F**kwits

Has anybody seen this data?

If so, please return it in the envelope provided, as the owner would quite like it back.

Lisa, I think, was a little shocked this evening when I jumped off the sofa and started swearing at the TV news.

Dear readers outside of the UK, I must explain: the Government department responsible for taxation in the UK sent a dump of a database containing detailed personal and financial details of 25 million people (nearly half the UK population) on a couple of CDs in the mail, and it has gone missing!!

As an IT professional, this is wrong on so many levels it really defies belief. Why store personal information including address, national insurance details, date of birth etc. in the same database as people’s bank details? Why dump them to a CD and not use the government secure intranet, which has cost tens if not hundreds of millions to develop and operate? Why not encrypt the data?

The list just goes on and on.

The government say – don’t worry we don’t think the database has fallen into the wrong hands – well I don’t feel very reassured.

Now I’m just trying to convince Lisa to change her bank account, as she, along with every mother/carer in the country, has had her bank account’s security compromised by these idiots!!

UPDATE

Looks like the data has been found.. don’t you just love the British sense of humour ?

ebay

Written and submitted from home, using my home 802.11 network.

17 comments

  1. Laurence Penney

    First one bank goes down, now all the others will be in utter turmoil as the nation makes the sensible decision to switch banks. Brown and Darling will be begging the nation not to. Banks will offer new account numbers. But the unfulfilled wish to change banks is dangerously close to the surface in millions of us (a wish only unfulfilled because we can’t be arsed).

    One thing that depressed me was that Darling seemed reassured that no criminal activity had taken place so far. Bank account numbers don’t often change, nor do names or dates of birth. This is a data source whose value to criminals will last for decades, so an initial few days of inactivity is nothing to be cool about.

    Oh, and are politicians’ records part of this data, or are they in some other system – as I hear is to happen with the NHS ‘Spine’ (itself another dead duck now, along with ID cards, one hopes).

  2. Tony Battle

    I feel my identity and my wealth are being robbed as I type. This truly makes me feel sick inside. An absolute and utter disgrace of the utmost proportions. George Orwell will be laughing somewhere.

  3. Chris Brind

    Strong language there Ed… not what I expected in my RSS feed at this time of the morning. 🙂

    That BBC article doesn’t appear to mention that they use their own internal mail system called “grid” (I only scan read it), so it isn’t as though they popped it in a postbox or something… but of course, it is still an example of gross negligence losing information like that, not to mention raising the whole national identity card issue.

  4. Will King

    Likewise I swore at the tv. This has to put an end to any national ID card plans. This farce must be brought up anytime anybody mentions “central govt databases”. Even if the disk hadn’t been lost putting this data onto a cd is risky as some dodgy member of staff could run a couple of copies without anybody knowing…actually thinking about it this has probably happened already.

  5. Duncan Garratt

    It’s a pity Ed your TV didn’t have a web cam, the content I am sure would have been good entertainment.

    On a serious note it beggars belief but comes as no surprise. With the exception of the MOD, Military and SIS, security regarding personal information is not taken seriously in Government these days. The data protection act and the powers of the data commissioners are extremely limited and have been diluted on a number of occasions by secondary legislation. Most government departments instead of using the proper security classifications with all the proper procedures, instead simply rely on the data protection act that does not provide or enforce the appropriate security protection and the data protection commissioners who have no power to insist on a security audit for any organisation be it in the public or private sector. Equally BS7799 and ISO 27001 accreditation only ensure that a process is in place and nothing else!

    This data should have had the appropriate security classification!

    The official government security classifications are as follows

    Unclassified
    Restricted
    Confidential/Medical In Confidence
    Secret
    Top Secret
    Cosmic
    Atomic

    Please note there was a time when mail was classified as confidential, not anymore!

    In respect of an individual’s personal data in this context, the correct security classification is confidential. In respect of the entire data set the correct security classification is secret.

    Readers may be interested to know that anyone within national or local government can have access to your personal information without your knowledge on the authorisation of a civil servant of the rank of C3 or above. In practice this authorisation is rarely obtained or checked as in many cases there are blanket authorisations between government departments. In short one third of the UK working population could gain access to your personal data perfectly legally without your knowledge or authorisation.

    As for the transportation of documents, civil servants daily use private or the internal mail systems for transportation of documents both classified and unclassified, including those sent to Iron Mountain. This system is not secure and should not be used for documents or data with a classification of confidential or higher. The proper procedure for the transportation of this data is for the data to be personally escorted by two civil servants or two police officers.

    Had this data been properly classified all civil servants would be required to provide the proper security standards appropriate to the security classification, which is backed up by the official secrets act and the threat of prosecution should a security breach occur.

    This security breach shows how much of a shambles this government is in, people’s financial security and personal security has been put at risk and should this data fall into the wrong hands the impact could be extremely serious and long lasting.

    Ex British Military Intelligence

  6. Grant Herbert

    The BBC report claims the discs were password protected and sent by courier. While I have no particular faith in their password strength and have to wonder at the encryption method used (“password protected” zipped csv file probably), it appears at least some attempt was made to protect the data.

  7. Richard Fairhurst

    Love the eBay pic.

    Personally I’m waiting for the first e-mail from Lagos to start “FROM THE OFFICE OF MR ALISTAIR DARLING. REQUEST FOR URGENT CONFIDENTIAL BUSINESS RELATIONSHIP IN RESPECT OF THE TRANSFER OF TWO MILLION BANK ACCOUNTS”…

  8. Duncan Garratt

    Just think what a great postcode gazette this data would make. It would be far superior to the OS or PAF data. Name Addresses, Bank Details etc. Wow the mind boggles I could even publish it on a Google Map!

  9. Daniel

    The irony here for me, Ed, is in having the feeling toward a distinct probability, that the entire former Monty Python cast had jumped up just as you did while watching the tele — with similar verbiage, and with similar mannerisms.

    It’s in this feeling, and toward this probability, that I take comfort.

  10. Tony Battle

    “A gap’s opened up between what we’re told about data protection and the reality”

    BBC political editor Nick Robinson

  11. Bull_UK

    Another reason not to give your bank details to the government, personally I never do.

    Also if all this data is so easily available to all government departments why oh why do they so easily make mistakes and then expect you to pay them back if they do (how am I supposed to know if they have overpaid me or not), and why do I have to fill in one hundred page forms for every benefit department when they share data?

  12. Duncan Garratt

    This security breach raises serious questions about the proposed biometric ID card scheme and how safe is it? A bank account number, pin number, password or credit card number can all be changed but the minutiae of a fingerprint or iris if compromised cannot be changed. Therefore the individual’s proof of identity could be compromised for life!

    Equally a fingerprint scanner is not fool proof. Myth Busters showed how a fingerprint could be lifted from a glass or other object and transposed onto ballistic gel or similar that can then be read by a fingerprint scanner.

    Read all about it at
    http://kwc.org/mythbusters/2006/08/episode_59_crimes_and_mythdeme.html

    It would not surprise me when the biometric ID card scheme comes into operation that kits will be on sale via the Internet. Just think as well as skimming your credit card in a restaurant they will also be able to lift your fingerprints and therefore your biometric data from the wine glass! Ah but they say the data is encrypted yes it is, but any cryptanalyst will tell you repetition is very bad news! Are they then going to change the encryption key and salt value every time your new ID card is read? No I rest my case!

  13. Muki Haklay

    Maybe the person who did that was surfing the website ‘Free Our Data: Make taxpayers’ data available to them’ and decided to do something about it?!?

  14. Justin

    How many times have we asked the Ordnance Survey NOT to send £4,000,000 of OS MasterMap data on DVD/CDs by post? 😉 because they can’t seem to send it securely and electronically even if they advertise they can! Thank god for change only updates now (still on DVD though!)
