Slashdot Mirror

← Back to Stories (view on slashdot.org)

In UK, 12M Taxpayers Lost With USB Stick

Posted by kdawson on from the and-your-little-data-too dept.

An anonymous reader tips a piece from the UK's Daily Mail that recounts another sad tale of the careless loss of massive amounts of private user data. "Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details. The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets. An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost."

10 of 258 comments (clear)

  1. How it came to be lost? by Guido+del+Confuso · · Score: 5, Insightful

    I've got a better question. I'd like to know how this memory stick came to be in the first place!

    Putting aside the question of whether such a database of private information has any reason to exist, what possible excuse is there for putting the information to access that database on a portable USB device? It was not a question of if such a device would be lost, but when.

    Good security policy demands redundancy for just this reason. A verification system should require--at the very least--a combination of something you know (your personal pin), and something you have (for example, a SecurID or in this case, a USB key with the passcodes on it). That way, if the physical token is lost, security isn't immediately compromised.

    This kind of careless attitude towards security wouldn't fly in the corporate world. It's only because it's the government doing it that security is so lax. After all, nobody's job is on the line over this. It's next to impossible to fire a government employee in most countries, epic incompetence--or even outright misconduct--notwithstanding. So expect to see more of this, because there's no incentive to change.

    1. Re:How it came to be lost? by MrMr · · Score: 5, Insightful

      Sorry to disappoint you, but the careless attitude appears to be entirely that of the 'corporate world'. Oversight of the subjects has long been a privatised matter in the UK.

    2. Re:How it came to be lost? by saintm · · Score: 5, Informative

      > This kind of careless attitude towards security wouldn't fly in the corporate world. It's only because it's the government doing it that security is so lax.

      It was a private company, Atos Origin, which lost the data.

    3. Re:How it came to be lost? by jeroen94704 · · Score: 5, Informative

      I used to work for Atos Origin (Although this was in the Netherlands, not the UK). In my experience, their insight into how security works is absolutely abysmal. When I worked there, it was no problem to reset someone else's password without their knowledge with a simple call to the help-desk.

      At a later stage, they introduced a new 'lost-password' procedure for the intranet site which was positively retarded. In essence, when creating an account, you were required to enter three passwords. One of these was the actual password used to enter the site. When you had forgotten your password, you were then required to enter the other two passwords in order to reset the first one.

      This was obviously intended as an implementation of the well-known "question-only-you-know-the-answer-to" challenge-response idea. The way it was done though (you had to enter both the 'answer' AND the 'question', and both were displayed as asterisks) rendered the whole system completely useless.

      When I pointed this out to the helpdesk, they assured me the whole procedure was approved by very knowledgeable people, and very secure. Besides, there was absolutely no way for them to submit any problem reports to the developers responsible.

      --
      He who laughs last, thinks slowest.
    4. Re:How it came to be lost? by hedwards · · Score: 5, Funny

      Of course that's very secure. It means that anybody who loses their password is completely unable to log in ever again. That's possibly the most secure way of handling things.

      My only complaint is that they allow users to log in in the first place. Perhaps they could try encasing all the input devices and CPUs in some sort of rigid plastic case. Or better yet fill the power connections with some sort of epoxy.

  2. Bet by Sasayaki · · Score: 5, Insightful

    I will bet $100 AUD (Or about 50 UK pounds) that there will be absolutely no jailtime served by anyone involved in the loss of this data, with the possible exception of the poor soul who found it.

    Not the first time it's happened by far, and it certainly won't be the last... would you trust a surveillance society that can't even keep track of its own inventory?

    --
    Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
  3. UK Government loses all data on everyone by David+Gerard · · Score: 5, Funny

    Annual reports from Whitehall departments show that the government has lost all data it ever held on anyone.

    Losses have occurred through couriered unencrypted disks, misplaced memory sticks, lost laptops, briefcases left on trains and files falling down the side of the tea machine. "The real scandal is that a train was running for them to lose a case on," said a source whose name has been lost.

    Treasury minister Jane Kennedy said the HM Revenue and Customs breaches did not necessarily result in data losses, or at least any that they have records of. HMRC said it takes data losses and security breaches "very seriously" and thoroughly investigates any breach that it does not lose track of.

    Information Commissioner Richard Thomas has served enforcement notices on various departments for their data losses, but the departments in question could not find their office addresses to accept the notices. They noted, however, that Mr Thomas' call was very important to them, and that he had been placed in a queue.

    Home Secretary Jacqui Smith reassured citizens that plans for an all-encompassing ID card linked to biometric passports and a universal medical record with the NHS would not change because of these losses. "We won't even be thinking about them."

    --
    http://rocknerd.co.uk
  4. That would be something! by Anonymous Coward · · Score: 5, Interesting

    If they could lose taxpayers just like that, these idiots would be a lot more careful, wouldn't they? Perhaps that's the way to solve this problem: If you lose my data, then I don't pay taxes for a year.

  5. Re:it's the daily mail - probably rubbish by Weedlekin · · Score: 5, Funny

    "If you can get past the bile, hate, bias, bitterness and sensationalism, ask youself: does this publication actually have any credibility?"

    Once you get past all that, there's no content left in the Daily Mail, so its credibility or otherwise is moot.

    --
    I'm not going to change your sheets again, Mr. Hastings.
  6. Suggestion for the new Beta Index page by Anonymous Coward · · Score: 5, Informative

    We need a -dailymail option, currently I am having to use -notthebest, which isn't quite right. It does not adequately cover the feeling of anger and disappointment, nor the small amount of bile that leaps from my stomach to my mouth, at the sight of a Daily Mail article on the Slashdot homepage.

    I know it's bad to regard an article as an utter fabrication, just because of where it originated. But in this case we must make an exception, because every other article the Daily Mail has ever printed has been a half-truth or outright lie.

    FFS, this is the 'newspaper' that bitched about the number of Jews immigrating to Britain in the late 30's. They're not called the Daily Hate for no reason.

    This sums up the Daily Mail, from the perspective of your average-Brit-with-a-clue. Seriously, please do not consider the Daily Mail as a reliable source, of anything. Ever.