UK Gov't Lost Personal Data On 4M People In One Year
An anonymous reader writes "The U.K. government has lost the personal information of up to four million citizens in one year alone.
The astonishing figures, calculated by the BBC, added up as Whitehall departments slowly released their annual reports for the year to April.
And the trend has not stopped — in the latest revelation, HM Revenue & Customs, which infamously lost the details of 25 million child benefits claimants last November on two unencrypted discs, experienced 1,993 data breaches between 1 October last year and 24 June." (More below.)
"Earlier this week, the Ministry of Justice admitted it had lost 45,000 people's details throughout the year, on laptops, external security devices and paper, and that 30,000 of them had not been notified.
Before that, the Home Office announced it had lost the data of 3,000 seasonal agricultural workers on two unencrypted CDs.
In May, the Department for Transport lost the data of three million learner drivers. Other data losses occurred at the Foreign Office, which lost 190 people's data in five incidents.
In January, the Ministry of Defence said it had lost a laptop containing the details of 620,000 recruits and potential recruits, and some information on 450,000 referees for job applicants. The Liberal Democrats have called for 'data guardians' to be appointed to monitor the government's handling of information."
http://news.bbc.co.uk/1/hi/uk_politics/7575989.stm
Encryption nowadays is so damn easy to use. Why don't they?
That is almost 10 breaches a day. That is not a leak. That is a fucking river.
I am reminded of a pretty good saying. "Once is happenstance, twice is coincidence, and three times is enemy action". With data breaches this prevalent there need to be investigations, firings, and serious consequences for all involved. At least fire everybody in charge at once.
The magnitude of this crisis clearly indicates that the state urgently requires expanded powers and broader scope of co-operation with private sector stakeholders in order to secure these sensitive records.
Utterly, utterly, wrongheaded; but just plausible enough to work...
How do you propose that they "prove competence"? As far as I can tell, that seems to be what's happening: some organizations have proved their competence; others, such as this, have failed.
Granted, information distribution isn't exactly new, however the method and/or media used to transfer the information is/has changed, and is being increasingly adopted, so they all have to figure it out.
Besides, I don't think it's "humanly" possible to transport this amount of information with absolutely no spillage at all.
That said, I'm not really making excuses, as even 4 Million is much larger than it should be, that's what, 6 to 7% of the population? That's basically epidemic, and is certainly pandemic given that the UK isn't the only one.
It's Government incompetence: constant changes in policy, meaningless targets and, most critically, the replacement of the most senior civil servants, whose pensions and knighthoods depend on not fucking up, with a bunch of consultants on short term (typically 5 year) contracts.
This is the government that wants to have us give us our biometric data, impose the use of id cards and keep DNA records on us all.
Bad analogies are like waxing a monkey with a rainbow.
No laptops, CDs, memory sticks, USB drives. Just a dumb terminal. That way the data can live in a secure data center. Until you piss off some rowdy geriatric mainframe hackers.
Most of the civil servants are probably happy that they have managed to drag and drop a few files to the USB stick. They probably don't even know what encryption is.
Timo's Audio Software http://www.esseraudio.com
The UK has all but handed over the handling of citizens data to lowest bidder IT companies.
I've experienced this first hand. I worked in a hospital where total access to everything on the hospital's network was available without even typing in a password if you used certain machines which were 'configured for ease of use'. You'd think those machines weren't reachable by members of the public, or externally, but you'd be wrong.
They aren't unique either.
A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
Our government hates freedom. Its desire to turn society into a perfect little machine to optimise a bunch of meaningless metrics leaves no room for free will, or dissent from the middle-class, middle-of-the-road lifestyle that we are supposed to lead.
There is no priority for this government than maintaining the status quo, at any cost. Our internet connections must be monitored, our lives recorded in minute detail, our rights before the law curtailed, just so the City can continue to gamble people's pensions and walk home rich whatever happens.
I hate my own country.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
One suggestion would be to
Sure it is. You need proper procedures and regulations. Sure, if you put it on a laptop or memory-stick, and let your employees carry it around without any oversight, accidents will happen. But if you treat the information as valuables, all will be fine. Money-transports don't usually go around losing money.
The trouble is that there is no real accountability for losing data. If someone loses 4 million euros, they know somebody will be pretty unhappy. But losing the private records of 400 people, which given today's identity-theft-plagued society could easily result in damages of 4 million euros, is somehow not taken as seriously.
During the employment screening process, have popup ads appear on a screen during the personality/background info/aptitude test. If the applicant clicks on one, a trap door in the floor opens and flushes them back out on to the street.
Me too, I was reading a story on El Reg the other day that asserted 29m (25m being the child benefit agency CD) - can't find it now, of course, but stumbled over this instead. No wait! here it is. Non-Brits may not be aware that this morning's lead story on the Beeb (radio and web) was the loss of an unencrypted flash stick with details of all current guests of Her Majesty's pleasure by PA Consulting. Not quite sure how the tabloids will whip up a "think of the children" angle on it, but I'm sure they will. It's great they've been picking up on these stories, but typical that they've not worked out that the answer isn't "hire more clueful contractors", but "don't have the data in the first place" (at all if possible, but if really needed - obviously child benefit records and lists of prisoners are in the "essential" category - never allow records to be pulled onto client systems. And really drill it into people that they should flag up naughty behaviour they come across - ie., inculcate a security culture. That's the trickiest bit.
Everything I needed to know about life, I learnt from Blake's Seven
No it doesn't you OSS junkie.
You spat out that long paragraph of "Free the Panda's", but encryption, plug-ins, and OSS or not, this wouldn't solve the problem, the main problem here, is data LOSS, as in "whoops, I dropped it down the drain" (stolen/lost laptops, CDs, USBs, etc) about half of the data was encrypted, which means that there is probably a 75% chance (random pseudo-statistic) that the information is secure, but that has nothing to do with the fact that they lost all that data, although identity theft is a factor, this is mostly about "What the fuck do we know now?"... re-acquiring a lot of that information could take months, sometimes years, and in other cases never happen at all.
Yes, the various networks need better security, but they also need to stop letting Bob and Diane take their work to the cafe when they have sensitive data.
The govt. also lost 25 million Child benefit records. Though it's possible/likely that there were some duplicates in all this - given that the UK population is "only" 61 million, that's still nearly half the people who live in the UK have had some personal data lost by the government.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I don't hate my country, but I do dislike those aspects of the private school and class system which causes the people in power to be conformist and inward looking, and ready to believe any snake oil salesman in a Boateng suit. People mock Prince Charles, but at least he is prepared to get into trouble by listening to independent experts and then asking questions about the status quo and the desirability of corporatism. The Government appoints independent experts, and then when their conclusions conflict with those of the editors of tabloid newspapers, or McKinsey, they reject them. The inevitable result is pissed off staff and managerial incompetence. As one of my bosses used to say about organisations like McKinsey, when did you last hear of a great world manager? Taylorism takes no account of leadership, which is what gives morale and a sense of direction to organisations. And the only way to bring in things like data security is to bring back a spirit of public service - which means leadership.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Sure it is. the government (any government) produces thousands of times this amount of covert data each year. Whether it's surveillance, foreign intelligence or simply military planning information.
The point is, that almost none of this sort of stuff - the info that governments really care about - gets into the wrong hands. If they considered the loss of personal data to be important, they could easily stop all leakages except those done maliciously
Data guardians? Who guards the guardians?
The data guards the data guardians. Simply put all their personal info in there, including credit card numbers, and suddenly the guardians will be Nazis about keeping it safe.
True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
You *know* a country's going to the dogs when it suddenly creates a Department of Justice and puts a Muppet in charge of it. A semantic point - they didn't *lose* the data, they put it in the public domain through incompetence when the data should have been kept private.
almost none of this sort of stuff - the info that governments really care about - gets into the wrong hands
I wouldn't be so sure. From today's news: "Confidential records [...] on tens of thousands of the country's most prolific criminals have been lost in a major breach of data security [...] Scotland Yard is investigating the loss of the information, which was taken from the Police National Computer and entrusted by the Home Office to a private consultancy firm"
And, how do you know covert data is never lost if you wouldn't even get news it was collected in the first place?
Dawkins Revisited: A person is shit's way of making more shit -- Steve Barnett, anthropologist.
Currently, if you log off of Slashdot, and go to the front page, you get to see a picture of "Little Hitler", a two year old dressed up to look like Hitler. What in the hell is wrong with Slashdot. There isn't even a story to go with it, just the freaking picture. Posted in the idle section, of course.
Has the management of Slashdot put their head so far up their ass that they have oxygen deprivation in the brain?
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
It's all well and good to poke fun at the British Government for their consistent negligence. But the only reason this is being reported is because of the data protection laws in the UK - which basically means that if you lose someone's data, there is someone going to come down hard on you and that they have the legal capacity to do it.
Data protection, however, is not ubiquitous - so before railing hard on these guys, ask yourself if you're protected and is there someone looking after your interests? If not, then your data could be being lost on a daily basis without you ever having any knowledge of it - and with no recourse even if you did.
Genesis 1:32 And God typed
I'm still trying to figure this 4 million figure out. The child benefit leak alone lost personal details relating to 25 million people, and that was in October 2007 so still comfortably within a year of today. There have since been numerous other leaks, with anywhere from a few hundred to many thousand people involved. Much of the information has been highly sensitive: not just names and addresses, but classified national security information, information about criminal records, information about people applying for sensitive jobs and who has been asked to vouch for them, etc.
This whole affair is somewhat ironic for me. I have long argued against the database state and national ID cards on the basis that not only do such measures present obvious civil liberties concerns and potential for abuse, but more seriously they will be operated primarily by bored, low-paid civil servants who type thousands of names, address and so on every day into software developed by a government and contractors with a near 100% record of project failure, making accidental mistakes (which will inevitably require vastly disproportionate effort by the victim to fix) a much bigger danger to the average citizen than malicious attacks. I am reassured that the media and thus the public are finally starting to realise this. Better late than never!
Incidentally, as a point of general interest, there are now more than 61 million people living in the UK. According to statistics released yesterday by the ONS, the count is rising by about 1 million every three years, due partly to long-term migration, and partly to an increase in child birth (much of which is due to earlier migrants starting to have children).
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
There is no point fining the government in these circumstances, because when they lose almost half the population's details, those people just pay themselves and everyone else effectively gets fined. I didn't vote for the b*****ds in the first place, and neither did most other people, so I would consider such a fine to be rather unethical on several counts!
IMHO, the only effective response in cases like this is personal liability: someone in charge has to have personal consequences that directly and seriously affect them in the event of a breach. I'm not necessarily talking about jail time or million pound fines for accidental breaches, but something equivalent to barring them from holding any public office, or in the private sector from acting as a company director, for a significant period of time would seem appropriate. Deliberate breaches are a different matter, and I have no problem with major fines or jail time for anyone who deliberately and maliciously abuses access to personal information. Data protection is a serious issue, identity theft is one of the fastest growing crimes there is and also one that is deeply unpleasant and inconvenient for the victim, and it's about time our legal system stopped treating it like a minor misdemeanour.
I believe there should also be a law requiring that any government procedure that can compel a citizen to provide information and/or money or other material goods must come with a corresponding appeal procedure that provides for correcting errors quickly, easily and at no cost to the victim, under judicial oversight, and again with direct personal penalties for anyone responsible for setting up a system that gets things wrong without making adequate provision for correcting the inevitable mistakes.
Bottom line: heads have to roll at high levels before anything will change. As long as anyone who screws up still gets to go to work tomorrow and hide behind corporate responsibility or crown immunity, nothing will change.
You sure seem to have a lot of faith in laws.
The reason they are not more careful with the data is they don't have to be. The government isn't hurt when it loses your data. They aren't even hurt when they lose your money. I forget what State it is now but they had people's SSN numbers up on one of their web sites plain as day.
Government bureaucrats are NEVER accountable for anything (even if they did lose 4 million euros). The best you can do is sue the branch of government and then they will pay that with YOUR tax money.
The real solution is to not collect the information in the first place. Yes, I am really implying that government does not need to know who you are and deal in every aspect of your life.. and that would require a lot fewer bureaucrats around too.
Bringing liberty to the masses. - http://freetalklive.com/
... you'd think that they could lose my 1099 forms. But no.....
Have gnu, will travel.
If you are a tyrannical government attempting to introduce (force) the use of ID cards then this is how you manipulate the public into accepting them. "Losing" the data can easily be organised, but informing the public over and over again is what the media do.
Join the British National Party