Quacking Information Security

News in the tech press that the NHS has been visited by Qakbot – a worm with a keen appetite for peoples’ sensitive data. (Despite the name it wasn’t specifically designed to target the NHS).

The effects of malware on systems that gather our sensitive data haven’t really entered public consciousness, but there are potentially serious problems here, especially when so many practitioners are logging in to systems remotely.

Last year, Tim Loughton asked a string of government departments about the incidence of malware during the previous year. Most of the replies fell into one of two categories. The Home Office, Ministry of Justice and Department for Communities and Local Government played the Mornington Crescent card by insisting that national security would be threatened if they even looked at the question.

Others, including the Department for Health when asked about NHS hospitals, produced the standard brush-off: ‘The information requested is not held centrally and could be obtained only at disproportionate cost’.

The Department for Children, Schools and Families dealt with it like this:

how many and what proportion of computers in (a) local authority children’s services departments, (b) Children and Family Court Advisory Support Service and (c) schools were found to be infected with malware in 2008.

Information on the number or proportion of computers infected with malware is not collected centrally from either local authority children’s services or from schools. However many schools do employ a managed service for their ICT support and those organisations will normally maintain this information and report to schools.

It simply won’t do. If a government department is mandating the collection of peoples’ sensitive data – particularly when this is without any opportunity to consent or opt out – it ought to be taking responsibility for the security of that data a great deal more seriously.

Advertisement

Lessons still not learned

Yet another data loss by a local council:

Personal data on more than 14,000 voters has gone missing from the offices of a council in Hertfordshire. The data was protected by two levels of security, the council said, but admitted there was a “slight risk” it could be accessed.

Well what does that mean? It turns out that ‘two levels’ of security is actually two passwords: One to access the computer, a second to access the software holding the details. When my old laptop turned up its toes last year, the data-retrievers very kindly set up my new one pdq – and simply scavenged the passwords from my old, dead machine. If you want, you can buy the software to do that online for around a tenner.*

So in other words, we’re talking about rather more than a ‘slight risk’. If the laptop has been stolen by someone with no interest in its contents, they probably won’t bother accessing the data. On the other hand, if that ‘someone’ realises that there is potential value in the contents, they probably will. That the data can be accessed is almost certain, the only question is whether the thief will bother to do so.

Once again we get this tedious assertion from the recalcitrant council:

the council takes its responsibility to look after their personal data very seriously

I’m trying not to froth at the mouth, but for heaven’s sake! They patently didn’t take it nearly seriously enough! Why keep trotting out this meaningless nonsense? Unencrypted data should never have been on a laptop in the first place. If a council is taking its responsibility ‘very seriously’, then they should be abiding by the Data Handling Guidelines, which have their first birthday next week. Which bit of the following excerpt is unintelligible?

Wherever possible councils should avoid the use of removable media including laptops, removable discs, CDs, USB memory sticks, PDAs and media card formats. Where it is unavoidable, encryption should be used and the information transferred should be the minimum necessary to achieve the business objective.

Presumably the council is also by now compliant with the Government Code of Connection. Amongst other things, councils should have a default position of not using laptops

Removable media
Removable media should be disabled unless there is a business case for its use.

What is the point in all of the time and public money spent on developing security standards when councils simply carry on downloading sensitive data to unencrypted devices?

*Update: ARCH’s webmaster has just helpfully pointed out that you may not even need a tenner

Leeds 2, DP 0

For For the second time this week:

A laptop used by an educational psychologist dealing with some of Leeds’s most troubled children has gone missing.The computer was reported missing to police yesterday after being missing for a week.

Leeds claim that the data on the laptop wasn’t sensitive. So what on earth was the ed psych actually recording on it?

Another singalong

From the BBC:

The private details of thousands of children were found on a memory stick dropped by a council worker…it included the names, dates of birth, ethnicity and contact details for about 5,000 nursery-age children living in the Leeds area.

The council has apologised and started an investigation.

The stick, which was found in a second-hand car, also contained confidential information about child protection and whether or not the children’s parents claimed state benefits.

The data was, of course, unencrypted. Now, you all know the chorus:

A council spokeswoman said: “We take issues of information security very seriously”

There goes another one

This speaks for itself really:

Personal information regarding thousands of children is in criminal hands after a laptop theft. Surrey County Council (SCC) notified the 7,851 children, parents and carers, whose details were stolen, that there had been a “potential security breach” in a letter over the weekend.

Personal, unencrypted data was stored on the laptop swiped from a car belonging to one of the county council’s contractors, Trapeze Group UK Ltd, on November 12.

Unencrypted? Unencrypted? Oh good grief. You’d think they might have learned by now. And in case you’re wondering, Trapeze Group is responsible for arranging transport for children.

Lost for words

Apparently we have to allow the government to use our data as they see fit, and accept that it may end up in a pub car park.:

Gordon Brown has made a frank admission that government cannot promise the safety of personal data entrusted by the public.

The Prime Minister was speaking hours after it emerged that a memory stick containing the passwords to a government website used submit online tax returns had been lost.

“It is important to recognise we cannot promise that every single item of information will always be safe because mistakes are made by human beings. Mistakes are made in the transportation, if you like in the communication, of information.”

He makes it sound as if we didn’t know that already and were the ones begging to have our data harvested.

Perhaps the ‘consent’ forms that children and parents sign when an eCAF is carried out should contain an extra question:

Where would you prefer us to lose your personal information?
(a) on a train
(b) at a disco
(c) via the post/courier service
(d) in a car park
(e) other

PS. I guess it’s appropriate that the Minister responsible for the Government Gateway is the same one who left confidential correspondence from his red box on a train.

Database debacles

I doubt if anyone has missed the news that EDS has lost a portable hard drive containing:

the names, addresses, passport numbers, dates of birth and driving licence details of those serving in the army, navy and RAF. It also includes next-of-kin details, as well as information on 600,000 potential services applicants

As you might imagine, while attention has focussed on serving forces personnel, it’s the 600,000 potential recruits that particularly worry us. Presumably a fair number of those are still in their teens and won’t discover for a while yet whether this latest data debacle has made them sitting ducks for identity fraud.

For several years now, the US media has been reporting the increasing use by fraudsters of children’s identities. The Federal Trade Commission points out that they are ‘perfect targets’ because they have clean credit histories, and are unlikely to know what has happened until they open a bank account or apply for credit.

MPs have apparently demanded ‘a “cultural change” in public sector data handling’. Good luck with that – the rot goes deep. Only last week, a company called Databarracks published the results of a survey of schools that showed:

92% of education institutions say they back up their data, however, analysing this further, the survey shows that while 60% take the data offsite, 55% of them have this function performed by a member of staff who takes the data home.

No doubt Databarracks has its own agenda, but its findings do echo an earlier study that found almost half of schools taking unencrypted pupil data off school premises.

You only need to read UK Liberty’s pages on data loss to see the scale of sloppy public sector data-handling practices.

It would be nice to think that things would have improved by the time the national Contactpoint and eCAF databases make their entry on to the scene, but it’s not likely. Just substitute ‘Contactpoint’ or ‘eCAF’ for any of the systems mentioned on UK Liberty, and you’re looking into the future.

Incidentally, on the subject of Contactpoint, you may have missed a letter in the Telegraph from the CE of Barnardo’s objecting to conservative plans to scrap the system. He says:

I would ask Mr Gove to think long and hard about whether or not Barnardo’s, which works with more than 100,000 of the most disadvantaged and vulnerable children in Britain, would support ContactPoint if we thought it would, as Mr Gove suggests, increase the risk of children being abused.

What a relief. If Barnardo’s says it’s OK, that must be right. We can go back to sleep.

A week’s-worth of security breaches

An impressive hat-trick this week. On the bright side, it’s good to see that nobody has made any of those irritating claims about taking data security ‘very seriously’.

First off the blocks:

The discovery at a Cornish nightclub of a computer memory stick with details of troop movements on it is being probed by the Ministry of Defence (MoD).

And then two in quick succession:

Discs containing personal information on almost 18,000 NHS staff have gone missing from a north London hospital.

Followed by:

A police force has undertaken an urgent hunt for a computer memory stick after admitting it has been lost by an officer on duty. West Midlands Police would not confirm or deny reports that the data stick contained information on terrorism.

Two on the same day, eh? The pace is hotting up. UK Liberty is keeping a tally.

Update 7pm: We spoke too soon. It’s now four this week:

An NHS trust has apologised after a computer memory stick, containing the confidential files of 200 patients, was found in a street.

Tees, Esk and Wear Valleys Trust said the stick was found by a member of the public in Barnard Castle, Co Durham. It stored a summary of medical histories and patients’ national insurance numbers and addresses.

This is just ridiculous.

DCSF systems under attack

Not exactly reassuring news about Contactpoint et al:

Government efforts to improve interactions with the public through the use of Web 2.0 technologies are being stymied by security fears…

A high-level source working with the Swiss government IT department confirmed that attacks against government web sites were reaching epidemic proportions. Speaking on the condition on anonymity, he told IT Week that his department was frequently under attack from groups looking to steal personal information.

He added that he had spoken to counterparts at the DCSF, who had confirmed they were experiencing “similar” levels of attacks.

The learning flatline

You might think that DWP staff would have been chastened by the child benefit Chernobyl into some basic grasp of data security, but apparently not:

The government has been sending out highly sensitive data in packages with the passwords necessary to access it, it has been revealed today.

And in a predictable mismatch of words and actions, a DWP spokeswoman said:

“We take the security of individuals’ data extremely seriously”

If you’re wondering where you heard that before, it was last uttered a month ago by the LGA.

You have to laugh

I think this is called having your cake and eating it. Engaged in the nerdy pursuit of trawling the last few days of parliamentary questions, I found the following written answer from Ministry of Justice Minister David Hanson to a question about young people serving indeterminate prison sentences – not something the government enjoys talking about:

These figures have been drawn from administrative IT systems which, as with any large scale recording system, are subject to possible errors with data entry and processing so numbers have been rounded to the nearest 10.

And here we were thinking that Contactpoint and eCAF would be infallible. In similar vein, the BBC reports that in the last 3 years:

More than 600 staff at HM Revenue and Customs (HMRC) have been disciplined for accessing personal or sensitive data, it has been revealed

Treasury Minister Jane Kennedy is keen to stress

However, this represents less than 1 per cent. of total staff for each of the three years in question

Let’s see, if Contactpoint and eCAF have 330,000 users and just 0.5% misuse their access, I make that 1,650 people. Despite ministerial assurances that employees are always caught (and how do they know about the ones who weren’t?) it’s clear from the HMRC figures that the risk hasn’t acted as a deterrent over the past few years.

The goldfish bowl

The latest news on data breaches:

Government departments and private companies have reported an “alarming” number of new data breaches in the wake of the recent HM Revenue and Customs fiasco.

Details of nearly 100 cases of data breaches, two thirds committed by government departments or other public sector bodies, have been passed to the authorities, the Information Commissioner, Richard Thomas, said.

He warned organisations to step up security as he released details of the wave of new breaches, including unencrypted information lost on laptops, computer discs, paper records and memory sticks lost, stolen or missing in the post.

Undaunted, the government bulldozers ahead towards its goal of a single record system. I’ve just been re-reading the government’s ‘Harnessing Technology’ (pdf) today. Ostensibly it’s about using ICT in education, but as the role of schools expands into welfare, inevitably education and social care records start to merge.

It’s an extension of the approach piloted in Connexions, where personal problems are seen as ‘barriers to learning’ that must be dealt with. Thus the government wants to:

Ensure integrated online personal support for children and learners…

Support children’s and learners’ transition and progression by developing and implementing a common approach to personal records across education and children’s services, including public and private organisations and industry.

It hardly needs saying that the scale of data breaches can only increase with the amount of data collected. How strange to think that the government was once so wary about the collection of children’s personal data that they introduced the School Census one small step at a time. Less than ten years later, it’s hard to think of any personal data that isn’t fair game for the ‘joined-up’ treatment.

You can trust us…

The BBC has been doing some digging:

Personal data about members of the public has been lost or wrongly revealed by 13 London councils in the last year, a BBC survey has found… In one instance, sensitive information about children in care was stolen when a youth worker took files into a bar.

This response is frankly irritating:

Tim Allen of the Local Government Association emphasised that data security was very important to local government

It’s demonstrably not important enough. There seems to be a second story here, too:

Some 23 councils replied to the freedom of information request

But there are 33 councils in London, all of them public authorities bound by the Freedom of Information Act. What happened to the other 10?

Still here…

…Though our prolonged silence might have made you think otherwise. It’s been one of those intensely busy periods with no spare blogging time at all.

I did notice recently that an opinion poll carried out for the Information Commissioner’s Office found:

three-quarters of us were more worried than ever over access to personal data. And 70% said they felt powerless over how organisations kept an eye on data.

The survey comes after the government lost computer discs containing the entire child benefit database.

From the look of the other news around, people’s worries are entirely justified. There was this:

Documents containing payroll information relating to 182 NHS staff members have been have been found dumped in a street…The documents had been in the care of company Capita when they were lost.

They contained information, including addresses, bank account and National Insurance details, from five trusts in Leicestershire and Northamptonshire.

And this from the Liverpool Daily Post:

an investigation by the Daily Post, using the Freedom of Information Act, has revealed the loss of 230 records by health staff in the region.

More than half of the trusts which replied to a request for information confirmed they had lost data. It is also revealed that the largest data loss – 100 records held on a “memory stick” by Liverpool Primary Care Trust, was not reported to the patients involved.

Even the prison service is doing its bit:

Prison Service and IT staff are trying to correct errors in the networked Local Inmate Database System [Lids] – which holds records on more than 80,000 prisoners – after the Service’s IT supplier EDS discovered that thousands of records contained incorrect information or data was incomplete or missing.

Yet more symptoms of what the Joint Committee on Human Rights describes as:

“The Government’s failure to take safeguards sufficiently seriously”

and

“insufficient respect in the public sector for the right to respect for personal data.”

It was the elves…

Someone has to be telling porkies here:

A patients’ group said it is astonished that three inquiries into how medical records came to be strewn on a road failed to find anyone responsible.

The records belonged to patients from London’s Whipps Cross University Hospital and St Bartholomew’s Hospital, and London Ambulance Services (LAS). The papers were found in Northaw, near Potters Bar, Hertfordshire, in January.

Probes by the hospitals trust, LAS and by Bywaters waste management company found their procedures were “robust”.