In UK, 12M Taxpayers Lost With USB Stick
An anonymous reader tips a piece from the UK's Daily Mail that recounts another sad tale of the careless loss of massive amounts of private user data. "Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details. The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets. An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost."
I've got a better question. I'd like to know how this memory stick came to be in the first place!
Putting aside the question of whether such a database of private information has any reason to exist, what possible excuse is there for putting the information to access that database on a portable USB device? It was not a question of if such a device would be lost, but when.
Good security policy demands redundancy for just this reason. A verification system should require--at the very least--a combination of something you know (your personal PIN), and something you have (for example, a SecurID or in this case, a USB key with the passcodes on it). That way, if the physical token is lost, security isn't immediately compromised.
This kind of careless attitude towards security wouldn't fly in the corporate world. It's only because it's the government doing it that security is so lax. After all, nobody's job is on the line over this. It's next to impossible to fire a government employee in most countries, epic incompetence--or even outright misconduct--notwithstanding. So expect to see more of this, because there's no incentive to change.
"An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost." I dont particularily care how it was lost, people will always manage to lose things and expecting otherwise is very niave. What I really want to know is how the hell that much sensitive data was doing on a USB stick in the first place.
I will bet $100 AUD (Or about 50 UK pounds) that there will be absolutely no jailtime served by anyone involved in the loss of this data, with the possible exception of the poor soul who found it.
Not the first time it's happened by far, and it certainly won't be the last... would you trust a surveillance society that can't even keep track of its own inventory?
I'm sure regular Slashdot readers have seen something involving misplaced private information and the UK government more than enough times...this is almost as bad as a dupe.
Damn...that's quite a lot of people to go missing.
This USB stick with sensitive/valuable data got returned and appropriate actions could be taken to minimize damage. But the number of incidents like this we've seen lately raises the question of how many other lost USB sticks and other storage media with passwords, personal data etc. are floating around unknown to the people whose integrity and personal finances quite possibly are at stake.
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
Annual reports from Whitehall departments show that the government has lost all data it ever held on anyone.
Losses have occurred through couriered unencrypted disks, misplaced memory sticks, lost laptops, briefcases left on trains and files falling down the side of the tea machine. "The real scandal is that a train was running for them to lose a case on," said a source whose name has been lost.
Treasury minister Jane Kennedy said the HM Revenue and Customs breaches did not necessarily result in data losses, or at least any that they have records of. HMRC said it takes data losses and security breaches "very seriously" and thoroughly investigates any breach that it does not lose track of.
Information Commissioner Richard Thomas has served enforcement notices on various departments for their data losses, but the departments in question could not find their office addresses to accept the notices. They noted, however, that Mr Thomas' call was very important to them, and that he had been placed in a queue.
Home Secretary Jacqui Smith reassured citizens that plans for an all-encompassing ID card linked to biometric passports and a universal medical record with the NHS would not change because of these losses. "We won't even be thinking about them."
http://rocknerd.co.uk
If they could lose taxpayers just like that, these idiots would be a lot more careful, wouldn't they? Perhaps that's the way to solve this problem: If you lose my data, then I don't pay taxes for a year.
Why is it that whenever something like this gets *found*, the person doing the finding always understands what's on it? If any of my typical pub-going friends and relatives found this the chances of them realising what is on it is pretty slim, and it would most likely get formatted.
How many other memory sticks get lost and found by people that don't realise what is on them, or why is it that every memory stick found is always found by an IT literate with the know-how to work out what they contain and the immediate urge to sell their story to a tabloid ...
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
Britain's a joke. I've been living there for most of the last year and barely a week seems to have gone by without a 12-14 year old kid getting stabbed or a large batch of confidential personal data going missing from some government department or other.
It's unbelievable. When are they going to get their shit together???
(Before anyone gets too narky, I'm British - I just haven't lived there for nearly 25 years).
Work and Pensions Secretary James Purnell leaves red box secrets on train
Interesting things to note:
Check out the Daily Mail's front (web) page. If you can get past the bile, hate, bias, bitterness and sensationalism, ask yourself: does this publication actually have any credibility?
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
In these days of the intertubes, why do government departments even need such a massive amount of data on a physical medium? Why not transfer data from one location to the next by a dedicated encrypted net connection?
I'll see your hokum and raise you a boondoggle.
For a government that collects so much surveillance on their citizens you would expect an outcry for some accountability when private data is lost.
My ism, it's full of beliefs.
At the same time, the government wants us to let them store personal details of all citizens in the interest of national security.
I'm hoping that all these USB sticks are lost on purpose, in an underground campaign to show how careless the government is with our personal details, thereby increasing mistrust and fueling public backlash against a surveillance state.
We need a -dailymail option, currently I am having to use -notthebest, which isn't quite right. It does not adequately cover the feeling of anger and disappointment, nor the small amount of bile that leaps from my stomach to my mouth, at the sight of a Daily Mail article on the Slashdot homepage.
I know it's bad to regard an article as an utter fabrication, just because of where it originated. But in this case we must make an exception, because every other article the Daily Mail has ever printed has been a half-truth or outright lie.
FFS, this is the 'newspaper' that bitched about the number of Jews immigrating to Britain in the late 30's. They're not called the Daily Hate for no reason.
This sums up the Daily Mail, from the perspective of your average-Brit-with-a-clue. Seriously, please do not consider the Daily Mail as a reliable source, of anything. Ever.
Gordon Brown has made a frank admission that government cannot promise the safety of personal data entrusted by the public. The Prime Minister was speaking hours after it emerged that a memory stick containing the passwords to a government website used to submit online tax returns had been lost.
Even more worrying considering government rhetoric on the £20bn ID cards they want:
From 2010, the government will target young people to get an identity card on a voluntary basis "to assist them in proving their identity as they start their independent life in society", with full roll-out to all British citizens starting from 2011. "The government are kidding themselves if they think ID cards for foreign nationals will protect against illegal immigration or terrorism - since they don't apply to those coming here for less than three months. "ID cards are an expensive white elephant that risk making us less - not more - safe. It is high time the government scrapped this ill-fated project." The Liberal Democrats said the cards' "fancy design" did not detract from the fact that they remained an intrusion into people's liberty. Chris Huhne, the party's home affairs spokesman, said: "It does not matter how fancy the design of ID cards is, they remain a grotesque intrusion on the liberty of the British people. "The government is using vulnerable members of our society, like foreign nationals who do not have the vote, as guinea pigs for a deeply unpopular and unworkable policy. When voting adults are forced to carry ID cards, this scheme will prove to be a laminated poll tax."
And from the government mouthpiece the BBC:
SNP Home Affairs spokesman Pete Wishart MP said his party had opposed ID cards from the outset but the government's "abysmal record on data protection" was reason enough to cancel them. He said the government looked "absurd" for pushing ahead with such a costly project. "These cards will not make our communities more secure, they will not reduce the terrorist threat and they will not make public services more efficient," said Mr Wishart. Phil Booth, head of the national No2ID campaign group, attacked the roll-out of the cards as a "softening-up exercise". "The Home Office is trying to salami slice the population to get this scheme going in any way they can," Mr Booth told the BBC. "Once they get some people to take the card it becomes a self-fulfilling prophecy. "The volume of foreign nationals involved is minuscule so it won't do anything to tackle illegal immigration."
Take Nobody's Word For It.
I'm afraid the solution is roughly as follows, in a simple step by step guide
Worked for Nelson, anyway.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I have witnessed how strict, inflexible security rules force people to break the security in order to get their job done.
Stop the brainwash
This sounds like typical hyperbole in a Slashdot summary based on a typical Daily Mail scare article. Try reading a more balanced report from the Beeb.
If you follow that link, you will find that the data was all encrypted, and the memory stick should never have been removed from the contractor's premises. According to the official statements, security was never compromised (though access to the government service's web interface was temporarily suspended). And it's not some nasty central database to spy on everyone, it's a useful system that allows you to do things like filing your tax return on-line rather than messing around with lots of paperwork — one of the few IT projects our government actually seems to have got right!
This was just one guy working for a contractor who screwed up by not following protocol, and assuming the data really was properly encrypted, the security procedures have done their job to mitigate the damage. There is nothing to see here. Please move along, and spend your time worrying about the numerous cases where data really has been compromised and the numerous databases that really don't need to exist.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The way I read it, there was no information about taxpayers on the USB stick itself.
But there was authentication and access information about the citizen/taxpayer database, which is probably accessible over the Internet, with the correct VPN credentials, etc.
It was these VPN credentials and passwords that were on the USB stick.
Imagine the average user who writes their password on a post-it and sticks it to the bottom of their keyboard.
Now make that post-it into a giant animated billboard in Times Square, and you've kind of got the idea.
(No cars. Fsck. My analogy sucks!!)
"City hall" in German is "Rathaus" Kinda explains a few things......
I carry a memory stick attached to my key ring, which includes encrypted copies of SSH and PGP keys, the passphrase to decrypt them is memorised...
Anyone who stole it would be more interested in stealing the car for which the key is on the same ring, or breaking into the house using the keys and stealing stuff...
Or they could just take the unencrypted episodes of TV shows from the USB key.
Crap, sorry mod me down :-(
I need to learn to read all the way to the end of the story. Looks like, for some reason, some guy at the company named Daniel Harrington was keeping a USB stick full of passwords, security notes, and source code.
As others have pointed out, it was passcodes on the USB stick not 12 million people's records.
However, you can now get 64Gb USB sticks, which should be enough to hold that many records.
(It also comes with TrueCrypt)
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.