Slashdot Mirror


UK Gov't Lost Personal Data On 4M People In One Year

An anonymous reader writes "The U.K. government has lost the personal information of up to four million citizens in one year alone. The astonishing figures, calculated by the BBC, added up as Whitehall departments slowly released their annual reports for the year to April. And the trend has not stopped — in the latest revelation, HM Revenue & Customs, which infamously lost the details of 25 million child benefits claimants last November on two unencrypted discs, experienced 1,993 data breaches between 1 October last year and 24 June. Earlier this week, the Ministry of Justice admitted it had lost 45,000 people's details throughout the year, on laptops, external security devices and paper, and that 30,000 of them had not been notified. Before that, the Home Office announced it had lost the data of 3,000 seasonal agricultural workers on two unencrypted CDs. In May, the Department for Transport lost the data of three million learner drivers. Other data losses occurred at the Foreign Office, which lost 190 people's data in five incidents. In January, the Ministry of Defence said it had lost a laptop containing the details of 620,000 recruits and potential recruits, and some information on 450,000 referees for job applicants. The Liberal Democrats have called for 'data guardians' to be appointed to monitor the government's handling of information."

6 of 163 comments

  1. Re:Stupidity or Malice? by smittyoneeach · Score: 5, Insightful

    How about minimizing the amount of individual data collected?
    In the US, the Fed could leave to the states a vast swath of functions currently bogging down DC, making everyone more secure in a variety of ways.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  2. Back to dumb terminals by Tyrannicalposter · Score: 5, Insightful

    No laptops, CDs, memory sticks, USB drives. Just a dumb terminal. That way the data can live in a secure data center. Until you piss off some rowdy geriatric mainframe hackers.

  3. Re:Another USB stick has gone missing by FyRE666 · Score: 5, Funny

    Well obviously if those 4 million people have nothing to hide, then there's nothing to worry about, right?

  4. Re:4000000? by joto · Score: 5, Interesting

    How do you propose that they "prove competence",

    One suggestion would be to

    1. Make legislation that outlines procedures for handling privacy data that will be mandatory to follow
    2. Make everyone handling privacy data require a certificate that proves they are licensed to do so
    3. Make it illegal for someone to hire an unlicensed person to handle privacy data
    4. Make it mandatory to document whatever you do to privacy data in paper documents or electronic equivalents
    5. Enable a government bureau to periodically control these documents to see that procedures are followed
    6. And also to periodically do other kinds of tests, to test security procedures, e.g. "social engineering tests"

    Besides, I don't think it's "humanly" possible to transport this amount of information with absolutely no spillage at all.

    Sure it is. You need proper procedures and regulations. Sure, if you put it on a laptop or memory-stick, and let your employees carry it around without any oversight, accidents will happen. But if you treat the information as valuables, all will be fine. Money-transports don't usually go around losing money.

    The trouble is that there is no real accountability for losing data. If someone loses 4 million euros, they know somebody will be pretty unhappy. But losing the private records of 400 people, which given today's identity-theft-plagued society could easily result in damages of 4 million euros, is somehow not taken as seriously.

  5. YOU'VE WON AN XBOX 360! by Anonymous Coward · Score: 5, Funny

    During the employment screening process, have popup ads appear on a screen during the personality/background info/aptitude test. If the applicant clicks on one, a trap door in the floor opens and flushes them back out on to the street.

  6. Re:Stupidity or Malice? by EdIII · Score: 5, Insightful

    That's the sort of stupid, over-the-top thinking which will likely cause much, much bigger problems. So even if a director is doing an excellent job he should be fired because some guy lost a USB stick which is most probably behind the back of some filing cabinet?

    No offense, which I am not sure goes both ways here, but your statement is the one that is a little naive and uninformed. The person responsible is the CIO, or director if you will. If you are going to have computers, databases, and information processing in any organization you need a CIO and an IT department. It is the responsibility of those people to create and enforce sensible data handling policies and to comply with any governmental regulations governing that data. Now CIO may not be the proper term, but I am sure there must be some sort of department that deals with this. There usually is, and if not, then the UK's problems are a lot bigger than I thought.

    Your assertion that I am stupid, or that my recommendation to fire the CIO is stupid, is just inflammatory and does not support your position that these people should escape unscathed.

    This is not the loss of a single USB stick, but rather the pervasive problem of data loss throughout the entire government of the UK. As I stated, that is about 10 incidents per day. The CIO (or equivalent) is wholly responsible. After the first couple of incidents, the CIO should have taken action through the implementation of security and data handling technology and policies.

    I realize it's popular these days to always blame everything on those "incompetent" people in charge of governments. But a little rationality is required.

    Whether or not it is popular to blame the government for problems is irrelevant here. The government is responsible for safeguarding the data and it failed, and it is a spectacular failure at that. Blame is required here, and in fact, the lack of blame here would be as bad as the problem itself. Your claim that it is irrational to assign blame to those responsible is astonishingly irrational in and of itself.

    Despite all these "data breaches" there is yet to be any evidence of misuse of this data. That doesn't mean it's OK, but to claim it's some sort of "disaster" is a little over the top.

    You really must be kidding here. You are not serious, are you? This is a huge disaster. You are attempting to downplay the potential for harm here, while completely ignoring the massive scope and scale of the problem. Evidence of any consequences has nothing to do with the problem itself. My reaction is not unique, and to say it is over the top indicates an indifference and apathy on your part to the problem itself.

    There needs to be a review of all the policies and laws pertaining to the handling of sensitive data like this. This is a big deal considering its scale, and the "directors" do need to be removed and policies have to be created with consequences for failure.

    Otherwise, as you seem to be suggesting, we just give them a slap on the wrists and say, "naughty little directors! You little buggers :) Do better or next time we might get more serious". Why would you want to treat this lightly and keep the same people, responsible for such widespread breaches, in their positions?