Yet another data loss by a local council:
Personal data on more than 14,000 voters has gone missing from the offices of a council in Hertfordshire. The data was protected by two levels of security, the council said, but admitted there was a “slight risk” it could be accessed.
Well, what does that mean? It turns out that ‘two levels’ of security actually means two passwords: one to access the computer, a second to access the software holding the details. When my old laptop turned up its toes last year, the data-retrievers very kindly set up my new one pdq – and simply scavenged the passwords from my old, dead machine. If you want, you can buy the software to do that online for around a tenner.*
So in other words, we’re talking about rather more than a ‘slight risk’. If the laptop has been stolen by someone with no interest in its contents, they probably won’t bother accessing the data. On the other hand, if that ‘someone’ realises that there is potential value in the contents, they probably will. That the data can be accessed is almost certain; the only question is whether the thief will bother to do so.
Once again we get this tedious assertion from the recalcitrant council:
the council takes its responsibility to look after their personal data very seriously
I’m trying not to froth at the mouth, but for heaven’s sake! They patently didn’t take it nearly seriously enough! Why keep trotting out this meaningless nonsense? Unencrypted data should never have been on a laptop in the first place. If a council is taking its responsibility ‘very seriously’, then they should be abiding by the Data Handling Guidelines, which have their first birthday next week. Which bit of the following excerpt is unintelligible?
Wherever possible councils should avoid the use of removable media including laptops, removable discs, CDs, USB memory sticks, PDAs and media card formats. Where it is unavoidable, encryption should be used and the information transferred should be the minimum necessary to achieve the business objective.
Removable media should be disabled unless there is a business case for its use.
What is the point in all of the time and public money spent on developing security standards when councils simply carry on downloading sensitive data to unencrypted devices?
*Update: ARCH’s webmaster has just helpfully pointed out that you may not even need a tenner.