UK Police Fined For Using Unencrypted Memory Sticks

An anonymous reader writes "The Information Commissioner's Office has filed a suit for £120,000 against the Greater Manchester Police because officers regularly used memory sticks without passwords to copy data from police computers and work on it away from the department. In July 2011, thousands of peoples' information was stolen from a officer's home on an unencrypted memory stick. A similar event happened at the same department in September 2010. 'This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine,' said ICO deputy commissioner David Smith."

Why are they even using USB flash drives?

[TWX]

Shouldn't they build or buy a system that allows employees to remote in? I work for a school system, and the school resource officers (which are city police officers) just VPN into their network from ours, so that they don't have to physically transport anything. Many of them even use computers provided by us instead of their highly-ruggedized but massively obsolete laptops...

Re:Why are they even using USB flash drives?

[Froggels]

"School resource officers (which are police officers)"

How orwellian can you get?

*facepalm*

[girlintraining]

Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget... sooo, wouldn't that mean the taxpayers will wind up paying for this? Some of them, twice even -- once for the loss of data, and again when they have to pay for it with their next tax return (admitedly, mere fractions of a pence, but it's the principle of the thing). That seems like a terribly effective method of teaching those officers not to leave sensitive data around! Far more effective, I think, then suspending one without pay or additional training how how to properly handle sensitive information.

Re:*facepalm*

[1u3hr]

Yes, a fine against the police department will certainly show them! Oh wait.. isn't it the taxpayers who pay for their budget

It'll come out of their budget. And in a bureaucracy, that's your status. It will certainly make the police take data security seriously, which is the point of the fine, not to collect money for the Exchequer to refund to taxpayers.

Standard...

[Bert64]

The problem is that there is simply no standard for encrypted removable storage... It seems every vendor of "encrypted" flash drives ships their own proprietary, usually windows-only binaries on the stick which may or may not work, and may or may not require various levels of privilege in order to install, and may or may not be full of all manner of security holes.
Pity the poor consultant carrying a windows laptop that contains all these various encryption drivers installed because he never knows what proprietary encryption scheme the next client will be using.

USB storage is a good standard, you can plug such a device into almost anything and it will be mounted and read... What we need is a similar standard for encrypted storage where you can plug it into almost anything, enter a password and it mounts without having to install any non standard drivers.

Re:What's the solution (for Linux)?

[Bert64]

Remove the usb-storage module, or blacklist it so that it cannot load.

Other classes of usb device have their own modules, which you can either leave alone or remove at your leisure if you want to use them (printers etc)...

You could also just disable the automount service, then no removable media will get mounted and you would need root in order to access it manually.

It's actually much easier than the various hoops people jump through to try and implement the same on windows.