F**kwits

Has anybody seen this data?

If so, please return it in the envelope provided, as the owner would quite like it back.

Lisa, I think, was a little shocked this evening when I jumped off the sofa and started swearing at the TV news.

Dear readers outside of the UK, I must explain.. the Government department responsible for taxation in the UK sent a dump of a database containing detailed personal and financial details of 25 million people (nearly half the UK population) on a couple of CDs in the mail and it has gone missing!!

As an IT professional this is wrong on so many levels it really defies belief: why store personal information including address, national insurance details, date of birth etc. in the same database as people’s bank details? Why dump them to a CD and not use the government secure intranet, which has cost tens if not hundreds of millions to develop and operate? Why not encrypt the data?

The list just goes on and on.

The government say – don’t worry we don’t think the database has fallen into the wrong hands – well I don’t feel very reassured.

Now I’m just trying to convince Lisa to change her bank account, as she, along with every mother/carer in the country, has had their bank account’s security compromised by these idiots!!

UPDATE

Looks like the data has been found.. don’t you just love the British sense of humour ?

[Image: eBay]

Written and submitted from home, using my home 802.11 network.

17 replies on “F**kwits”

First one bank goes down, now all the others will be in utter turmoil as the nation makes the sensible decision to switch banks. Brown and Darling will be begging the nation not to. Banks will offer new account numbers. But the unfulfilled wish to change banks is dangerously close to the surface in millions of us (a wish only unfulfilled because we can’t be arsed).

One thing that depressed me was that Darling seemed reassured that no criminal activity had taken place so far. Bank account numbers don’t often change, nor do names or dates of birth. This is a data source whose value to criminals will last for decades, so an initial few days of inactivity is nothing to be cool about.

Oh, and are politicians’ records part of this data, or are they in some other system – as I hear is to happen with the NHS ‘Spine’ (itself another dead duck now, along with ID cards, one hopes).

I feel my identity and my wealth are being robbed as I type. This truly makes me feel sick inside. An absolute and utter disgrace of the utmost proportions. George Orwell will be laughing somewhere.

Strong language there Ed… not what I expected in my RSS feed at this time of the morning. 🙂

That BBC article doesn’t appear to mention that they use their own internal mail system called “grid” (I only scan read it), so it isn’t as though they popped it in a postbox or something… but of course, it is still an example of gross negligence losing information like that, not to mention raising the whole national identity card issue.

Likewise I swore at the TV. This has to put an end to any national ID card plans. This farce must be brought up anytime anybody mentions “central govt databases”. Even if the disk hadn’t been lost, putting this data onto a CD is risky as some dodgy member of staff could run a couple of copies without anybody knowing… actually, thinking about it, this has probably happened already.

It’s a pity Ed your TV didn’t have a web cam, the content I am sure would have been good entertainment.

On a serious note it beggars belief but comes as no surprise. With the exception of the MOD, Military and SIS, security regarding personal information is not taken seriously in Government these days. The data protection act and the powers of the data commissioners are extremely limited and have been diluted on a number of occasions by secondary legislation. Most government departments instead of using the proper security classifications with all the proper procedures, instead simply rely on the data protection act that does not provide or enforce the appropriate security protection and the data protection commissioners who have no power to insist on a security audit for any organisation be it in the public or private sector. Equally BS7799 and ISO 27001 accreditation only ensure that a process is in place and nothing else!

This data should have had the appropriate security classification!

The official government security classifications are as follows

Unclassified
Restricted
Confidential/Medical In Confidence
Secret
Top Secret
Cosmic
Atomic

Please note there was a time when mail was classified as confidential, not anymore!

In respect of an individual’s personal data in this context, the correct security classification is confidential. In respect of the entire data set the correct security classification is secret.

Readers may be interested to know that anyone within national or local government can have access to your personal information without your knowledge on the authorisation of a civil servant of the rank of C3 or above. In practice this authorisation is rarely obtained or checked as in many cases there are blanket authorisations between government departments. In short one third of the UK working population could gain access to your personal data perfectly legally without your knowledge or authorisation.

As for the transportation of documents, civil servants daily use private or the internal mail systems for transportation of documents both classified and unclassified, including those sent to Iron Mountain. This system is not secure and should not be used for documents or data with a classification of confidential or higher. The proper procedure for the transportation of this data is for the data to be personally escorted by two civil servants or two police officers.

Had this data been properly classified all civil servants would be required to provide the proper security standards appropriate to the security classification, which is backed up by the official secrets act and the threat of prosecution should a security breach occur.

This security breach shows how much of a shambles this government is in, people’s financial security and personal security has been put at risk and should this data fall into the wrong hands the impact could be extremely serious and long lasting.

Ex British Military Intelligence

The BBC report claims the discs were password protected and sent by courier. While I have no particular faith in their password strength and have to wonder at the encryption method used (“password protected” zipped csv file probably), it appears at least some attempt was made to protect the data.

Love the eBay pic.

Personally I’m waiting for the first e-mail from Lagos to start “FROM THE OFFICE OF MR ALISTAIR DARLING. REQUEST FOR URGENT CONFIDENTIAL BUSINESS RELATIONSHIP IN RESPECT OF THE TRANSFER OF TWO MILLION BANK ACCOUNTS”…

Just think what a great postcode gazette this data would make. It would be far superior to the OS or PAF data. Names, addresses, bank details etc. Wow, the mind boggles. I could even publish it on a Google Map!
