In UK, 12M Taxpayers Lost With USB Stick
An anonymous reader tips a piece from the UK's Daily Mail that recounts another sad tale of the careless loss of massive amounts of private user data. "Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details. The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets. An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost."
I've got a better question. I'd like to know how this memory stick came to be in the first place!
Putting aside the question of whether such a database of private information has any reason to exist, what possible excuse is there for putting the information to access that database on a portable USB device? It was not a question of if such a device would be lost, but when.
Good security policy demands redundancy for just this reason. A verification system should require--at the very least--a combination of something you know (your personal pin), and something you have (for example, a SecurID or in this case, a USB key with the passcodes on it). That way, if the physical token is lost, security isn't immediately compromised.
This kind of careless attitude towards security wouldn't fly in the corporate world. It's only because it's the government doing it that security is so lax. After all, nobody's job is on the line over this. It's next to impossible to fire a government employee in most countries, epic incompetence--or even outright misconduct--notwithstanding. So expect to see more of this, because there's no incentive to change.
"An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost." I don't particularly care how it was lost, people will always manage to lose things and expecting otherwise is very naive. What I really want to know is what the hell that much sensitive data was doing on a USB stick in the first place.
I will bet $100 AUD (or about 50 UK pounds) that there will be absolutely no jail time served by anyone involved in the loss of this data, with the possible exception of the poor soul who found it.
Not the first time it's happened by far, and it certainly won't be the last... would you trust a surveillance society that can't even keep track of its own inventory?
Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
What, again?
At the same time, the government wants us to let them to store personal details of all citizens in the interest of national security.
taking their work home with them. This is a consequence of such a thing. Companies are even more worried about projects being lost this way, with 64GB USB sticks out now and what not. Makes you think that they should put a move onto implementing all data systems that encrypts/decrypts data only upon it syncing with a central system via an authorized route PLUS a user password ahead of time. Because once there is a malicious user within the framework, encryption alone won't stop them from selling off massive amounts of info with the 1TB+ sticks they'll have in a few years time.
Might as well hawk this while we're talking about taxes:
http://www.apttax.com/
I'm sure regular Slashdot readers have seen something involving misplaced private information and the UK government more than enough times...this is almost as bad as a dupe.
agreed. this'll just disappear as soon as the tabloids find something new to focus on.
and no, this breach of security wouldn't fly in the corporate world. Everywhere I've worked in the last 4 years has operated a USB lockdown policy, and a "non-writable" optical drive on the desktop.
I know the average Slashdotter could get round re-enabling the mass-storage USB class with their eyes closed, but these are government and public sector companies we are talking about, who couldn't find their arse with both hands.
Unfortunately, they somehow got to the position of running the country....
the brain drain continues....
Damn...that's quite a lot of people to go missing.
This USB stick with sensitive/valuable data got returned and appropriate actions could be taken to minimize damage. But the number of incidents like this we've seen lately raises the question of how many other lost USB sticks and other storage media with passwords, personal data etc. are floating around unknown to the people whose integrity and personal finances quite possibly are at stake.
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
Annual reports from Whitehall departments show that the government has lost all data it ever held on anyone.
Losses have occurred through couriered unencrypted disks, misplaced memory sticks, lost laptops, briefcases left on trains and files falling down the side of the tea machine. "The real scandal is that a train was running for them to lose a case on," said a source whose name has been lost.
Treasury minister Jane Kennedy said the HM Revenue and Customs breaches did not necessarily result in data losses, or at least any that they have records of. HMRC said it takes data losses and security breaches "very seriously" and thoroughly investigates any breach that it does not lose track of.
Information Commissioner Richard Thomas has served enforcement notices on various departments for their data losses, but the departments in question could not find their office addresses to accept the notices. They noted, however, that Mr Thomas' call was very important to them, and that he had been placed in a queue.
Home Secretary Jacqui Smith reassured citizens that plans for an all-encompassing ID card linked to biometric passports and a universal medical record with the NHS would not change because of these losses. "We won't even be thinking about them."
http://rocknerd.co.uk
If they could lose taxpayers just like that, these idiots would be a lot more careful, wouldn't they? Perhaps that's the way to solve this problem: If you lose my data, then I don't pay taxes for a year.
Why is it that whenever something like this gets *found*, the person doing the finding always understands what's on it? If any of my typical pub-going friends and relatives found this, the chances of them realising what is on it are pretty slim, and it would most likely get formatted.
How many other memory sticks get lost and found by people that don't realise what is on them, or why is it that every memory stick found is always found by an IT literate with the know how to work out what they contain and the immediate urge to sell their story to a tabloid ...
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
Britain's a joke. I've been living there for most of the last year and barely a week seems to have gone by without a 12-14 year old kid getting stabbed or a large batch of confidential personal data going missing from some government department or other.
It's unbelievable. When are they going to get their shit together???
(Before anyone gets too narky, I'm British - I just haven't lived there for nearly 25 years).
Work and Pensions Secretary James Purnell leaves red box secrets on train
Interesting things to note:
If there are so many losses of data that wend their way to the Press, how many losses are there that find their way to criminal hands? I assume that if one were connected to the underworld, it would be more lucrative?
The screenshot in the article shows bookmarks, one of which is called 'doggahs'. What does it mean?
Check out the Daily Mail's front (web) page. If you can get past the bile, hate, bias, bitterness and sensationalism, ask yourself: does this publication actually have any credibility?
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Congratulations to whomever left it there. Like most leaks, this one was almost certainly completely intentional, by a disgruntled employee. Sometimes they're official - I worked in a minor civil service position and we'd "leak" information all the time, usually in the form of rumours, to shape public opinion. It works :-).
In these days of the intertubes, why do government departments even need such a massive amount of data on a physical medium? Why not transfer data from one location to the next by a dedicated encrypted net connection?
I'll see your hokum and raise you a boondoggle.
For a government that collects so much surveillance on their citizens you would expect an outcry for some accountability when private data is lost.
My ism, it's full of beliefs.
...In Westminster that counts the days since the last moronic data breach. Looks like it will have to go back to zero. Good thing it only ever needs 2 digits.
I say we impose heavy fines on all UK government departments that have lost data. Wait a minute...maybe we'll just have to create corporal discomfort using USB sticks instead.
On y va, qui mal y pense!
But 12M taxpayers take up quite a lot of room. How on earth can you lose that many people?
"It doesn't cost enough, and it makes too much sense."
We need a -dailymail option, currently I am having to use -notthebest, which isn't quite right. It does not adequately cover the feeling of anger and disappointment, nor the small amount of bile that leaps from my stomach to my mouth, at the sight of a Daily Mail article on the Slashdot homepage.
I know it's bad to regard an article as an utter fabrication, just because of where it originated. But in this case we must make an exception, because every other article the Daily Mail has ever printed has been a half-truth or outright lie.
FFS, this is the 'newspaper' that bitched about the number of Jews immigrating to Britain in the late 30's. They're not called the Daily Hate for no reason.
This sums up the Daily Mail, from the perspective of your average-Brit-with-a-clue. Seriously, please do not consider the Daily Mail as a reliable source, of anything. Ever.
I don't particularly care how it was lost, people will always manage to lose things and expecting otherwise is very naive.
Quite true ... was this one the only one they lost?
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Gordon Brown has made a frank admission that government cannot promise the safety of personal data entrusted by the public. The Prime Minister was speaking hours after it emerged that a memory stick containing the passwords to a government website used to submit online tax returns had been lost.
Even more worrying considering government rhetoric on the £20bn ID cards they want:
From 2010, the government will target young people to get an identity card on a voluntary basis "to assist them in proving their identity as they start their independent life in society", with full roll-out to all British citizens starting from 2011. "The government are kidding themselves if they think ID cards for foreign nationals will protect against illegal immigration or terrorism - since they don't apply to those coming here for less than three months. "ID cards are an expensive white elephant that risk making us less - not more - safe. It is high time the government scrapped this ill-fated project." The Liberal Democrats said the cards' "fancy design" did not detract from the fact that they remained an intrusion into people's liberty. Chris Huhne, the party's home affairs spokesman, said: "It does not matter how fancy the design of ID cards is, they remain a grotesque intrusion on the liberty of the British people. "The government is using vulnerable members of our society, like foreign nationals who do not have the vote, as guinea pigs for a deeply unpopular and unworkable policy. When voting adults are forced to carry ID cards, this scheme will prove to be a laminated poll tax."
And from the government mouthpiece the BBC:
SNP Home Affairs spokesman Pete Wishart MP said his party had opposed ID cards from the outset but the government's "abysmal record on data protection" was reason enough to cancel them. He said the government looked "absurd" for pushing ahead with such a costly project. "These cards will not make our communities more secure, they will not reduce the terrorist threat and they will not make public services more efficient," said Mr Wishart. Phil Booth, head of the national No2ID campaign group, attacked the roll-out of the cards as a "softening-up exercise". "The Home Office is trying to salami slice the population to get this scheme going in any way they can," Mr Booth told the BBC. "Once they get some people to take the card it becomes a self-fulfilling prophecy. "The volume of foreign nationals involved is minuscule so it won't do anything to tackle illegal immigration."
Take Nobody's Word For It.
I think the fact is that data can be lost by corporate or government entities, and where there is an opportunity or, better yet, a will, it will almost always happen. Even the most perfect system will always have the most imperfect cog, the user. The how may help us better protect future information, but the issue is that the information is out there and can almost never be retrieved.
I love it when people say that so far "nothing bad has happened" or "the lost info isn't clear text" or something similar. They are, at best, doing a probability and risk analysis or worst no clue what they are talking about. Unfortunately, I think it makes people feel better when they hear that, and forget that... your data is still out there forever!
But I think nowadays data breaches are far worse when they have something to do with the government, as it usually holds more very private and static data than any single corporation. It worries me that countries like the US and UK want to aggregate and collect so much information in one place. It's just a gold mine waiting to be picked, and no amount of local or international laws is going to stop someone from trying. And the problem is, it only takes one, ONE person to breach the security and that data snapshot in time is forever out in the wild.
I'm afraid the solution is roughly as follows, in a simple step by step guide
Worked for Nelson, anyway.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I have witnessed how strict, inflexible security rules force people to break the security in order to get their job done.
Stop the brainwash
Coming to a .torrent near you!
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
That's because what we REALLY want to know is how you fit 12 million taxpayers on a USB stick... This is the modern version of "How many angels can dance on the head of a pin?" meets "Honey, I shrunk the kids!"
"12M Taxpayers Lost With USB Stick" - or did they lose both a USB stick AND 12 million taxpayers? That must be one heck of a recession.
Or is it "M" as in metric measurement, so that taxpayers who are taller than 12 meters/metres got lost? If so, they should check with the circus or the Guinness Book of World Records. How DO you "lose" anyone who's almost 40 feet tall, anyway?
FTFS, what was lost was not data, but some kind of 'passcode':
The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets.
My guess is that the stick contained either a file containing some passwords (bad idea), or, more likely, some sort of private key file.
All y'all harping on the people for doing this, let me ask you this: How many of you carry your SSH, SSL, PGP, or other private keys on your memory stick? Yeah, ok, kettles!
My blog
...when they made a similar mistake back in July.
(For non-UK readers, the Guardian is a well-known s*cialist newspaper; the Daily Mail emphatically isn't, and there's a long-running difference of opinion between those two papers; so there was a strong sense of Schadenfreude in the Guardian article)
Oh, how convenient: a theory about God that doesn't involve looking through a telescope.
Our government are idiots. Is this just the labour party, or England in general? See that's the problem. And on the topic of ID cards or whatever, that's another problem with this country. Gordon Brown is watching you masturbate. What's the nearest country I can run to? (preferably outside of the European union as well)
This sounds like typical hyperbole in a Slashdot summary based on a typical Daily Mail scare article. Try reading a more balanced report from the Beeb.
If you follow that link, you will find that the data was all encrypted, and the memory stick should never have been removed from the contractor's premises. According to the official statements, security was never compromised (though access to the government service's web interface was temporarily suspended). And it's not some nasty central database to spy on everyone, it's a useful system that allows you to do things like filing your tax return on-line rather than messing around with lots of paperwork — one of the few IT projects our government actually seems to have got right!
This was just one guy working for a contractor who screwed up by not following protocol, and assuming the data really was properly encrypted, the security procedures have done their job to mitigate the damage. There is nothing to see here. Please move along, and spend your time worrying about the numerous cases where data really has been compromised and the numerous databases that really don't need to exist.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Requiem for the American Dream
Apparently.
Why does a system that spans everything from parking tickets to tax information exist in the first place?? If information is power, that's rather a lot of power to focus in one point of failure. It was a disaster waiting to happen.
I'm no security expert, but aren't passwords meant to be hashed on collection? Why did plaintext passwords need to be stored at all?
Gordon Brown has made a frank admission that government cannot promise the safety of personal data entrusted by the public.
The British Taxpayers association has made a frank admission that the taxpayers CANNOT guarantee that income & VAT taxes would be paid by its 1.8 million members.
...that the cards would allow people to "easily and securely prove their identity".
"We want to be able to prevent those here illegally from benefiting from the privileges of Britain," she said
The British Citizens Association is proposing a "compulsorily voluntary" ID card for public servants and MPs starting from January 1, 2009. The president of the association has stated "...this is to prevent brain-damaged MPs and low IQ civil servants from grabbing power, and to ensure the safety and security of all citizens against illegal elections." He further stated that the cards would be a bright pink, with a large 24-point number indicating the holder's IQ score.
All campaign advertisements should carry the image of the card to enable citizens to make an "informed" judgement about the person standing in election.
"This is to prevent the riff-raff and the dumb people from being elected.", he said.
"Doing what i can, with what i have." ~ Burt Gummer
Not happy with leaking like a sieve, let's remember they have lost data over this year on multiple occasions, and the Government is about to sneakily put in motion the whole biometric ID system so they can lose it too. Furthermore, what really enrages me is their attitude, and especially Gordon Brown saying "It is a human error, those kind of mistakes happen", which is just unacceptable; any CIO would have lost his job if this had happened at a corporation.
It's a freaking memory stick... bout the size of a pack of Wrigley's gum... If it were the size of a suitcase it wouldn't have fallen out of a pocket... There's your solution... Gov't systems now have special jacks that only allow data to be transferred to suitcase sized storage mediums... I'm surprised they don't have a proprietary form of transfer medium anyways.
flinging poop since 1969
that the heinous terrorist responsible for finding the stick and returning it is in custody.
Losing a USB stick in a car park is nowhere near as cool as the old days of losing a station wagon full of tapes. But would be even better is losing a station wagon full of tapes at a car park.
Abusive use of electronics with no public oversight.
Electronic Voting
Electronic Banking
Electronic Identity
Electronic Crowd Control
Electronic Surveillance
Throw these fuckers out of their offices. It's the only way.
Crap, sorry mod me down :-(
I need to learn to read all the way to the end of the story. Looks like, for some reason, some guy at the company named Daniel Harrington was keeping a USB stick full of passwords, security notes, and source code.
Now...I didn't RTFA, but how did they manage to fit 12M people into a flash drive?
At first I just assumed that they had lost personal data on 12M people...but damn. Actually losing 12M people? Irresponsible.
The stick held passwords that gave access to the data.
It's not about them losing keys to such important private data. It's about them having it in the first place. I don't think I should be obligated to give abusable information to an idiot third party who, before giving it to them, I know is eventually going to lose it. Then the more important question comes.... why the hell do we have data that is so easily abusable? There is an inherent lack of security throughout this whole system.
The member stick just contained a text file grocery list.
Just by chance the government was in the habit of picking passwords like:
eggs
shampoo
bread
for high security systems since no one could remember kwf7dDk@a!4n
I see the racists are getting the hang of full stops and capital letters now. It's almost grammatical - well done.
I had a customer (I work IT at a university) come up the other day with a massive spyware infection on his laptop saying, "Hey, is it a problem that I've got people's personal data on here? SSNs, financial information, etc..".
Same thing. Why the hell does everyone keep personal data on portable devices/storage media that leave a fairly secured environment. This sort of stuff should never be on secondary storage outside of a secured server.
That being said....
An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost.
...Easily solved.
1) Guy who works for gov't gets off work.
2) Guy goes to pub for a beer.
3) Guy inadvertently drops flash drive out of pocket while drunkenly grabbing car keys in parking lot.
4) Gov't finds stick and freaks right the fuck out.
5) ???
6) Profit.
12M Taxpayers Lost With USB Stick
I know this concept has been theorized, but I wasn't aware that current tech actually allows fitting 12,000 people on a USB flash drive! Most impressive compression technology.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
Because they were careless idiots?
Suggestion: make them CRIMINAL careless idiots. Fine the possessor a HUGE fine. And the person who gave it to him a HUGE fine.
And use that fine money to create a whistleblower / reward system: Anyone who turns in a memory stick, hard drive, PC, or laptop with citizen or taxpayer information (which is supposed to be secured) gets a HUGE reward (far more than the stick or PC or even the personal information could be worth).
Yes, this will create a whole lot of thieves, but hey, that's okay too. If it's secured, they can't steal it, right? If it's encrypted, it doesn't matter if they did, right?
Or ... just give up this silliness about ANYTHING in your life, your communications, your financial history being private. Because it isn't, you know; it's probably already been compromised a dozen times over.
Oh, by the way ... check out this neat flash drive. Found it sticking out of some guy's laptop when he got up to get a cup of coffee. Couldn't hide the laptop, but the flash drive was easy :-) Want it? Twenty bucks, it's yours.
Toad
Real men don't back up anything, they let the world mirror it.
Resistance is futile. Reactance buggers it up.
This is the one of the few types of story on /. where people aren't clamoring to say that information needs to be free or that it wants to be. Alas, I must agree with you. That would have been much funnier.
Information wants to be free just as nature abhors a vacuum.
If a vacuum exists, it takes effort and energy to keep it present, otherwise matter rushes in to fill it. In the same way if you have a "place" where information exists and where it does not exist, it takes effort and energy to prevent the information from spreading to those places where it is not yet known.
Once you create information it can become difficult to keep it contained.
This is why it is better to not have these types of databases: if the information is not created in the first place, it cannot be spread.
The same people who say you can't "steal" data because it is still there will gladly say that you can lose it even if it's still there.
The same people have mod points and are willing to abuse them, it seems.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
...and the only reason we're even hearing about it is because a government organisation is suffering the consequences. Rather than often hearing about how governments make this kind of mistake, I'd really like to get a much better idea of how prevalent it is in the corporate world. The unfortunate thing is that there's not much of a mechanism in place to prevent it from being swept under the rug in these cases.
I'd be interested to know whose decision it was to store this data on a memory stick at all, as well as why the passwords were ever stored anywhere (as opposed to a hash of the passwords). My guess is that it was the private company, although you could argue that the government organisation should still be monitoring how its contractors carry out their business.
I currently work for a government department (not US or UK) and we're very security conscious about the data we handle exactly because we know there would be so much scrutiny if and when anything happens. (This may partly be due to certain local legislation which requires government organisations to be relatively open with how they work.) Private companies don't fall under the same microscope.
It was a joke, I'm glad that people discovered for themselves how illogical it was! I probably should have made it more joke-like though.
On y va, qui mal y pense!
"In UK, 12M Taxpayers Lost With USB Stick"
Even in the best case scenario, there were 60M taxpayers in the UK before this catastrophe struck - with only 48M taxpayers left it is difficult to see how the UK is ever going to pull out of the current credit crisis. And how do you go about losing 12M people "with USB stick" anyway - is this a special brand of USB stick that has been planted by aliens to beam people up to the mothership, a locator device of some sort? Oh my god it's Flash Voyager isn't it? I am so screwed when they finally work down the list to my own country . . .
sigs are hazardous to your health
Yeah, I'm sure there are only about 20 people who use this site, but they have about 30 accounts each and spend their time modding themselves up and modding anyone who disagrees with them down.
How will a minority voice ever be heard when you can't even post more than once a day!!
The interoperability problem is the point. It is also less expensive than losing the information in the long run... loss of trust in ones govt is very costly.
flinging poop since 1969
You were modded down because you did not provide any reasoning for your whining opinion.
Clue for you. There's a big difference between confidential data & Britney Spears' latest single. What is it, you ask? One is widely disseminated & one isn't. You fucking retard.
IOW you admit I was right.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck