Slashdot Mirror
UK Police Fined For Using Unencrypted Memory Sticks
An anonymous reader writes "The Information Commissioner's Office has filed a suit for £120,000 against the Greater Manchester Police because officers regularly used memory sticks without passwords to copy data from police computers and work on it away from the department. In July 2011, thousands of peoples' information was stolen from a officer's home on an unencrypted memory stick. A similar event happened at the same department in September 2010. 'This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine,' said ICO deputy commissioner David Smith."
Shouldn't they build or buy a system that allows employees to remote in? I work for a school system, and the school resource officers (which are city police officers) just VPN into their network from ours, so that they don't have to physically transport anything. Many of them even use computers provided by us instead of their highly-ruggedized but massively obsolete laptops...
Do not look into laser with remaining eye.
Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget... sooo, wouldn't that mean the taxpayers will wind up paying for this? Some of them, twice even -- once for the loss of data, and again when they have to pay for it with their next tax return (admitedly, mere fractions of a pence, but it's the principle of the thing). That seems like a terribly effective method of teaching those officers not to leave sensitive data around! Far more effective, I think, then suspending one without pay or additional training how how to properly handle sensitive information.
#fuckbeta #iamslashdot #dicemustdie
Really?
In 2012?
copy data from police computers and work on it away from the department.
Really? Aren't there such things as encryption and networks and the data staying on the bloody server?
--
BMO
instead of offloading the cost back on the community.
remoteing systems cost more then taking data home on a usb key.
computers provided my then has cost as well.
no way the union will let that happen and they will likely not even let the officers take the blame.
Any ways what is there story it was the only way to get there work done and the official way was not in place or there was none?
I've got to think that remoting systems cost less than the labor to disinfect office computers from viruses brought in by USB flash media from home computers...
Do not look into laser with remaining eye.
Is there a way to (easily) turn off USB flash device ability in Linux (particularly Debian variants)?
All this while also preserving the ability to use USB mice and keyboards?
I'm not a lawyer, but I play one on the Internet. Blog
A burglar invaded an officers home. :D
You'd expect the officer to have some form of protection.
Remote terminals come out of the capital budget, virus removal comes out of the operations budget.
But a Kanguru encrypted flash drive is like $29! (US) That's A LOT of money for police officer equipment, lol.
The problem is that there is simply no standard for encrypted removable storage... It seems every vendor of "encrypted" flash drives ships their own proprietary, usually windows-only binaries on the stick which may or may not work, and may or may not require various levels of privilege in order to install, and may or may not be full of all manner of security holes.
Pity the poor consultant carrying a windows laptop that contains all these various encryption drivers installed because he never knows what proprietary encryption scheme the next client will be using.
USB storage is a good standard, you can plug such a device into almost anything and it will be mounted and read... What we need is a similar standard for encrypted storage where you can plug it into almost anything, enter a password and it mounts without having to install any non standard drivers.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Back in the 90s my home in Canberra (Australia's capital and a government town) was burgled. The first, and I mean very first, thing the police asked on arrival was, "I there any classified information involved?" I was standing there in my Air Force uniform, so I guess it was a reasonable question. Nothing I was working at the time could even remotely be considered safe to take home, encrypted or not, so the answer was a no-brainer. I guess I was dismayed that the event was common enough that the automatic response had kicked in though. Some things, it seems, don't change.
Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
...guaranteed general population jail time for ANY police officer found to be responsible for ANY data leak?
It would surely be incentive to properly secure data and make sure it fucking stays that way!
Operation Guillotine is in effect.
SOCPA 2005 section 71 gives Police Authorities and Police Forces ("Services") immunity from prosecution if they turn evidence in any other proceeding; since this is a blanket immunity, then it's practically impossible to prosecute the Police by any other than charges at Common Law (ie, rape, robbery or murder).
HOWEVER:
This case describes the first case decided on SOCPA sections 71 through 75; basically it allowed an individual to plead down, on appeal, by turning evidence in an ongoing case. His sentence went from 17 years for (among other things) drug possession to 3.
To date, no police officer in the UK has ever been prosecuted for the wrongful death of another. All they have to do is turn evidence in a lesser crime like cannabis possession, and they're off!
Operation Guillotine is in effect.
Yeah, fine the members of the department, so the individuals have to pay the fine. Then see how fast the situation changes.
I am firmly convinced that draconian punishments are counter productive and belong in places like North Korea. Why not just fix the problem? There clearly is a need for carting data around on USB sticks despite other options, else people would not be doing it. How about issuing only laptops/desktops with an OS that has been fixed so as to be unable to export data to anything other than hardware encrypted USB sticks like Iron Key and then make officers responsible for their USB key like officers are responsible for their fire arm if they carry one (and yes I have spent enough time in the UK to know most cops there don't carry a gun). Alternatively one could issue only computers incapable of mounting external storage.
Only to idiots, are orders laws.
-- Henning von Tresckow
Every single time I've heard about a large fine like this being imposed for breach of data protection law, there's been background information - usually aggravating circumstances that make the transgression rather worse.
And so it is here:
The ICO found that a number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office. Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
This wasn't one rogue officer breaching policy, this was a complete failure by management to implement a policy some two years after it had become pretty obvious that such a policy needed to exist.
They really should have known better - the National Health Service has been lambasted on several occasions for similar data leaks and has thoroughly learned it's lesson. We are not permitted to mount unencrypted USB volumes any more.
But the encrypted drives we are required to use if we need to transfer data are purchased from a central contract - and cost us £64 ($103) for a 2GB flash unit. I'm not surprised if there is a certain reluctance amongst the police to purchase that kind of deal.
When I first saw that price I assumed they were some kind of military grade unit with a hardware encryption controller. They are not, they're just partitioned, with a custom driver in the first, plaintext, partition. So they are taking units that were probably about £5 (at the time) and making a very substantial mark-up.
Our standard advice on what to do with an encrypted drive after we're done with it is not to just wipe the key block, making the data into worthless noise, but to physically destroy it. I'm willing to bet that our friendly encrypted storage vendor thought that one up.
As you quite rightly say, there are other options. I estimated that I could knock together a solution using TrueCrypt - including all the features that the current solution has, like key escrow - and sell them for about £15 a go. You can't even *buy* 2GB flash drives at my usual retailer any more, or even 4GB units, so they'd have to put up with having 4 times the capacity. But I'd still be making a good margin - those 8GB drives are now around £5 retail. And the TrueCrypt solution has the advantage of working on every platform, not just Windows.
The correct spelling of "honour", "colour" etc. is clearly given in the ENGLISH dictionary, The words "honor" etc. are not English, but "American", Mr. Webster and his ilk have a lot to answer for, especially their failure to use "Z" in words such as enterprize.
nec sorte nec fato
My concern isn't so much that the officer had the information on an unencrypted memory stick. Whats more concerning is people in the UK are so safe that a POLICE OFFICERS home was burglarized! Thieves have absolutely NOTHING to fear.
Actually Memory Stick is a Sony trademark for their proprietary flash media.
per wikipedia
If you refer to DIMMs as "memory sticks" you're just as guilty as the submitter and editor are of promulgating confusion.
And thus make your removable media unusable on anything other than a modern windows box... Hence the need for standards.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!