Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Government Staff Caught Snooping On Citizen Data

Posted by samzenpus on from the lets-have-a-look dept.

An anonymous reader writes "More than 1,000 UK government staff have been caught snooping on citizen data — including criminal records, social security, and medical records. From the article: 'The U.K. government is haemorrhaging data — private and confidential citizen data — from medical records to social security details, and even criminal records, according to figures obtained through Freedom of Information requests. Just shy of 1,000 civil servants working at the Department for Work and Pensions (DWP), were disciplined for accessing personal social security records. The Department for Health (DoH), which operates the U.K.’s National Health Service and more importantly all U.K. medical records, saw more than 150 breaches occur over a 13-month period.'"

36 of 120 comments (clear)

  1. Shocker by trout007 · · Score: 5, Insightful

    Give someone access to people's private information and it will be abused. Here I'm giving you this box that contains pure awesomeness. Please don't open it.

    --
    I love Jesus, except for his foreign policy.
    1. Re:Shocker by jimicus · · Score: 3, Informative

      And any half-decent auditing system would catch you very quickly indeed.

      The thing is I'm absolutely sure in my own mind that despite the fact that the means to develop half-decent auditing systems has existed for years, I don't think they're terribly widely deployed. And if they are, I don't think very many organisations have processes in place to make sure that action is taken when the audit blows the whistle on someone.

      This is based mostly on speculation rather than having any hard evidence, though. Would welcome comments from someone who does IT security professionally.

    2. Re:Shocker by Anonymous Coward · · Score: 5, Informative

      Auditing systems only work to stop legitimate users of a database from making inappropriate queries, the database and system administrators, and in most cases network administrators have carte blanche access to anything and everything they are responsible for, and it is always a simple procedure to bypass any audit traps that may be in place.

      Take the example of an Oracle DB on a Unix system, it is a pretty trivial task to make a copy of the entire hard disk (and database contained therein) without leaving a trace of your actions. These systems are both too simple and too complex to prevent access from a lower level of abstraction.

      We put a huge amount of trust in system operators, and there is really no other way. At the end of the day, someone needs lowlevel access to the system to run diagnostics and perform maintenance, even in some security enhanced configuration like IBM AIX or z/OS, there is going to be a hardware maintenance mode, if not accessible by the site admin, it will be accessible by someone at IBM.

    3. Re:Shocker by Theophany · · Score: 2

      I'm pretty sure the vast majority of the data accessed is nothing like a box containing pure awesomeness. In fact, given the people that I see only my daily commute it would be like the Ark of the Covenant, except when you open it pure boredom comes out and melts your face off.

    4. Re:Shocker by niftydude · · Score: 5, Informative

      Not just private information. I used to consult to a roads authority that I'll keep nameless for now.

      They had remote controllable ccd cameras all over the place to keep track of traffic flow etc.

      Whenever I went in, one of the cameras would almost always be pointing at the girl who used to sunbathe in her back yard in a property very close to a major intersection.

      Incredibly creepy.

      --
      You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
    5. Re:Shocker by Sique · · Score: 3, Interesting

      It's pretty easy to overcome audits. Open a trivial case against the person you want to snoop on (littering or something), pull the data, and then close the case with "no further investigation". So everything looks legitimate, and the audit doesn't ring any alarms.

      --
      .sig: Sique *sigh*
    6. Re:Shocker by am+2k · · Score: 2

      And you didn't bother to figure out who it was and tell her? Or file a complaint with management?

      Yeah, he might even have managed to make the superior glare in a very annoying way at the people controlling the camera!

    7. Re:Shocker by Joce640k · · Score: 2

      Don't worry. The government leaves an up-to-date copy of that in the back of random taxi every few months to make sure the scammers don't miss out.

      --
      No sig today...
  2. Re:ugh by TheInternetGuy · · Score: 3

    Ugh? You are aware of what country Obama is president of right?

    --
    If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
  3. "Disciplined" says it all by oobayly · · Score: 5, Insightful

    Just shy of 1,000 civil servants ... were disciplined ...

    WTF, how about sacking these people, they clearly can't be trusted in their position. Better still, make it a criminal offence (if it isn't already) and charge them.

    I worked for the Ordnance Survey in Southampton after Uni. During training we were shown examples of where people had altered maps (someone wrote "HI" in land tiles in the North Sea, and a building was labled "Kate's cradle of filth"). It was explained to us that all work was logged. If caught we would be sacked. If we'd already left, we'd be chased up under the Official Secrets Act.

    Whether it was all a threat, I don't know. But I certainly didn't risk finding out. Neither did any of my friends.

    1. Re:"Disciplined" says it all by Spad · · Score: 5, Insightful

      This is the public sector we're talking about, you can't just fire people for gross misconduct, that would be discriminating against people who violate your policies.

      I have personal experience of this, contracting for an NHS trust where one of the people in my team abused their access to snoop through peoples' emails, documents & web logs to try and find information that they could use to blackmail them into giving them perks & preferential treatment. We caught it within a couple of days and had witnesses and audit logs showing what they'd been doing (they weren't too bright when it came to covering their tracks) and handed the whole lot over to HR.

      It took nearly 3 months before they even suspended him; almost 2 years later they had botched everything so badly that they had to pay this person off to leave quietly and not take them to an employment tribunal.

      That anyone ever gets fired from a public sector role without having broken some pretty major laws is nothing short of a miracle.

  4. Nothing to fear... by yotto · · Score: 5, Insightful

    These people, though, were doing nothing wrong so they have nothing to fear from these unelected civil servants poking through their personal information, right?
     
    ...right?

    --
    Pulp Audio Weekly - Geek News and Reviews
  5. Re:Mrs May you're useless! by mwvdlee · · Score: 2

    Mrs May, you and your departments can piss off if you think you getting any more my info!

    How are you going to stop them?

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  6. Lack of information by abigsmurf · · Score: 5, Interesting

    The problem I have with these figures is that they give no details of the nature of the offences.

    Were these all "I want to find embarrassing data on my ex or a celebrity!"? Were some of them just "staff member legitimately needed to access an account and should've waited for his boss to authorise first".

    How many of them were procedural mistakes and how many were genuine cases of snooping? A high number of the former would paint a very different picture and asks different questions to a higher number of the latter. But then Dispatches is a horribly sensationalist program so I doubt they care.

  7. Fining local authorities is stupid. by Anonymous Coward · · Score: 2, Insightful

    TFA:

    The penalties for a criminal offence go up to £5,000 ($7,900) in a lower magistrates court, or an unlimited fine in a higher Crown court. Some British politicians even called for some extreme data breaches to result in prison sentences — something dismissed by other parliamentary committee members. Rarely does the fine rise to five-figures, let alone six. Only recently, one Scottish local authority was fined £140,000 ($220,000) for five separate data breaches — the highest fine imposed by the courts to date.

    When you fine the government, they just increase taxes. We need some personal accountability here.

    1. Re:Fining local authorities is stupid. by abigsmurf · · Score: 2

      You mean like staff being disciplined?

  8. Like it will just be civil servants... by Coisiche · · Score: 3, Insightful

    The FOI request revealled the number of civil servants who had done it but private enterprise is not subject to that act. The same thing will go on but it will never be publicised.

    And I'm not going to buy any arguments that private enterprise security procedures would prevent it.

  9. 0% procedural, 100% Murdoch by Anonymous Coward · · Score: 5, Insightful

    These are disciplinary actions, not administrative errors. Verbal ticking offs don't get listed. So they'll all real breaches.

    “unauthorised disclosures of official, sensitive, private and/or personal information”,
    I wonder how many of these are civil servants handing data over to Murdoch's newspapers & TV interests, given we know his newspapers even hacked telephones, buying info from civil servants about celebrities and politicians seems extremely likely. I wouldn't be surprised if a large percentage of those leaks were to Murdochs lot.

    But the big revelation is that there are 200,000 civil servants approved to access the databases. That's an insane number! What did they expect, 200,000 possible leak points, the system is designed to leak private data like a sieve.
    Most likely these are only the leaks that CAN BE CLEARLY IDENTIFIED as leaks. I think that's the TIP OF THE ICEBERG, since most of the data leakers would NEVER GET CAUGHT.

  10. England != UK by monktus · · Score: 3, Informative

    If true, this is a Bad Thing (though not terribly surprising). TFS is a bit wrong though. The Department of Health is not responsible for the NHS across the UK, and never has been. It has only ever been responsible for health in England and Wales, with the latter being devolved to the Welsh Assembly in 1999. Arrangements for social services are a little dfferent, but again this isn't necessarily relevant to all of the UK. Not that civil servants in devolved departments are perfect, but this is just another example of the UK stopping at the M25 (don't worry America, it's not just you, the British MSM and Westminster politicians do it all the time).

    --
    Weaseling out of things is important to learn. It's what separates us from the animals... except the weasel."
    1. Re:England != UK by MrMickS · · Score: 2

      If you read the linked article you will see:

      Only recently, one Scottish local authority was fined £140,000 ($220,000) for five separate data breaches — the highest fine imposed by the courts to date.

      Furthermore the summary was quoting the original article, hence the quotation marks, so don't take it out on the summary.

      --
      You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
  11. List of UK data loses by Azarman · · Score: 4, Interesting

    Sadly this will never get the attension it needs, the goverment will keep pushing for a single centrizied database either for the children for under the need to stop terrorisum, even with their track record of data fail. But we are just numbers right so who cares

    WIkilink to list of UK data loses we know about http://en.wikipedia.org/wiki/List_of_UK_government_data_losses
    http://news.bbc.co.uk/1/hi/7103566.stm

    We know the goverment can track cars in real time, intercept sms and phone calls in real time, and after the centerized commications they will be able to cross ref that with your internet habbits. All in one super database to stop terrorisum.

    I wrote to my MP who is a tory, I had a bit of a rant about the Goverment U-turning on this retraining data as it is one of the reasons i personally voted for them. The guy replied but it was like reading BBC news, a sales pitch that was all fluff and no content. It was all about stopping terrorisum it was just pure propaganda to push an ageneder that I personally did not think this MP was even aware of, it just seemed he was given a press release, told this is what he is going to be doing and refusing to look at anything else. The funny thing was I also wrote to my councilers and they also sent him letters along the same lines as mine all to be met with the same reply. Everyone is against this, and MPs are not even listening to their own people to pushing their own agenders.

    L

    1. Re:List of UK data loses by Dominic · · Score: 2

      You realise that absolutely everything the Tories said to get elected was a lie, not just that? Same old Tories.

    2. Re:List of UK data loses by Azarman · · Score: 2

      Yes I do, sadly however it is only recently that I started seeing just how much of our political history is just on repeat. And how little it changes. Example in the 1960-1970s there was an enquiry in to the amount of Freemasons in the met office, and while goggling for some more information I find this, http://www.guardian.co.uk/media/2011/jun/08/phone-hacking-scandal-jonathan-rees I am not some conspiracy nut here there is a direct link between Government and MET office via freemasons lodges. There have also been some freemasons who have become prime minister such as Churchill who was rather proud of this connection (tho his family now state he left the lodges in 1912) and rumours are that Blair is also one. Did you know that 4 weeks before Blair got voted in he joined the world exclusive club of the Bilderbergers in the USA? It was reported at the time but very little of this now remains findable

      Regardless of their ties I don’t think we have had a government in a long time that cares for the people. Labour and Tory both help their friends first or however gives them the most money or the biggest platform to sell their warez from (newsCorpDiggHere) . Anyway if anyone is still reading here is some fun links http://en.wikipedia.org/wiki/Political_scandals_in_the_United_Kingdom funny. Also this has amused me http://en.wikipedia.org/wiki/List_of_Freemasons look how many prime ministers there are all over the world :/

      Truth be told let’s get the Pirate Party going, its working in Germany and Sweden it’s time to merge Labour and Tories in to the same party because they have been for the same party for a while. I think Libdems are cheerleaders and a bad attempt to pull in the younger voters. I think if we could get the younger voters awake then we could start knocking out labour and tories from local MP seats in the next election. My hope is after the recent TPB block the PPUK website got a lot more more views (http://www.reddit.com/r/worldnews/comments/tt26k/as_a_direct_result_of_the_pirate_bay_ban_the/). I beg to god, the Creator, and The man running the matrix, that this is the start of a change that will put a government back in the role of serving the people instead of serving businesses and banks. Because at this rate the government will spend so much money that if I ever have children they will be in the same place I am, paying for debts that the generations before me racked up

      L

  12. Re:ugh by SuricouRaven · · Score: 2

    I've seen greater ignorance. When the government's plans to increase surveilance capability were announced, a lot of people blamed the Queen.

  13. Re:Mrs May you're useless! by coastwalker · · Score: 4, Informative

    I have come to the conclusion that it isn't the politicians that are the problem. Its the Civil Service. Governments are just a passing inconvenience to them, all the policies floated by the last government that were called out as being hated by the people are steadily being re-introduced by the current government. It seems that the reforming Tories in power actually have no power at all. So there is no point ranting at an individual politician because they may as well not be there for all the good it will do.

    --
    Facts are history now plebs have politics for religion on social media.
  14. The arrival of Big Brother, finally ? by Taco+Cowboy · · Score: 5, Insightful

    Many decades ago I read that book "1984", I have to admit that I were scared shitless at the thought of the all-knowing big brothers controlling every single bit of my life.

    But at that time, - decades ago, - even the worst government (East Germany, North Korea, China, Russia, to name just a few) just couldn't have the mean to know everything about every single citizen under their control

    Oh yes, those bastard governments employed a lot of spooks and collected volumes of data, but determined citizens always found ways to defeat even the most draconian measure

    No more

    With the advent of computers and high speed network, not only they (the governments) get to collect all types of data, they can data-mine the data so much so that they can get to understand us more than we understand ourselves

    We might not know where we might go, or what we might do, tomorrow, for example - by simply referencing our daily/weekly/monthly routines, our health data, our financial data, the people that we are in contact with, etc, - the government might be able to predict, with a certain degree of accuracy, what we might do, where we might go, a few days from now

    This is scary !!

    Way more scary than the scenario outlined in "1984"

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:The arrival of Big Brother, finally ? by TheRaven64 · · Score: 5, Interesting

      The Stasi, like the Gestapo, relied on informers. They both worked in a situation where everyone was doing something illegal and an accusation was about all the evidence that was required. If they wanted to intimidate or eliminate someone, they just needed to pressure a neighbour or acquaintance into informing on them. This meant that they were intrinsically limited. Both were relatively small organisations and it would take several weeks of several agents' time to get one person. Their power came from the fear that they generated: everyone knew someone who knew someone who had been arrested on trumped-up charges and never seen again. It was unlikely to happen to you, but it could.

      The problem with this kind of database and monitoring is that it means that any Stasi-like organisation can be run efficiently. Want to eliminate everyone in a certain category of political undesirables? There's an app for that...

      --
      I am TheRaven on Soylent News
  15. Re:ugh by TheRaven64 · · Score: 2

    I blamed the queen for signing the RIP Act. She is supposed to be a last-stop constitutional safeguard, who can reset the system if the government goes completely hatstand. She didn't.

    --
    I am TheRaven on Soylent News
  16. and that's just the breaches... by Tastecicles · · Score: 2

    ...that we already know about, never mind the ones they've so far managed to bury.

    The simple fact of the matter is, there is no system-level security. It's a system of trust where the ones with access cannot be trusted. They are, to put it mildly, and without exception, un-trust-worthy.

    --
    Operation Guillotine is in effect.
  17. Re:ugh by TheRaven64 · · Score: 5, Insightful

    But it would have to be taken away with the consent of the electorate. I suspect a speech by the queen about why she refused to sign RIPA would have resulted in a lot of MPs looking for a new career...

    --
    I am TheRaven on Soylent News
  18. Re:Mrs May you're useless! by tomtomtom · · Score: 3, Insightful

    One might posit that weak politicians (of all parties) who are unable to stand up to civil servants are a bigger part of the problem. Somehow the skills that seem to be required to get elected (and, as importantly, selected by a party to stand for a seat) just don't seem to include this skill set.

  19. Re:Mrs May you're useless! by reboot246 · · Score: 2

    It's that way in the U. S., too, and worse. And a lot of our public sector workers are unionized which means they're nearly impossible to fire. They demand more money and benefits from the politicians who are more than happy to oblige them in exchange for union campaign donations. Most work for 25 years and then retire with big pensions and cushy benefits.

    Until we get a handle on that we're screwed.

  20. Re:ugh by Goose+In+Orbit · · Score: 3, Insightful

    US: Jump!
    UK: How high?

    That's how "special" the relationship is...

  21. Re:ugh by busyqth · · Score: 2

    You forgot the appropriate converse: UK: Ok, now you jump for me, old pal. US: Shove it.

  22. Re:ugh by cybernanga · · Score: 2

    MP == Member of Parliament

    --
    www.Buy-Proxy.com - A "buyer-driven" global marketplace.
  23. Move Along by pkinetics · · Score: 2

    Yawn... this happens in the USA too. Anywhere you have personal records, there will be an employee who will access them for purposes other than intended. Do you think the people at the DMV haven't used their access to check on people that they have no business checking? How about the people that manage passports? There was that mess a few years ago.