UK Police Fined For Using Unencrypted Memory Sticks

An anonymous reader writes "The Information Commissioner's Office has filed a suit for £120,000 against the Greater Manchester Police because officers regularly used memory sticks without passwords to copy data from police computers and work on it away from the department. In July 2011, thousands of peoples' information was stolen from a officer's home on an unencrypted memory stick. A similar event happened at the same department in September 2010. 'This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine,' said ICO deputy commissioner David Smith."

Why are they even using USB flash drives?

[TWX]

Shouldn't they build or buy a system that allows employees to remote in? I work for a school system, and the school resource officers (which are city police officers) just VPN into their network from ours, so that they don't have to physically transport anything. Many of them even use computers provided by us instead of their highly-ruggedized but massively obsolete laptops...

Re:Why are they even using USB flash drives?

[Froggels]

"School resource officers (which are police officers)"

How orwellian can you get?

Re:Why are they even using USB flash drives?

[SimonTheSoundMan]

They have to have police officers in American schools because gun crime is so bad. In the UK two kids will hit each other, in America a kid will bring a gun to school the next day. I actually thought someone was trolling me when I first heard that American schools have armed police officers.

http://www.ifpo.org/articlebank/school_officers.html

It all fights fire with fire. Totally backwards and yes, Orwellian.

Re:Why are they even using USB flash drives?

There have always been police officers posted at schools, albeit now there are more. Still, even with all the news stories about kids shooting up other kids at schools, the actual chances of a school shooting happening at any one school are extremely low.

Why the officers are there (usually it's just one, although at my high school there were a couple (it was a huge high school)), are because it makes the parents FEEL better. One officer isn't going to be able to stop the first 10-15 people from getting blasted. Plus, maybe he'll be like New York's finest and hit bystanders while unloading.

Which brings me to the argument against having CCW holders carry inside schools. The reasoning is that they could make things worse and hit innocents. I agree with this. What CHL allows you to do is protect yourself and immediate others, not be a hero. If the gun lobby could understand this, maybe they'd have more luck. It's a constitutional argument, not a "we'll save the day" one. NBC or someone did a "study" on this and determined the same thing. Except they put in the mind of their subjects that they should try and save the day. That's not what any CHL course will tell you. Oh, but I digress.

Re:Why are they even using USB flash drives?

Are you retarded? There are cops at schools because the teachers aren't allowed to touch students at all because parents will sue

Re:Why are they even using USB flash drives?

"We have always been at war with Oceania"

bull-fucking-shit, there have NOT 'always' been kops at schools...
it IS orwellian, and it is counter-productive, and it is fascist, and it is yet another of the invisible-in-plain-sight reasons we are a militaristic society... ...and -yes- you are correct it is essentially yet another example of 'security theatre' that does little-to-nothing to keep us 'safe' (whatever that is), but certainly properly propagandizes those sheeple who roll over and give up all their rights because they are scared (by The Man, NOT by actual terrorists)...

art guerrilla
aka ann archy
eof

Re:Why are they even using USB flash drives?

[X0563511]

I seem to recall the officers used to be there in case of injuries, or catching kids smoking dope or whatnot. Nowdays they provide actual security too, it seems.

Makes sense to me, it's one of the few public offices that crams all of our children together on one place for such a long period of time. They should have been there anyway.

Re:Why are they even using USB flash drives?

[misexistentialist]

It's really just another position for unions and tax-and-spend government to fill. They are armed because police are always armed.

Re:Why are they even using USB flash drives?

[Xest]

"Makes sense to me, it's one of the few public offices that crams all of our children together on one place for such a long period of time. They should have been there anyway."

Are you actually serious about this?

You know the rest of the world handles this by, you know, simply teaching kids to get along and just not kill each other right?

Re:Why are they even using USB flash drives?

What do you expect to be needed when you cram a bunch of people into rooms who have no association with each other, aren't there with a clear motive, and only want to leave? There's another institution where we do the same thing, and it also requires jailors... whoops, guards.

Re:Why are they even using USB flash drives?

American schools have on-site police officers because of sue-happy parents. Teachers and faculty can't discipline children anymore so they just have them arrested.

Re:Why are they even using USB flash drives?

[SuricouRaven]

Maybe in the US. Here in the UK, teachers aren't allowed to touch students at all because the student could then just claim the touching was inappropriatly sexual, which would result in the immediate formation of a parental and media lynch mob followed by the rapid fireing of the accused.

Re:Why are they even using USB flash drives?

[X0563511]

Don't misunderstand me, I don't mean they should be there to keep the kids in line. I meant they should be there because kids do stupid things, and if a kid breaks a leg an officer should be around just in case.

Likewise, if some loon wanted to be a crazy, you wouldn't want them to do it in the middle of a concentration of our youths. An officer present on site has a chance of stopping such a thing before any damage could be done.

You've also got kids who get abused and might fess up to a cop, parents being crazy nutters needing escort off the property etc.

Re:Why are they even using USB flash drives?

They have to have police officers in American schools because gun crime is so bad. In the UK two kids will hit each other, in America a kid will bring a gun to school the next day.

It has nothing to do with guns or the lack thereof. It doesn't matter if the kids hit each other, steal from each other, or shoot each other. In any case, in the US, they are arrested (for assault, or assault with a deadly weapon, as appropriate) and a resource officer is on hand to do the arrestin'.

Schools in the USA are not for education. They're basically holding facilities for the underage during daylight hours, to prevent them from roaming the streets.

Re:Why are they even using USB flash drives?

[radish]

What use is a police officer if a kid breaks their leg? What you need is a paramedic. Do you have those stationed at every school as well, just in case? Or do you rely on the same 911 system everyone else does?

The problem with putting a police officer somewhere where there's nothing for them to do, is that someone will invent something for them to do.

Re:Why are they even using USB flash drives?

[X0563511]

Someone (eg parents) will be pointing the finger. An official who can claim something happened (or did not happen) would save the school a lot of trouble.

*facepalm*

[girlintraining]

Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget... sooo, wouldn't that mean the taxpayers will wind up paying for this? Some of them, twice even -- once for the loss of data, and again when they have to pay for it with their next tax return (admitedly, mere fractions of a pence, but it's the principle of the thing). That seems like a terribly effective method of teaching those officers not to leave sensitive data around! Far more effective, I think, then suspending one without pay or additional training how how to properly handle sensitive information.

Re:*facepalm*

Oh wait... isn't it the government who receives the payment for the fine? ;)

All this does is shift money. The government is just paying itself. It doesn't cost the taxpayer any more.

Re:*facepalm*

[davester666]

Yeah, fine the members of the department, so the individuals have to pay the fine. Then see how fast the situation changes.

Re:*facepalm*

[TimMD909]

Suspending without pay, expecting only trained people to handle sensitive data, and not charging the taxpayer tons of money? That's about as likely as convincing People Across the Pond they're all spelling "color" wrong....

Or is it "wroung"...

Re:*facepalm*

[_Shad0w_]

You can only suspend them if they were actually breaking the force's own rules on storing and transferring data. If they weren't then it's ultimately the force's collective responsibility for failing to put in place a proper data protection policy. You could place the blame entirely at the feet of the chief constable or the GMP Authority, however holding individuals responsible for collective failures never works well.

Re:*facepalm*

I think you've missed the meaning of the word, budget. Because the fine is coming out of their budget that's money they can't spend on other things like paper, staplers and salaries. What's the bet that the people involved will be fired or fined to recover the lost money?

Re:*facepalm*

[girlintraining]

You could place the blame entirely at the feet of the chief constable or the GMP Authority, however holding individuals responsible for collective failures never works well.

It works better than holding nobody responsible.

Re:*facepalm*

[Bert64]

Actually it does, in typical government inefficiency it will take considerable resources to process this fine, and most likely there will be banking charges involved which means at least some of the money leaks into private hands.

Re:*facepalm*

[mjwx]

Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget... sooo, wouldn't that mean the taxpayers will wind up paying for this?

Yes, an organisation that collects fines for the taxpayer has levied a 12,000 pound fine against an organisation that is funded by the taxpayer.

The greater Manchester police will now have to apply for additional (taxpayer) funding to cover the additional cost of paying a fine to the taxpayers.

All of this should have been explained in the documentary Yes Minister.

Re:*facepalm*

[Tastecicles]

how about the Official Secrets Act 1911? We are talking about *official Government documents*, after all.

Re:*facepalm*

[1u3hr]

Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget

It'll come out of their budget. And in a bureaucracy, that's your status. It will certainly make the police take data security seriously, which is the point of the fine, not to collect money for the Exchequer to refund to taxpayers.

Re:*facepalm*

[PT_1]

Oh wait... isn't it the government who receives the payment for the fine? ;)

All this does is shift money. The government is just paying itself. It doesn't cost the taxpayer any more.

To some extent.

However, in the UK the police are funded partially through central government funds and partially through local council funds. People here pay income tax, which goes to central government, and a smaller amount of 'council' tax, which is for use on local services, police, fire departments etc.

What these fines do, in effect, is to take money that residents of the area have paid to police the local area and give it back to central government. The health service is currently fighting a similar £325,000 (over $500,000) fine.

These organisations should be held accountable for privacy breaches, but taking money away from residents and patients is not the answer.

Re:*facepalm*

[SimonTheSoundMan]

Is the IT contracted out? I'm guess GMP will try to recoup the fines from the private contractors.

Re:*facepalm*

[dave420]

If we use that logic, a parking ticket is an official government document.

Re:*facepalm*

[drinkypoo]

Yes, the taxpayers will continue to pay twice until they vote for someone who will fix the problem. This is supposed to be an inducement to the taxpayer to vote for someone else. Unsurprising but dismaying that you don't get this.

Re:*facepalm*

[Ash+Vince]

These organisations should be held accountable for privacy breaches, but taking money away from residents and patients is not the answer.

No, the answer is clearly to fire someone over this and make sure they also forfeit their pension. Fat chance of that happening though since the coppers in the UK operate completely above the law, any attempt to chastise them via the IPCC or whatever is really just window dressing.

Re:*facepalm*

[Suferick]

Not exactly. The police force's overall budget will not be increased, so the taxpayer won't fork out any more, and the money will have to be found from elsewhere, such as the overtime budget for beat officers. It will thus hurt the force a little, and perhaps hurt the public because of the decreased level of service provided.

How can we ensure that the people responsible are the ones who actually carry the can in cases like this?

Re:*facepalm*

[Tastecicles]

strictly speaking, it is. Fixed penalty revenues go to the Treasury.

Re:*facepalm*

[DM9290]

Actually it does, in typical government inefficiency it will take considerable resources to process this fine, and most likely there will be banking charges involved which means at least some of the money leaks into private hands.

So this is basically a make work project for already wealthy lawyers and bankers. Fascism at its best.

Re:*facepalm*

Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget... sooo, wouldn't that mean the taxpayers will wind up paying for this?

Officers who cost the city tax money eventually (it takes too long) get pushed out. A better way would be to have the officer's grouped, pension funds fined for officer misconduct. Onlyt hat will stop this thin blue line crap. If a cop's partner kills an unarmed suspect, well, he probably had it coming, and he's a good guy otherwise, so why punish the cop, he'll think. But if my partner is costing me $20 a week from my pension, I'll get his dumb ass kicked out a lot quicker.

That's the way to solve this, the free market at work. How we get there from the plutocracracy we have, I don't know.

Sneakernet?

[bmo]

Really?

In 2012?

copy data from police computers and work on it away from the department.

Really? Aren't there such things as encryption and networks and the data staying on the bloody server?

--
BMO

They should have fined the individual officers

[opus_magnum]

instead of offloading the cost back on the community.

Re:They should have fined the individual officers

[_Shad0w_]

I suspect the Police Federation's argument would be that their members were just using the tools made available to them by the GMP. Unless the officers have been using personal devices to carry out police work, but in that case you'd have to check the rules didn't explicitly state they couldn't, otherwise the GMP almost certainly still has vicarious liability.

remoteing systems cost more then takeing data home

[Joe_Dragon]

remoteing systems cost more then taking data home on a usb key.

  computers provided my then has cost as well.

no way the union will let that happen

[Joe_Dragon]

no way the union will let that happen and they will likely not even let the officers take the blame.

Any ways what is there story it was the only way to get there work done and the official way was not in place or there was none?

*facepalm* indeed

How effective it will be will depend on whether the police department is unionized or somehow protected by UK law against their own screwups. If not, people can actually be fired for this type of thing - and yes, that's effective.

Re:*facepalm* indeed

[Tastecicles]

SOCPA 2005 section 71 gives Police Authorities and Police Forces ("Services") immunity from prosecution if they turn evidence in any other proceeding; since this is a blanket immunity, then it's practically impossible to prosecute the Police by any other than charges at Common Law (ie, rape, robbery or murder).

HOWEVER:

This case describes the first case decided on SOCPA sections 71 through 75; basically it allowed an individual to plead down, on appeal, by turning evidence in an ongoing case. His sentence went from 17 years for (among other things) drug possession to 3.

To date, no police officer in the UK has ever been prosecuted for the wrongful death of another. All they have to do is turn evidence in a lesser crime like cannabis possession, and they're off!

Re:remoteing systems cost more then takeing data h

[TWX]

I've got to think that remoting systems cost less than the labor to disinfect office computers from viruses brought in by USB flash media from home computers...

What's the solution (for Linux)?

[Compaqt]

Is there a way to (easily) turn off USB flash device ability in Linux (particularly Debian variants)?

All this while also preserving the ability to use USB mice and keyboards?

Re:What's the solution (for Linux)?

[dutchwhizzman]

Various automounters can be made to only mount read-only. Without root or sudo, such a thing would be easy to implement. Also, (auto)mounting could be made something only root would be allowed to do. Device permissions could be defaulted to root only, the list goes on and on.

Re:What's the solution (for Linux)?

You could blacklist the fat drivers, which would account for most of them. (Unless police are somehow intelligent enough to format their USB keys in ext2/3/4, etc.)

If you were feeling particularly mischievous you could setup a UDEV rule for USB mass storage devices that erases their partition table(s) before kicking them off the bus.

Re:What's the solution (for Linux)?

[Bert64]

Remove the usb-storage module, or blacklist it so that it cannot load.

Other classes of usb device have their own modules, which you can either leave alone or remove at your leisure if you want to use them (printers etc)...

You could also just disable the automount service, then no removable media will get mounted and you would need root in order to access it manually.

It's actually much easier than the various hoops people jump through to try and implement the same on windows.

Re:What's the solution (for Linux)?

[jimicus]

There's hoops in earlier versions of Windows, but Server 2008 introduces a group policy object that makes it pretty easy:

http://www.techrepublic.com/blog/datacenter/disable-removable-media-through-windows-server-2008s-group-policy-configuration/452

Re:What's the solution (for Linux)?

[Bert64]

Great, only group policies are more for convenience rather than security, a lot of them are implemented very insecurely and are easily bypassed so that turning them on actually does more harm than good by creating a false sense of security.

I for one find this story hilarious.

A burglar invaded an officers home.
You'd expect the officer to have some form of protection. :D

Re:I for one find this story hilarious.

[SuricouRaven]

Most policing is focused not on actively preventing crime, but on catching the criminal after the act - and making sure that any potential criminal knows that their eventual capture is probable, thus removing the incentive towards crime.

Re:remoteing systems cost more then takeing data h

Remote terminals come out of the capital budget, virus removal comes out of the operations budget.

but but but...

[slashmydots]

But a Kanguru encrypted flash drive is like $29! (US) That's A LOT of money for police officer equipment, lol.

Re:but but but...

[cbhacking]

I get that you're going for a joke, but the sad thing is, this really shouldn't cost anything at all. Assuming the police are using a volume-licensed edition of either Win7 (sadly, it's quite possible that they're still on XP but I would truly hope not), they can use Bitlocker To Go, which is full-volume encryption for removable storage. It's typically protected with a passphrase (though you can use any of a number of things, including multi-factor auth with smartcards and the like as well) and utilizes very strong encryption. Aside from a few minutes to enable the encryption, and needing to enter the passwords when the drives are mounted, there's no extra cost. It's read-only on XP (since XP doesn't natively support Bitlocker) but otherwise, it's just about perfect for this situation.

There's also Truecrypt and GPG or some other PGP/openpgp implementation. Not as user-friendly as BL2Go, perhaps, but no requirements of OS version. That's just staying within the bounds of free (gratis) software; there are of course more options if they want to spend some cash. Hell, even using encrypted ZIP files would be an improvement...

Re:but but but...

If they are using the same supplier as the rest of the Government, they will be running XP and IE6. Sad but true.

The cabal that supplies IT to the UK Gov makes G4S look good.

There is a Gov approved product for encryption and control of removable media which I won't disclose here, but it is often bypassed as it is 'fiddly' for the end user.

Anon for obvious reasons.

Re:but but but...

Maybe you are better off buying an encryptstick for $39,95 It works on every stick and has multi platform support, it even includes key and data backup facilities.
They just released 5.2 and it is a big step forward.

Re:but but but...

[Inda]

Would that be a suitable solution? Honestly?

The users around here, even if they managed to enter a password in Truecrypt, would just as happly click "password-hint.exe". And for that reason alone, I'm out.

We still burn CDs here ffs. It's the default answer to moving files around. We have 10,000 users on the network. A netwrok designed to move files around.

usually flash drives have fat filesystems

Unless you format the flash stick with another file system, or put encrypt all of the data, flash shows up without needing passwords. There are a lot of encryption algorithms floating around. Truecrypt is good, Skipjack is still ok.

Standard...

[Bert64]

The problem is that there is simply no standard for encrypted removable storage... It seems every vendor of "encrypted" flash drives ships their own proprietary, usually windows-only binaries on the stick which may or may not work, and may or may not require various levels of privilege in order to install, and may or may not be full of all manner of security holes.
Pity the poor consultant carrying a windows laptop that contains all these various encryption drivers installed because he never knows what proprietary encryption scheme the next client will be using.

USB storage is a good standard, you can plug such a device into almost anything and it will be mounted and read... What we need is a similar standard for encrypted storage where you can plug it into almost anything, enter a password and it mounts without having to install any non standard drivers.

Re:Standard...

What about Bitlocker?

Re:Standard...

[stepdown]

Would TrueCrypt be a good candidate?

I'm sure we'd need some way of enforcing vendors to use it though.

Re:Standard...

[jimicus]

Not really. Ideally you need a system which marries some degree of security with a mechanism to recover lost keys. Few organisations will accept "you lost the password to your encrypted drive? Then you're stuffed. Not even MI5/NSA/FBI/B&Q can help."

Most commercial encryption products include one or more "user has forgotten their password" recovery mechanisms for exactly this reason.

Re:Standard...

[Dr_Barnowl]

TrueCrypt offers this feature ; you back up the key block (which at that time has a password known to the administrator), and just restore it in the event of a user password loss incident. It even has the appropriate UI to let you do it.

The commercial product we've used implements this feature by storing redundant key blocks encrypted with the administrators password, which is much less secure - once you know that password, you can access the files on any system.

The other method of key recovery it supports is giving the users access to the key escrow server online, where they can answer a "security question" and receive some kind of backup hash or password for a redundant key block .. for which they need a working system. Which they don't have, because they're locked out, so they have to collar a colleague and monopolize their system for 5 minutes. Which favours the poor IT department, not having to actually do their job, but is probably an overall saving in time - the last resort is that someone cooks a recovery floppy (! no USB option !) and visits your machine personally (with a USB floppy drive, of course, because none of our machines have one any more).

TrueCrypt could probably benefit from some of those extra convenience features for market penetration reasons, but you can still do key escrow with it.

Re:Standard...

[jimicus]

It does, but AFAICT last time I checked, TrueCrypt makes it relatively easy for the end user to change the encryption key that's used and you can't stop the user from doing this. As soon as they do, the backup key block is useless.

I accept that commercial products that implement other key recovery tools are by definition less secure; what I don't accept is that they are so much less secure you may as well not bother with them in the first place.

Re:Standard...

[L4t3r4lu5]

That isn't true. The key used to encrypt the container is different to the key used to unlock the container. When you supply the password / keyfile to TrueCrypt, it searches for the word "TRUE" in a portion of the container file reserved for this check. If this the case, the password and keyfile are used to decrypt the container key, which is then used to decrypt the volume. If "TRUE" isn't found, the key is incorrect and the container key is not decrypted.

When you change the password, you change the only the password used to encrypt the container key. The container key doesn't change, which is why you don't need to decrypt and re-encrypt the volume every time you change the password. TrueCrypt offers this as a way to recover a lost volume password; Overwrite the container key with the backed-up key, enter your original password, and you will be able to decrypt the container key (which remained unchanged) and therefore mount the encrypted volume.

Sorry this is a little garbled, but it's difficult to explain. I hope it's clear enough.

Re:Standard...

I actuallly use that EncryptStick application that some else mentioned here for all HR and Payroll data. Often at the end of the month we do a lot of overtime and the compters of the HR departent are not connected to the internet so remote access won't do. Encryptstick runs on the Mac at my house and the PC in the office. Previously I used TrueCrypt for this but the problem was that when I walk away and forget to dismount it, any person coming to my computer can view the data and copy it. Encryptstick times out automatically after a set time so when I am interupted I am not afraid that someone can quickly copy all my data.

Re:Standard...

The problem is that there is simply no standard for encrypted removable storage...

What about Opal?

http://en.wikipedia.org/wiki/Opal_Storage_Specification

Re:Standard...

[davidshewitt]

Obligatory xkcd: http://xkcd.com/927/

Re:Standard...

[SuricouRaven]

You'd just end up with the browser codec fight over again. Microsoft would refuse to build any open standard into Windows if they could possibly help it, and no-one else (Maybe Apple) would be willing to license Microsoft's own technology.

Re:Standard...

GOd mdanit ! "m so sick of the FUCKING M$ MICROF$OFT $HILL$ at this site. Go away M$% Bob

Re:Standard...

[jabelli]

You know TrueCrypt has a timeout setting as well, right?

You also don't need to pay TrueCrypt every time you upgrade your drive.

"Please Note: Your Encrypt Stick license cannot be transfered to a different drive once activated"

Re:Standard...

If there is no standard for encrypted removable storage then it makes it harder to hack and also makes it harder for the owner of the encrypted removable storage device.

Re:Standard...

[radish]

The problem is that people are still using removable storage. In my organization it's been banned for years - there's simply no justification for the huge risk involved in letting your data literally walk out the door, encrypted or not (and that doesn't even consider what walks back in on those sticks the next morning). VPN & remote desktop setups are cheap and easy. Use them.

Re:Standard...

[Bert64]

No it doesn't, security through obscurity doesn't work.

People use standard algorithms for encryption, that doesn't make them any easier to hack.

With a widely used standard, it would be thoroughly audited by many people and organisations...

With all manner of proprietary crap, how do you know that the one you pick won't have gaping flaws? Take a look at http://www.digit-labs.org/files/presentations/sec-t-2010.pdf and some of the other stuff on digit-labs.org for examples of flaws in proprietary encryption products...

Thoughtless

That's hardly the point, it wasn't a question of money obviously - it was lack of thought.

Very Common Problem

[GumphMaster]

Back in the 90s my home in Canberra (Australia's capital and a government town) was burgled. The first, and I mean very first, thing the police asked on arrival was, "I there any classified information involved?" I was standing there in my Air Force uniform, so I guess it was a reasonable question. Nothing I was working at the time could even remotely be considered safe to take home, encrypted or not, so the answer was a no-brainer. I guess I was dismayed that the event was common enough that the automatic response had kicked in though. Some things, it seems, don't change.

How about...

[Tastecicles]

...guaranteed general population jail time for ANY police officer found to be responsible for ANY data leak?

It would surely be incentive to properly secure data and make sure it fucking stays that way!

Re:How about...

Not only efficient but also cheap. 'Cause you know, no police officer would ever be found responsible...

YAY! Let's crack down!

[Savage-Rabbit]

Yeah, fine the members of the department, so the individuals have to pay the fine. Then see how fast the situation changes.

I am firmly convinced that draconian punishments are counter productive and belong in places like North Korea. Why not just fix the problem? There clearly is a need for carting data around on USB sticks despite other options, else people would not be doing it. How about issuing only laptops/desktops with an OS that has been fixed so as to be unable to export data to anything other than hardware encrypted USB sticks like Iron Key and then make officers responsible for their USB key like officers are responsible for their fire arm if they carry one (and yes I have spent enough time in the UK to know most cops there don't carry a gun). Alternatively one could issue only computers incapable of mounting external storage.

Re:YAY! Let's crack down!

[davester666]

"and then make officers responsible for their USB key like officers are responsible for their fire arm if they carry one "

I would expect officers would be fined and/or suspended w/o pay for losing their firearms. So, this would fall under the 'fine the officers directly for losing these USB sticks' that I suggested.

Yes, there is a whole training/configuration component, which may or may not have taken place already, but I'm sure there is still some need for access to unencrypted USB keys, so just disabling their use probably won't be useful.

This is the same thing that the medical system also has to [or should already have] deal with. All the parts are there to do it, it just takes somebody to keep slapping people until they actually do it, every time.

Worth digging a little deeper

[jimicus]

Every single time I've heard about a large fine like this being imposed for breach of data protection law, there's been background information - usually aggravating circumstances that make the transgression rather worse.

And so it is here:

The ICO found that a number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office. Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.

This wasn't one rogue officer breaching policy, this was a complete failure by management to implement a policy some two years after it had become pretty obvious that such a policy needed to exist.

You're not taking into account "government" price

[Dr_Barnowl]

They really should have known better - the National Health Service has been lambasted on several occasions for similar data leaks and has thoroughly learned it's lesson. We are not permitted to mount unencrypted USB volumes any more.

But the encrypted drives we are required to use if we need to transfer data are purchased from a central contract - and cost us £64 ($103) for a 2GB flash unit. I'm not surprised if there is a certain reluctance amongst the police to purchase that kind of deal.

When I first saw that price I assumed they were some kind of military grade unit with a hardware encryption controller. They are not, they're just partitioned, with a custom driver in the first, plaintext, partition. So they are taking units that were probably about £5 (at the time) and making a very substantial mark-up.

Our standard advice on what to do with an encrypted drive after we're done with it is not to just wipe the key block, making the data into worthless noise, but to physically destroy it. I'm willing to bet that our friendly encrypted storage vendor thought that one up.

As you quite rightly say, there are other options. I estimated that I could knock together a solution using TrueCrypt - including all the features that the current solution has, like key escrow - and sell them for about £15 a go. You can't even *buy* 2GB flash drives at my usual retailer any more, or even 4GB units, so they'd have to put up with having 4 times the capacity. But I'd still be making a good margin - those 8GB drives are now around £5 retail. And the TrueCrypt solution has the advantage of working on every platform, not just Windows.

Someone should start a log

and collect every story when a goverment institution mishandles peoples private information. Should be good ammunition for every debate about new laws and regulations that takes away your freedom to be left alone.

wrong?

[HarryatRock]

The correct spelling of "honour", "colour" etc. is clearly given in the ENGLISH dictionary, The words "honor" etc. are not English, but "American", Mr. Webster and his ilk have a lot to answer for, especially their failure to use "Z" in words such as enterprize.

Re:wrong?

[mcgrew]

If British English is so superior to American English, then why to you spell "trunk" b-o-o-t? I don't keep anything in boots except feet and socks, but trunks were around in carriages since before America was even discovered.

Re:wrong?

If British English is so superior to American English, then why to you spell "trunk" b-o-o-t?

If American English is so superior to British English, then why do you spell "do" t-o?

Re:wrong?

Just because it's "superior" does not mean any of us actually know how to spell it. As a native speaker of American English, even I have to wonder what the hell some people are talking about. Ever hear street talk/slang/idiocy? Trust me, it makes us all wince.

Bad title.

Title: UK Police Fined For Using Unencrypted Memory Sticks

Summary: "The Information Commissioner's Office has filed a suit for £120,000 against the Greater Manchester Police because officers regularly used memory sticks without passwords to copy data from police computers and work on it away from the department. In July 2011, thousands of peoples' information was stolen from a officer's home on an unencrypted memory stick. A similar event happened at the same department in September 2010. 'This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine,' said ICO deputy commissioner David Smith."

Question: did whoever posted, and whoever read, and approved this 'story' bother to check the eye-ball catching headline with the contents of what is in reality in the article, presented in a hum-drum, why is this news, already? kind of a way?

Just so you know, a FINE is not the same as being SUED. Get it right, guys. You just look stupid otherwise.

Memory sticks

When I read that headline, I thought "You can purchase encrypted DDR system memory?", then I realized they were talking about FLASH drives. Now that we're including FLASH drives into memory sticks, I think it's only fair that harddrives fall under this umbrella. I've always wanted to install a 4TB memory stick into my computer.

Re:Memory sticks

[gumpish]

Actually Memory Stick is a Sony trademark for their proprietary flash media.

per wikipedia

If you refer to DIMMs as "memory sticks" you're just as guilty as the submitter and editor are of promulgating confusion.

Wait a second

[Frontier+Owner]

My concern isn't so much that the officer had the information on an unencrypted memory stick. Whats more concerning is people in the UK are so safe that a POLICE OFFICERS home was burglarized! Thieves have absolutely NOTHING to fear.

Re:Wait a second

[Xest]

What makes you think the thief even knew it was a police officers home and didn't just carry out a random burglary?

Re:Wait a second

[SuricouRaven]

Most policing is focused not on preventing crime, but catching the criminals after the act. The high risk of capture than acts as a deterrent to commiting crime. In this case, you can be confident that the full force of the police is going to be thrown into this investigation - they've probably got people searching ebay for items matching those stolen, people collecting all the footage from CCTV cameras in the area and forensics studying the place in their white suits looking for evidence. All the intensive, expensive stuff that an ordinary burglery wouldn't merit.

Re:Wait a second

[radish]

What's so special about a cop's house? I live in the US, there's a police officer lives down the block from me. Now obviously, as a burglar, I wouldn't try and break in while he's home (cruiser parked out front) - but if he's not? House isn't anything special, doesn't even look like it has an alarm.

force encryption on removable media

There's hoops in earlier versions of Windows, but Server 2008 introduces a group policy object that makes it pretty easy:

http://www.techrepublic.com/blog/datacenter/disable-removable-media-through-windows-server-2008s-group-policy-configuration/452

And more usefully, starting with Windows 7, you can force the use of BitKeeper on removable media via Group Policy:

http://www.windowsnetworking.com/articles_tutorials/using-bitlocker-encrypt-removable-media-part2.html

Re:force encryption on removable media

[Bert64]

And thus make your removable media unusable on anything other than a modern windows box... Hence the need for standards.

Virgin Mobile

I thought Virgin Mobile has root level access to every memory stick in the U.K. Why doesn't Virgin Mobile simply encrypt the data for them?

Is this Top Secret Bond 007 files?

Most Police's/Cop's files on USB Stick is public files that citizens can make a request to obtain the files. I think this is a job for Bond 007. Maybe 007 can track and find the individuals that broke into someone's home and resolve the problem(s).

You're optimizing for the incorrect factors.

You forgot about the kickbacks^Wcosts of pursuing new business required to successfully land such a contract.

What would the per-unit price be if you had to hire a newly-retired NHS exec as your business' figurehead CEO?

How much does it cost to hire former NHS execs as "consultants" to act as liaison with NHS as they write the bid specifications? Carefully crafted bid requirements can ensure that only a single vendor is able to tender a bid that satisfies the requirements.

Want to ensure that your cheap-ass, software encryption-only, crap USB stick can be sold for an obscene markup? Simple: make certain through the "consultation process" that there is a bid requirement added to stipulate that the hardware/software be compatible with Win95 SR2 or something of that ilk. (Bonus if you later meet the 'compatibility' requirement by making a 4KB autorun program that can run in Win95 but merely displays a dialog that says the device can only be used in an XP or later system)

Naturally, these matters are best discussed at the highest levels, with your consultants taking the NHS execs to Ibiza. If your consultants play their cards right they can probably even secure a subsequent directive mandating physical destruction of the USB sticks instead of erasure...