Lessons still not learned

Yet another data loss by a local council:

Personal data on more than 14,000 voters has gone missing from the offices of a council in Hertfordshire. The data was protected by two levels of security, the council said, but admitted there was a “slight risk” it could be accessed.

Well what does that mean? It turns out that ‘two levels’ of security is actually two passwords: One to access the computer, a second to access the software holding the details. When my old laptop turned up its toes last year, the data-retrievers very kindly set up my new one pdq – and simply scavenged the passwords from my old, dead machine. If you want, you can buy the software to do that online for around a tenner.*

So in other words, we’re talking about rather more than a ‘slight risk’. If the laptop has been stolen by someone with no interest in its contents, they probably won’t bother accessing the data. On the other hand, if that ‘someone’ realises that there is potential value in the contents, they probably will. That the data can be accessed is almost certain, the only question is whether the thief will bother to do so.

Once again we get this tedious assertion from the recalcitrant council:

the council takes its responsibility to look after their personal data very seriously

I’m trying not to froth at the mouth, but for heaven’s sake! They patently didn’t take it nearly seriously enough! Why keep trotting out this meaningless nonsense? Unencrypted data should never have been on a laptop in the first place. If a council is taking its responsibility ‘very seriously’, then they should be abiding by the Data Handling Guidelines, which have their first birthday next week. Which bit of the following excerpt is unintelligible?

Wherever possible councils should avoid the use of removable media including laptops, removable discs, CDs, USB memory sticks, PDAs and media card formats. Where it is unavoidable, encryption should be used and the information transferred should be the minimum necessary to achieve the business objective.

Presumably the council is also by now compliant with the Government Code of Connection. Amongst other things, councils should have a default position of not using laptops

Removable media
Removable media should be disabled unless there is a business case for its use.

What is the point in all of the time and public money spent on developing security standards when councils simply carry on downloading sensitive data to unencrypted devices?

*Update: ARCH’s webmaster has just helpfully pointed out that you may not even need a tenner


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: