Slashdot Mirror


UK Police Fined For Using Unencrypted Memory Sticks

An anonymous reader writes "The Information Commissioner's Office has filed a suit for £120,000 against the Greater Manchester Police because officers regularly used memory sticks without passwords to copy data from police computers and work on it away from the department. In July 2011, thousands of people's information was stolen from an officer's home on an unencrypted memory stick. A similar event happened at the same department in September 2010. 'This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine,' said ICO deputy commissioner David Smith."


  1. Why are they even using USB flash drives? by TWX · · Score: 4, Insightful

    Shouldn't they build or buy a system that allows employees to remote in? I work for a school system, and the school resource officers (which are city police officers) just VPN into their network from ours, so that they don't have to physically transport anything. Many of them even use computers provided by us instead of their highly-ruggedized but massively obsolete laptops...

    --
    Do not look into laser with remaining eye.
    1. Re:Why are they even using USB flash drives? by Froggels · · Score: 4, Insightful

      "School resource officers (which are police officers)"

      How Orwellian can you get?

    2. Re:Why are they even using USB flash drives? by SimonTheSoundMan · · Score: 3, Informative

      They have to have police officers in American schools because gun crime is so bad. In the UK two kids will hit each other, in America a kid will bring a gun to school the next day. I actually thought someone was trolling me when I first heard that American schools have armed police officers.

      http://www.ifpo.org/articlebank/school_officers.html

      It all fights fire with fire. Totally backwards and yes, Orwellian.

    3. Re:Why are they even using USB flash drives? by Xest · · Score: 2

      "Makes sense to me, it's one of the few public offices that crams all of our children together on one place for such a long period of time. They should have been there anyway."

      Are you actually serious about this?

      You know the rest of the world handles this by, you know, simply teaching kids to get along and just not kill each other right?

  2. *facepalm* by girlintraining · · Score: 5, Interesting

    Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget... sooo, wouldn't that mean the taxpayers will wind up paying for this? Some of them, twice even -- once for the loss of data, and again when they have to pay for it with their next tax return (admittedly, mere fractions of a pence, but it's the principle of the thing). That seems like a terribly effective method of teaching those officers not to leave sensitive data around! Far more effective, I think, than suspending one without pay or additional training on how to properly handle sensitive information.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:*facepalm* by davester666 · · Score: 2

      Yeah, fine the members of the department, so the individuals have to pay the fine. Then see how fast the situation changes.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:*facepalm* by Bert64 · · Score: 2

      Actually it does, in typical government inefficiency it will take considerable resources to process this fine, and most likely there will be banking charges involved which means at least some of the money leaks into private hands.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:*facepalm* by mjwx · · Score: 3, Insightful

      Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget... sooo, wouldn't that mean the taxpayers will wind up paying for this?

      Yes, an organisation that collects fines for the taxpayer has levied a 12,000 pound fine against an organisation that is funded by the taxpayer.

      The Greater Manchester Police will now have to apply for additional (taxpayer) funding to cover the additional cost of paying a fine to the taxpayers.

      All of this should have been explained in the documentary Yes Minister.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    4. Re:*facepalm* by 1u3hr · · Score: 4, Informative

      Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget

      It'll come out of their budget. And in a bureaucracy, that's your status. It will certainly make the police take data security seriously, which is the point of the fine, not to collect money for the Exchequer to refund to taxpayers.

    5. Re:*facepalm* by PT_1 · · Score: 3, Interesting

      Oh wait... isn't it the government who receives the payment for the fine? ;)

      All this does is shift money. The government is just paying itself. It doesn't cost the taxpayer any more.

      To some extent.

      However, in the UK the police are funded partially through central government funds and partially through local council funds. People here pay income tax, which goes to central government, and a smaller amount of 'council' tax, which is for use on local services, police, fire departments etc.

      What these fines do, in effect, is to take money that residents of the area have paid to police the local area and give it back to central government. The health service is currently fighting a similar £325,000 (over $500,000) fine.

      These organisations should be held accountable for privacy breaches, but taking money away from residents and patients is not the answer.

    6. Re:*facepalm* by Suferick · · Score: 2

      Not exactly. The police force's overall budget will not be increased, so the taxpayer won't fork out any more, and the money will have to be found from elsewhere, such as the overtime budget for beat officers. It will thus hurt the force a little, and perhaps hurt the public because of the decreased level of service provided.

      How can we ensure that the people responsible are the ones who actually carry the can in cases like this?

  3. Sneakernet? by bmo · · Score: 3, Insightful

    Really?

    In 2012?

    copy data from police computers and work on it away from the department.

    Really? Aren't there such things as encryption and networks and the data staying on the bloody server?

    --
    BMO

  4. They should have fined the individual officers by opus_magnum · · Score: 2

    instead of offloading the cost back on the community.

  5. Re:remoting systems cost more than taking data h by Anonymous Coward · · Score: 2, Insightful

    Remote terminals come out of the capital budget, virus removal comes out of the operations budget.

  6. but but but... by slashmydots · · Score: 2

    But a Kanguru encrypted flash drive is like $29! (US) That's A LOT of money for police officer equipment, lol.

    1. Re:but but but... by cbhacking · · Score: 2

      I get that you're going for a joke, but the sad thing is, this really shouldn't cost anything at all. Assuming the police are using a volume-licensed edition of either Win7 (sadly, it's quite possible that they're still on XP but I would truly hope not), they can use Bitlocker To Go, which is full-volume encryption for removable storage. It's typically protected with a passphrase (though you can use any of a number of things, including multi-factor auth with smartcards and the like as well) and utilizes very strong encryption. Aside from a few minutes to enable the encryption, and needing to enter the passwords when the drives are mounted, there's no extra cost. It's read-only on XP (since XP doesn't natively support Bitlocker) but otherwise, it's just about perfect for this situation.

      There's also Truecrypt and GPG or some other PGP/openpgp implementation. Not as user-friendly as BL2Go, perhaps, but no requirements of OS version. That's just staying within the bounds of free (gratis) software; there are of course more options if they want to spend some cash. Hell, even using encrypted ZIP files would be an improvement...

      --
      There's no place I could be, since I've found Serenity...
  7. Standard... by Bert64 · · Score: 4, Insightful

    The problem is that there is simply no standard for encrypted removable storage... It seems every vendor of "encrypted" flash drives ships their own proprietary, usually Windows-only binaries on the stick which may or may not work, and may or may not require various levels of privilege in order to install, and may or may not be full of all manner of security holes.
    Pity the poor consultant carrying a Windows laptop that contains all these various encryption drivers installed because he never knows what proprietary encryption scheme the next client will be using.

    USB storage is a good standard, you can plug such a device into almost anything and it will be mounted and read... What we need is a similar standard for encrypted storage where you can plug it into almost anything, enter a password and it mounts without having to install any non standard drivers.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Standard... by jimicus · · Score: 2

      Not really. Ideally you need a system which marries some degree of security with a mechanism to recover lost keys. Few organisations will accept "you lost the password to your encrypted drive? Then you're stuffed. Not even MI5/NSA/FBI/B&Q can help."

      Most commercial encryption products include one or more "user has forgotten their password" recovery mechanisms for exactly this reason.

  8. Re:What's the solution (for Linux)? by Bert64 · · Score: 5, Informative

    Remove the usb-storage module, or blacklist it so that it cannot load.

    Other classes of usb device have their own modules, which you can either leave alone or remove at your leisure if you want to use them (printers etc)...

    You could also just disable the automount service, then no removable media will get mounted and you would need root in order to access it manually.

    It's actually much easier than the various hoops people jump through to try and implement the same on Windows.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
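
Added example, not part of the thread: a shell check for the module blacklisting described in the comment above, run over a modprobe.d-style directory. It distinguishes a plain `blacklist` line from an `install` override; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a modprobe.d-style directory for
# a usb-storage block. Prints blocked / blacklist-only / not-blocked.
# modprobe treats '-' and '_' in module names alike, so both are matched.
install_re='^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(false|true)[[:space:]]*$'
blacklist_re='^[[:space:]]*blacklist[[:space:]]+usb[-_]storage[[:space:]]*$'

audit_usb_storage() {
    dir=$1
    # "install <module> <command>" makes modprobe run the command instead of
    # loading the module, so an explicit "modprobe usb-storage" does not
    # load it either.
    if grep -Eqs "$install_re" "$dir"/*.conf; then
        echo blocked
    # "blacklist" only stops alias-based autoloading when a device is plugged
    # in; root can still load the module by name.
    elif grep -Eqs "$blacklist_re" "$dir"/*.conf; then
        echo blacklist-only
    else
        echo not-blocked
    fi
}

# Constructed sample configurations; prints the temp directory holding them.
make_samples() {
    tmp=$(mktemp -d)
    mkdir "$tmp/weak" "$tmp/hard" "$tmp/none"
    printf 'blacklist usb-storage\n' > "$tmp/weak/usb.conf"
    printf 'blacklist usb-storage\ninstall usb_storage /bin/false\n' > "$tmp/hard/usb.conf"
    printf '# blacklist usb-storage\nblacklist pcspkr\n' > "$tmp/none/misc.conf"
    echo "$tmp"
}

samples=$(make_samples)
for name in weak hard none; do
    printf '%s: %s\n' "$name" "$(audit_usb_storage "$samples/$name")"
done
rm -rf "$samples"
```

On a live system, point the function at `/etc/modprobe.d`; a module that is already loaded stays loaded until it is removed or the machine reboots.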
  9. Very Common Problem by GumphMaster · · Score: 3, Insightful

    Back in the 90s my home in Canberra (Australia's capital and a government town) was burgled. The first, and I mean very first, thing the police asked on arrival was, "Is there any classified information involved?" I was standing there in my Air Force uniform, so I guess it was a reasonable question. Nothing I was working at the time could even remotely be considered safe to take home, encrypted or not, so the answer was a no-brainer. I guess I was dismayed that the event was common enough that the automatic response had kicked in though. Some things, it seems, don't change.

    --
    Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
  10. Re:What's the solution (for Linux)? by jimicus · · Score: 2

    There are hoops in earlier versions of Windows, but Server 2008 introduces a group policy object that makes it pretty easy:

    http://www.techrepublic.com/blog/datacenter/disable-removable-media-through-windows-server-2008s-group-policy-configuration/452

  11. You're not taking into account "government" price by Dr_Barnowl · · Score: 3, Interesting

    They really should have known better - the National Health Service has been lambasted on several occasions for similar data leaks and has thoroughly learned its lesson. We are not permitted to mount unencrypted USB volumes any more.

    But the encrypted drives we are required to use if we need to transfer data are purchased from a central contract - and cost us £64 ($103) for a 2GB flash unit. I'm not surprised if there is a certain reluctance amongst the police to purchase that kind of deal.

    When I first saw that price I assumed they were some kind of military grade unit with a hardware encryption controller. They are not, they're just partitioned, with a custom driver in the first, plaintext, partition. So they are taking units that were probably about £5 (at the time) and making a very substantial mark-up.

    Our standard advice on what to do with an encrypted drive after we're done with it is not to just wipe the key block, making the data into worthless noise, but to physically destroy it. I'm willing to bet that our friendly encrypted storage vendor thought that one up.

    As you quite rightly say, there are other options. I estimated that I could knock together a solution using TrueCrypt - including all the features that the current solution has, like key escrow - and sell them for about £15 a go. You can't even *buy* 2GB flash drives at my usual retailer any more, or even 4GB units, so they'd have to put up with having 4 times the capacity. But I'd still be making a good margin - those 8GB drives are now around £5 retail. And the TrueCrypt solution has the advantage of working on every platform, not just Windows.

  12. wrong? by HarryatRock · · Score: 2, Funny

    The correct spelling of "honour", "colour" etc. is clearly given in the ENGLISH dictionary. The words "honor" etc. are not English, but "American". Mr. Webster and his ilk have a lot to answer for, especially their failure to use "Z" in words such as enterprize.

    --
    nec sorte nec fato