Equally a fingerprint scanner is not fool proof. Myth Busters showed how a fingerprint could be lifted from a glass or other object and transposed onto ballistic gel or similar that can then be read by a fingerprint scanner.

Read all about it at
http://kwc.org/mythbusters/2006/08/episode_59_crimes_and_mythdeme.html

It would not surprise me when the biometric ID card scheme comes into operation that kits will be on sale via the Internet. Just think as well as skimming your credit card in a restaurant they will also be able to lift your fingerprints and therefore your biometric data from the wine glass! Ah but they say the data is encrypted yes it is, but any cryptanalyst will tell you repetition is very bad news! Are they then going to change the encryption key and salt value every time your new ID card is read? No I rest my case!

Also if all this data is so easily available to all government departments why oh why do they so easily make mistakes and then expet you to pay them back if they do (how am I supposed to know if they have overpaid me or not), and why do I have to fill in one hundred page forms for every benefit department when they share data?

BBC political editor Nick Robinson

It’s in this feeling, and toward this probability, that I take comfort.

Personally I’m waiting for the first e-mail from Lagos to start “FROM THE OFFICE OF MR ALISTAIR DARLING. REQUEST FOR URGENT CONFIDENTIAL BUSINESS RELATIONSHIP IN RESPECT OF THE TRANSFER OF TWO MILLION BANK ACCOUNTS”…

Readers may wish to look at the Information Security Groups website who are part of the University of London. http://www.isg.rhul.ac.uk/

On a serious note it beggars belief but comes as no surprise. With the exception of the MOD, Military and SIS, security regarding personal information is not taken seriously in Government these days. The data protection act and the powers of the data commissioners are extremely limited and have been diluted on a number of occasions by secondary legislation. Most government departments instead of using the proper security classifications with all the proper procedures, instead simply rely on the data protection act that does not provide or enforce the appropriate security protection and the data protection commissioners who have no power to insist on a security audit for any organisation be it in the public or private sector. Equally BS7799 and ISO 27001 accreditation only ensure that a process is in place and nothing else!

This data should have had the appropriate security classification!

The official government security classifications are as follows

Unclassified
Restricted
Confidential/Medical In Confidence
Secret
Top Secret
Cosmic
Atomic

Please note there was a time when mail was classified as confidential, not anymore!

In respect of an individual’s personal data in this context, the correct security classification is confidential. In respect of the entire data set the correct security classification is secret.

Readers may be interested to know that anyone within national or local government can have access to your personal information without your knowledge on the authorisation of a civil servant of the rank of C3 or above. In practice this authorisation is rarely obtained or checked as in many cases there are blanket authorisations between government departments. In short one third of the UK working population could gain access to your personal data perfectly legally without your knowledge or authorisation.

As for the transportation of documents, civil servants daily use private or the internal mail systems for transportation of documents both classified and unclassified, including those sent to Iron Mountain. This system is not secure and should not be used for documents or data with a classification of confidential or higher. The proper procedure for the transportation of this data is for the data to be personally escorted by two civil servants or two police officers.

Had this data been properly classified all civil servants would be required to provide the proper security standards appropriate to the security classification, which is backed up by the official secrets act and the threat of prosecution should a security breach occur.

This security breach shows how much of a shambles this government is in, people’s financial security and personal security has been put at risk and should this data fall into the wrong hands the impact could be extremely serious and long lasting.

Ex British Military Intelligence

That BBC article doesn’t appear to mention that they use their own internal mail system called “grid” (I only scan read it), so it isn’t as though they popped it in a postbox or something… but of course, it is still an example of gross negligence losing information like that, not to mention raising the whole national identity card issue.

One thing that depressed me was that Darling seemed reassured that no criminal activity had taken place so far. Bank account numbers don’t often change, nor do names or dates of birth. This is a data source whose value to criminals will last for decades, so an initial few days of inactivity is nothing to be cool about.

Oh, and are politicians’ records part of this data, or are they in some other system – as I hear is to happen with the NHS ‘Spine’ (itself another dead duck now, along with ID cards, one hopes).