In UK, 12M Taxpayers Lost With USB Stick

An anonymous reader tips a piece from the UK's Daily Mail that recounts another sad tale of the careless loss of massive amounts of private user data. "Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details. The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets. An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost."

Re:How it came to be lost?

[saintm]

> This kind of careless attitude towards security wouldn't fly in the corporate world. It's only because it's the government doing it that security is so lax.

It was a private company, Atos Origin, which lost the data.

Suggestion for the new Beta Index page

We need a -dailymail option, currently I am having to use -notthebest, which isn't quite right. It does not adequately cover the feeling of anger and disappointment, nor the small amount of bile that leaps from my stomach to my mouth, at the sight of a Daily Mail article on the Slashdot homepage.

I know it's bad to regard an article as an utter fabrication, just because of where it originated. But in this case we must make an exception, because every other article the Daily Mail has ever printed has been a half-truth or outright lie.

FFS, this is the 'newspaper' that bitched about the number of Jews immigrating to Britain in the late 30's. They're not called the Daily Hate for no reason.

This sums up the Daily Mail, from the perspective of your average-Brit-with-a-clue. Seriously, please do not consider the Daily Mail as a reliable source, of anything. Ever.

Re:How it came to be lost?

[jeroen94704]

I used to work for Atos Origin (Although this was in the Netherlands, not the UK). In my experience, their insight into how security works is absolutely abysmal. When I worked there, it was no problem to reset someone else's password without their knowledge with a simple call to the help-desk.

At a later stage, they introduced a new 'lost-password' procedure for the intranet site which was positively retarded. In essence, when creating an account, you were required to enter three passwords. One of these was the actual password used to enter the site. When you had forgotten your password, you were then required to enter the other two passwords in order to reset the first one.

This was obviously intended as an implementation of the well-known "question-only-you-know-the-answer-to" challenge-response idea. The way it was done though (you had to enter both the 'answer' AND the 'question', and both were displayed as asterisks) rendered the whole system completely useless.

When I pointed this out to the helpdesk, they assured me the whole procedure was approved by very knowledgeable people, and very secure. Besides, there was absolutely no way for them to submit any problem reports to the developers responsible.