Taking data security seriously again

April 6, 2010

It would have been easy to miss this piece of bad news buried in the tin-foil of a few million Easter eggs:

Memory sticks and CDs containing the personal details of 9,000 school children have been stolen from a house in north London…The computer equipment was encrypted – in line with council policies to avoid access to confidential information – but this was not the case with the CDs or memory sticks.

Apparently the member of staff responsible has been suspended and, according to Techwatch:

Barnet council has taken action to tighten up its security, by disabling USB ports and any access to external storage devices so such unauthorised file copying won’t be able to happen in the future.

The council has also ordered that all computers leaving the office will have to have their data encrypted from now on, and it’s launching an independent review into the whole issue of how its data is managed.

Perhaps Barnet hasn’t read the Data Handling Guidelines, created especially for them and all other councils 18 months ago. Had they done so, they perhaps might have considered reviewing their practices rather earlier and following the example of councils that have made it impossible to copy data on to removable media without prior consent.

In the course of their review, they may also like to bear in mind the words of Ian Brown in our report on children’s consent:

‘It is critical that systems are designed in a way that as far possible prevents security breaches, such as preventing sensitive data being copied onto unencrypted laptops, USB disks and other mobile media; and limiting very strongly the amount of sensitive data that can be copied around a system – eg it might be reasonable for a social worker to take home the records of 10 individuals on an encrypted laptop. It is a disaster waiting to happen for a director of children’s services to take home information on hundreds or thousands of individuals, regardless of laptop encryption or any information security training they have received.’

Nobody should be able to take the details of 9,000 children home with them in the first place.

Advertisements

Lessons still not learned

November 17, 2009

Yet another data loss by a local council:

Personal data on more than 14,000 voters has gone missing from the offices of a council in Hertfordshire. The data was protected by two levels of security, the council said, but admitted there was a “slight risk” it could be accessed.

Well what does that mean? It turns out that ‘two levels’ of security is actually two passwords: One to access the computer, a second to access the software holding the details. When my old laptop turned up its toes last year, the data-retrievers very kindly set up my new one pdq – and simply scavenged the passwords from my old, dead machine. If you want, you can buy the software to do that online for around a tenner.*

So in other words, we’re talking about rather more than a ‘slight risk’. If the laptop has been stolen by someone with no interest in its contents, they probably won’t bother accessing the data. On the other hand, if that ‘someone’ realises that there is potential value in the contents, they probably will. That the data can be accessed is almost certain, the only question is whether the thief will bother to do so.

Once again we get this tedious assertion from the recalcitrant council:

the council takes its responsibility to look after their personal data very seriously

I’m trying not to froth at the mouth, but for heaven’s sake! They patently didn’t take it nearly seriously enough! Why keep trotting out this meaningless nonsense? Unencrypted data should never have been on a laptop in the first place. If a council is taking its responsibility ‘very seriously’, then they should be abiding by the Data Handling Guidelines, which have their first birthday next week. Which bit of the following excerpt is unintelligible?

Wherever possible councils should avoid the use of removable media including laptops, removable discs, CDs, USB memory sticks, PDAs and media card formats. Where it is unavoidable, encryption should be used and the information transferred should be the minimum necessary to achieve the business objective.

Presumably the council is also by now compliant with the Government Code of Connection. Amongst other things, councils should have a default position of not using laptops

Removable media
Removable media should be disabled unless there is a business case for its use.

What is the point in all of the time and public money spent on developing security standards when councils simply carry on downloading sensitive data to unencrypted devices?

*Update: ARCH’s webmaster has just helpfully pointed out that you may not even need a tenner


Leeds 2, DP 0

December 11, 2008

For For the second time this week:

A laptop used by an educational psychologist dealing with some of Leeds’s most troubled children has gone missing.The computer was reported missing to police yesterday after being missing for a week.

Leeds claim that the data on the laptop wasn’t sensitive. So what on earth was the ed psych actually recording on it?


Another singalong

December 8, 2008

From the BBC:

The private details of thousands of children were found on a memory stick dropped by a council worker…it included the names, dates of birth, ethnicity and contact details for about 5,000 nursery-age children living in the Leeds area.

The council has apologised and started an investigation.

The stick, which was found in a second-hand car, also contained confidential information about child protection and whether or not the children’s parents claimed state benefits.

The data was, of course, unencrypted. Now, you all know the chorus:

A council spokeswoman said: “We take issues of information security very seriously”


There goes another one

December 3, 2008

This speaks for itself really:

Personal information regarding thousands of children is in criminal hands after a laptop theft. Surrey County Council (SCC) notified the 7,851 children, parents and carers, whose details were stolen, that there had been a “potential security breach” in a letter over the weekend.

Personal, unencrypted data was stored on the laptop swiped from a car belonging to one of the county council’s contractors, Trapeze Group UK Ltd, on November 12.

Unencrypted? Unencrypted? Oh good grief. You’d think they might have learned by now. And in case you’re wondering, Trapeze Group is responsible for arranging transport for children.


Lost for words

November 2, 2008

Apparently we have to allow the government to use our data as they see fit, and accept that it may end up in a pub car park.:

Gordon Brown has made a frank admission that government cannot promise the safety of personal data entrusted by the public.

The Prime Minister was speaking hours after it emerged that a memory stick containing the passwords to a government website used submit online tax returns had been lost.

“It is important to recognise we cannot promise that every single item of information will always be safe because mistakes are made by human beings. Mistakes are made in the transportation, if you like in the communication, of information.”

He makes it sound as if we didn’t know that already and were the ones begging to have our data harvested.

Perhaps the ‘consent’ forms that children and parents sign when an eCAF is carried out should contain an extra question:

Where would you prefer us to lose your personal information?
(a) on a train
(b) at a disco
(c) via the post/courier service
(d) in a car park
(e) other

PS. I guess it’s appropriate that the Minister responsible for the Government Gateway is the same one who left confidential correspondence from his red box on a train.


Database debacles

October 11, 2008

I doubt if anyone has missed the news that EDS has lost a portable hard drive containing:

the names, addresses, passport numbers, dates of birth and driving licence details of those serving in the army, navy and RAF. It also includes next-of-kin details, as well as information on 600,000 potential services applicants

As you might imagine, while attention has focussed on serving forces personnel, it’s the 600,000 potential recruits that particularly worry us. Presumably a fair number of those are still in their teens and won’t discover for a while yet whether this latest data debacle has made them sitting ducks for identity fraud.

For several years now, the US media has been reporting the increasing use by fraudsters of children’s identities. The Federal Trade Commission points out that they are ‘perfect targets’ because they have clean credit histories, and are unlikely to know what has happened until they open a bank account or apply for credit.

MPs have apparently demanded ‘a “cultural change” in public sector data handling’. Good luck with that – the rot goes deep. Only last week, a company called Databarracks published the results of a survey of schools that showed:

92% of education institutions say they back up their data, however, analysing this further, the survey shows that while 60% take the data offsite, 55% of them have this function performed by a member of staff who takes the data home.

No doubt Databarracks has its own agenda, but its findings do echo an earlier study that found almost half of schools taking unencrypted pupil data off school premises.

You only need to read UK Liberty’s pages on data loss to see the scale of sloppy public sector data-handling practices.

It would be nice to think that things would have improved by the time the national Contactpoint and eCAF databases make their entry on to the scene, but it’s not likely. Just substitute ‘Contactpoint’ or ‘eCAF’ for any of the systems mentioned on UK Liberty, and you’re looking into the future.

Incidentally, on the subject of Contactpoint, you may have missed a letter in the Telegraph from the CE of Barnardo’s objecting to conservative plans to scrap the system. He says:

I would ask Mr Gove to think long and hard about whether or not Barnardo’s, which works with more than 100,000 of the most disadvantaged and vulnerable children in Britain, would support ContactPoint if we thought it would, as Mr Gove suggests, increase the risk of children being abused.

What a relief. If Barnardo’s says it’s OK, that must be right. We can go back to sleep.