people have been affected, including the redundant ones?
The CIA World Factbook says the UK has a population of 60,943,912 (July 2008 est.) people. In just one year, 6 percent of the total population have been affected by this. That's an insane number!
If that percentage is applicable to the US, that's 18 million people. In the EU it would be almost 30 million!
I suggest we have new laws and regulations put in place with regards to this:
1) Any attempt to cover up losses will result in fines equalling 10$ and 1 day in jail (to be served end to end) per person affected for ALL people involved in the cover up, from regular employee to directors, CEOs, bureaucrats and politicians.
2) Any time there is a breach involving negligence (i.e. not someone physically breaking into the building and running off with the equipment), the people involved from employee to directors, CEOs, bureaucrats and politicians will have ALL their data posted in every newspaper in the state they live in. Relevant data of course - if "all" that was lost was SSNs and their names, then that's posted. If it's bank statements then it'll be that.
Yes, 10$ and 1 day in jail doesn't sound like much for your data. But it's rarely only one person affected. Mostly it's counted in thousands. The average from the article is 2,007 people, meaning a 20,000 dollar fine and 54 years in jail. The smallest incident is "190 people in 5 incidents". That'd be a small fine - 380 dollars, but still 38 days in jail for each incident. Not something to scoff at.
We do not live in the 21st century. We live in the 20 second century.
Data guardians? Who guards the guardians?
Sadly, it's almost impossible for leaks not to happen - it's almost like a law of database entropy.
Perhaps this is an argument against centralisation of such vast amounts of data in the first place?
The govt. also lost 25 million Child benefit records. Though it's possible/likely that there were some duplicates in all this - given that the UK population is "only" 61 million, that's still nearly half the people who live in the UK have had some personal data lost by the government.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I don't hate my country, but I do dislike those aspects of the private school and class system which cause the people in power to be conformist and inward looking, and ready to believe any snake oil salesman in a Boateng suit. People mock Prince Charles, but at least he is prepared to get into trouble by listening to independent experts and then asking questions about the status quo and the desirability of corporatism. The Government appoints independent experts, and then when their conclusions conflict with those of the editors of tabloid newspapers, or McKinsey, they reject them. The inevitable result is pissed off staff and managerial incompetence. As one of my bosses used to say about organisations like McKinsey, when did you last hear of a great world manager? Taylorism takes no account of leadership, which is what gives morale and a sense of direction to organisations. And the only way to bring in things like data security is to bring back a spirit of public service - which means leadership.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Sure it is. The government (any government) produces thousands of times this amount of covert data each year. Whether it's surveillance, foreign intelligence or simply military planning information.
The point is, that almost none of this sort of stuff - the info that governments really care about - gets into the wrong hands. If they considered the loss of personal data to be important, they could easily stop all leakages except those done maliciously.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
You *know* a country's going to the dogs when it suddenly creates a Department of Justice and puts a Muppet in charge of it. A semantic point - they didn't *lose* the data, they put it in the public domain through incompetence when the data should have been kept private.
almost none of this sort of stuff - the info that governments really care about - gets into the wrong hands
I wouldn't be so sure. From today's news: "Confidential records [...] on tens of thousands of the country's most prolific criminals have been lost in a major breach of data security [...] Scotland Yard is investigating the loss of the information, which was taken from the Police National Computer and entrusted by the Home Office to a private consultancy firm"
And, how do you know covert data is never lost if you wouldn't even get news it was collected in the first place?
Dawkins Revisited: A person is shit's way of making more shit -- Steve Barnett, anthropologist.
Those bureaucrats are quite obviously too incompetent to protect us against "terrorism". Who's going to protect us against the bureaucrats?
Currently, if you log off of Slashdot, and go to the front page, you get to see a picture of "Little Hitler", a two year old dressed up to look like Hitler. What in the hell is wrong with Slashdot. There isn't even a story to go with it, just the freaking picture. Posted in the idle section, of course.
Has the management of Slashdot put their head so far up their ass that they have oxygen deprivation in the brain?
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
so that's 56 m to go ...
It's all well and good to poke fun at the British Government for their consistent negligence. But the only reason this is being reported is because of the data protection laws in the UK - which basically means that if you lose someone's data, there is someone going to come down hard on you and that they have the legal capacity to do it.
Data protection, however, is not ubiquitous - so before railing hard on these guys, ask yourself if you're protected and is there someone looking after your interests? If not, then your data could be being lost on a daily basis without you ever having any knowledge of it - and with no recourse even if you did.
Genesis 1:32 And God typed
It's always handy to have an elder sibling of the male gender.
"Kill 'em all and let Root sort 'em out"
They lost all the details of their prisoners.
"The British government has admitted that a contractor lost a memory device containing information on every prison inmate in England and Wales.
The Home Office said a contractor lost the memory stick, containing the names and dates of birth of 84,000 inmates - England and Wales' entire prison population."
I'm still trying to figure this 4 million figure out. The child benefit leak alone lost personal details relating to 25 million people, and that was in October 2007 so still comfortably within a year of today. There have since been numerous other leaks, with anywhere from a few hundred to many thousand people involved. Much of the information has been highly sensitive: not just names and addresses, but classified national security information, information about criminal records, information about people applying for sensitive jobs and who has been asked to vouch for them, etc.
This whole affair is somewhat ironic for me. I have long argued against the database state and national ID cards on the basis that not only do such measures present obvious civil liberties concerns and potential for abuse, but more seriously they will be operated primarily by bored, low-paid civil servants who type thousands of names, addresses and so on every day into software developed by a government and contractors with a near 100% record of project failure, making accidental mistakes (which will inevitably require vastly disproportionate effort by the victim to fix) a much bigger danger to the average citizen than malicious attacks. I am reassured that the media and thus the public are finally starting to realise this. Better late than never!
Incidentally, as a point of general interest, there are now more than 61 million people living in the UK. According to statistics released yesterday by the ONS, the count is rising by about 1 million every three years, due partly to long-term migration, and partly to an increase in child birth (much of which is due to earlier migrants starting to have children).
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The losses are large and improvements need to be made.
I believe the good thing that can be reflected upon is that the departments are made to disclose this loss data. If they weren't nobody would know the scale and nobody would be pressing for solutions.
I think this has to do with their big brother mentality where they think they, like Google, should save all the data of people passing by a camera for any length of time, indefinitely.
All movements are recorded, then logged with algorithms to link one db to another, and then whoops, someone forgot to do an SQL injection check and the info is stolen.
I wish the isle of dr.moreau had taught us better
If you want the truly lazy evil solution, the government could reclassify all the data that it collects on people as open public documents and try to post it publicly ASAP. This everyone would believe would be the lazy incompetent solution, but on the bright side it's actually easy to implement though it might not currently be legal. The big benefit to the government is that they can then say that they have no further problems with data breaches since it's all open public data anyway. ;)
For even your most evil governments, that'd work great for everything except military R&D/production type data. Heck, you might as well make all your military personnel records open public documents as well.
You'd then have the problem of trying to hide people/data in plain sight/seas of data.
Data breaches are more nuanced than the sensational numbers in a story like this would suggest. Data breach announcements and notices have a scalability problem. As the number of announcements and notices soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach claims, announcements and notices, many of which are insignificant. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html
Benjamin Wright, Dallas, Texas, benjaminwright.us
I suspect hackers aren't that interested in wading through all that COBOL, DD, OS/360 and 9-track tapes.
Does the Panopticon still work, even if it's a result of unintentionally building a prison so shoddy that one of the walls fell down?
Guess we'll find out.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
As always a broken system / systemic incompetence shows that as soon as the cost is spread over the masses of regular citizens (as in "quite poor"), nobody above will bother thinking that something is going wrong. Steal £1000 from a big company and "individual freedom" is at risk.
Well, various politicians need to put on a show of caring about privacy, for one thing.
For another, it strikes me that your application should not expose any information, except as part of the well-defined UI.
Just because you cannot connect the dots and do anything nefarious does not preclude a gang of thugs in Zambiniland from unsavory acts.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
... you'd think that they could lose my 1099 forms. But no.....
Have gnu, will travel.
For another, it strikes me that your application should not expose any information, except as part of the well-defined UI. Just because you cannot connect the dots and do anything nefarious does not preclude a gang of thugs in Zambiniland from unsavory acts.
Pretending that some information is confidential when it isn't is a far greater security threat than a bug in an application. That is the reason for the mess with the social security numbers and it also results in smart people using moronic phrases like 'identity theft'.
If you are a tyrannical government attempting to introduce (force) the use of ID cards then this is how you manipulate the public into accepting them. "Losing" the data can easily be organised, but informing the public over and over again is what the media do.
Join the British National Party
a far greater security threat than a bug in an application
Wouldn't dispute that a false sense of security is worse than no security at all.
The reason for the mess with SSNs is that the Federal government under FDR was as safe as Dick Cheney with a loaded firearm:
http://www.amazon.com/Forgotten-Man-History-Great-Depression/dp/0060936428/ref=sr_1_1?ie=UTF8&s=books&qid=1219261467&sr=8-1
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
I liked this line from the comments:
But the differences between Fisher and Keynes seem small when compared to the differences between the policymakers and both economists. In physics, it would be like watching an academic debate over the meaning of quantum mechanics while policymakers are unable to grasp the simple concept of gravity.
... maybe.
http://rocknerd.co.uk
Excellent.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear