In UK, 12M Taxpayers Lost With USB Stick

← Back to Stories (view on slashdot.org)

In UK, 12M Taxpayers Lost With USB Stick

Posted by kdawson on Sunday November 2, 2008 @11:08PM from the and-your-little-data-too dept.

An anonymous reader tips a piece from the UK's Daily Mail that recounts another sad tale of the careless loss of massive amounts of private user data. "Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details. The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets. An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost."

24 of 258 comments (clear)

Min score:

Reason:

Sort:

How it came to be lost? by Guido+del+Confuso · 2008-11-02 23:10 · Score: 5, Insightful

I've got a better question. I'd like to know how this memory stick came to be in the first place!
Putting aside the question of whether such a database of private information has any reason to exist, what possible excuse is there for putting the information to access that database on a portable USB device? It was not a question of if such a device would be lost, but when.
Good security policy demands redundancy for just this reason. A verification system should require--at the very least--a combination of something you know (your personal pin), and something you have (for example, a SecurID or in this case, a USB key with the passcodes on it). That way, if the physical token is lost, security isn't immediately compromised.
This kind of careless attitude towards security wouldn't fly in the corporate world. It's only because it's the government doing it that security is so lax. After all, nobody's job is on the line over this. It's next to impossible to fire a government employee in most countries, epic incompetence--or even outright misconduct--notwithstanding. So expect to see more of this, because there's no incentive to change.
1. Re:How it came to be lost? by MrMr · 2008-11-02 23:19 · Score: 5, Insightful
  
  Sorry to disappoint you, but the careless attitude appears to be entirely that of the 'corporate world'. Oversight of the subjects has long been a privatised matter in the UK.
2. Re:How it came to be lost? by FourthAge · 2008-11-03 00:15 · Score: 2, Insightful
  
  I'm not convinced about the credentials of their "security expert". Sounds like more of a "scare story expert". Quoting the article:
  He said: 'We have to hope that there are not more of these out there. This is potentially the most serious data loss this country has seen in recent times... Not only would a fraudster be able to take personal details using the tools provided on the lost memory stick, but the extent of the information contained in the source code would allow a hacker to access the Government Gateway's payment systems and even divert tax money into private bank accounts.
  I hope none of you are using Linux, because I have the source code, and that means I can hack your system and steal all your money.
  Does the Mail have a gallery of these "experts" on standby to give a comment as required for the scare of the day... "Experts say that nobody knows how many paedophiles are molesting your children at this very moment!" "Experts say you could be knifecrimed by a chav today!" "Experts say that Russell Brand might be prank-calling your grandfather RIGHT NOW."
  
  --
  The tao of democracy: the government you can vote for is not the real government.
3. Re:How it came to be lost? by KGIII · 2008-11-03 00:43 · Score: 4, Insightful
  
  This is the one of the few types of story on /. where people aren't clamoring to say that information needs to be free or that it wants to be. Alas, I must agree with you. That would have been much funnier.
  
  --
  "So long and thanks for all the fish."
4. Re:How it came to be lost? by Dan541 · 2008-11-03 00:57 · Score: 4, Insightful
  
  The Industry standard is unencypted.
  
  --
  An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
5. Re:How it came to be lost? by Anonymous Coward · 2008-11-03 01:40 · Score: 1, Insightful
  
  "This kind of careless attitude towards security wouldn't fly in the corporate world."
  That was so funny I accidentally snorted my coffee.
  I'm a systems analyst, in "the corporate world". Business "professionals" lose stuff like this all the time. We're constantly chasing down corporate buffoons that save their passwords in their Google and Yahoo accounts, USB drives, or on my personal favorite security breach, the sticky note.
6. Re:How it came to be lost? by asc99c · 2008-11-03 01:43 · Score: 2, Insightful
  
  Does the Mail have a gallery of these "experts" on standby to give a comment as required for the scare of the day...
  From that comment, I'd assume you've never read the Daily Mail. But then you seem to have a list of their recent headlines.
  Oh I see, you *think* you're being sarcastic!
7. Re:How it came to be lost? by sgbett · 2008-11-03 02:14 · Score: 3, Insightful
  
  It's insecure because the default user response to this kind of 'security' is to affix said passwords to screen using a post-it note.
  Admittedly, that isn't the system itself being insecure per se...
  
  --
  Invaders must die
8. Re:How it came to be lost? by HungryHobo · 2008-11-03 02:22 · Score: 2, Insightful
  
  The corporate world is just as bad. Hell it was a private company which screwed up on this one.
  Get this through your head:
  "corporate" does not equal "competent".
  "Government" does not equal "incompetent"
  They are both quite capable of both and both tend towards incompetent.
9. Re:How it came to be lost? by electrictroy · 2008-11-03 06:40 · Score: 2, Insightful
  
  P.S.
  Time to start demanding Account numbers *separate* from your social security number. That helps minimize the damage to a minor loss of personal info at megacorp.com, rather than a loss of national identity (someone else pretending to be you with your stolen SS number).
  
  --
  The government is not your daddy. Its purpose is not to raid middle-class neighbors' wallets and give it to you.
Forget how it was lost. by N1AK · 2008-11-02 23:11 · Score: 4, Insightful

"An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost." I dont particularily care how it was lost, people will always manage to lose things and expecting otherwise is very niave. What I really want to know is how the hell that much sensitive data was doing on a USB stick in the first place.
Bet by Sasayaki · 2008-11-02 23:22 · Score: 5, Insightful

I will bet $100 AUD (Or about 50 UK pounds) that there will be absolutely no jailtime served by anyone involved in the loss of this data, with the possible exception of the poor soul who found it.
Not the first time it's happened by far, and it certainly won't be the last... would you trust a surveillance society that can't even keep track of its own inventory?

--
Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
1. Re:Bet by jimicus · 2008-11-02 23:50 · Score: 4, Insightful
  
  I will bet $100 AUD (Or about 50 UK pounds) that there will be absolutely no jailtime served by anyone involved in the loss of this data, with the possible exception of the poor soul who found it.
  After the number of high-profile security breaches, the number of well-meaning people who have been treated as suspects by the police and the willingness of the media to pay for such stories, it seems that the only sensible thing to do is very quietly hand it over to a journalist.
2. Re:Bet by robably · 2008-11-03 00:29 · Score: 4, Insightful
  
  would you trust a surveillance society that can't even keep track of its own inventory?
  There isn't supposed to be any trust in a surveillance society - that's the whole reason for the surveillance.
Lost data by Anonymous Coward · 2008-11-02 23:24 · Score: 1, Insightful

What, again?
At the same time, the government wants us to let them to store personal details of all citizens in the interest of national security.
The unknown by TheP4st · 2008-11-02 23:40 · Score: 4, Insightful

This USB stick with sensitive/valuable data got returned and appropriate actions could be taken to minimize damage. But the number of incidents like this we've seen lately raise the question how many other lost USB sticks and other storage media with passwords, personal data etc that are floating around unknown to the people whose integrity and personal finances quite possibly are at stake.

--
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
Re:bet carried by Anonymous Coward · 2008-11-03 00:00 · Score: 1, Insightful

Your libertarianism is showing - it was a private entity that lost the data.
Surveillance Society by MrKaos · 2008-11-03 00:17 · Score: 4, Insightful

For a government that collects so much surveillance on their citizens you would expect an outcry for some accountability when private data is lost.

--
My ism, it's full of beliefs.
1. Re:Surveillance Society by Sasayaki · 2008-11-03 00:23 · Score: 4, Insightful
  
  Silly citizen. The rules apply to you, not us.
  
  --
  Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
Re:Same old same old... by prefect42 · 2008-11-03 00:33 · Score: 3, Insightful

To an extent it's just because that's what sells papers. There are always kids being stabbed and planes crashing and data being lost. It's just if kids being stabbed becomes a hot topic, you print more stories on stabbed kids.
I really don't think much has changed, but the Mail is keen to point out that the world is ending, and it's probably Johnny Foreigner's fault.

--
jh
Why was the stick needed? by Jeppe+Salvesen · 2008-11-03 00:55 · Score: 4, Insightful

I have witnessed how strict, inflexible security rules force people to break the security in order to get their job done.

--
Stop the brainwash
Re:How many angels can dance on the head of a pin? by cbiltcliffe · 2008-11-03 02:42 · Score: 2, Insightful

The way I read it, there was no information about taxpayers on the USB stick itself.
But there was authentication and access information about the citizen/taxpayer database, which is probably accessible over the Internet, with the correct VPN credentials, etc.
It was these VPN credentials and passwords that was on the USB stick.
Imagine the average user who writes their password on a post-it and sticks it to the bottom of their keyboard.
Now make that post-it into a giant animated billboard in Times Square, and you've kind of got the idea.
(No cars. Fsck. My analogy sucks!!)

--
"City hall" in German is "Rathaus" Kinda explains a few things......
Re:'Passcodes' not data by Bert64 · 2008-11-03 03:10 · Score: 2, Insightful

I carry a memory stick attached to my key ring, which includes encrypted copies of SSH and PGP keys, the passphrase to decrypt them is memorised...
Anyone who stole it would be more interested in stealing the car for which the key is on the same ring, or breaking into the house using the keys and stealing stuff...
Or they could just take the unencrypted episodes of tv shows from the usb key.

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Re:Same old same old... by Candid88 · 2008-11-03 03:53 · Score: 3, Insightful

That's what reading a "newspaper" like the Daily Mail will do to you. If you read tomorrow's copy you'll find out it's all 100% due to immigrants, the EU and Gordon Brown (who "according to a source", was seen carrying out the stabbings himself).
In reality though, looking at the police stats, there's actually only been a single 14 year-old (and no one younger) who's been murdered this year in the UK. There was a clump of teen stabbings in London at the start of the year but this has reversed to actually being slightly below average over the year.
The murder rate in the UK currently stands at 1.4 per 100,000 which is only about 1/4 the US murder rate of 5.5 per 100,000 (which itself is extremely low by historical standards).
So clearly the actual statistics and reality aren't coming out in the media. My problem with this is that it's pretty hard for a rational and correct solution to be engineered when everyone's being told irrational scare stories everyday by newspapers with a clear finnancially vested interest in exaggerating facts.