How?
How can it be secure? It's not password protected and on CD!
Her Majesty's Customs and Revenue have demonstrated how important it is to keep track of all your important data. So, inspired by their example, we've put all our stories on this week's data debacle in one secure location. Enjoy... Civil service apologises for HMRC data loss Running queries on the HMRC database fiasco HMRC …
There seems to be a lot of commotion surrounding the loss of two DVDs full of information. I could see the problem if it was lost by a private company, they have to comply with rules laid down by the Information Commissioner. They have to say what info they are keeping, what they need it for, how long they will keep it, how they will keep the info updated and current.
But no, it was lost by a government department, and they laugh at such restrictions.
They have told us they need the information, and that they will keep it safe. What more convincing do us plebs really need?
If it was a private company, their key issues now would be trying to avoid a catastrophic breakdown in customer and shareholder trust. The people at the top would be doing their best to avoid being hung, drawn and quartered.
But no, it's the government. So the main issues are getting the PFY with no IT knowledge to complete the task given by the boss with no IT knowledge.
Result? Keep burning and sending discs until one gets through, problem solved.
One truly shocking quote that told me the person at the top should now be on income support/ in prison was:
"Edward Leigh, the Conservative chairman of the Commons public accounts committee, said the NAO had only asked for basic details about child benefit recipients, without information on personal bank accounts, but was told by "high level" officials that it would be "too burdensome" for HMRC officials to separate out this data." ***
Anyone who has done even the most basic SQL course will know how to structure a query to do just that within a couple of seconds. So the people at the top have no idea what they are doing. The people at the bottom carrying out these orders have no idea what they are doing.
At what point does this become safe?
Ah yes, it's the point where they have all the tax funding they need to buy a REALLY big supplies cupboard with LOTS of blank DVDs in it. Eventually, one copy of the information is going to get through, and that's all we plebs should worry our pretty little heads about.
Point to ponder:
How many dismembered heads do you think would line the streets if the information lost was how much MPs earn, how much tax they pay, where they live, children's names and any other information needed to have them picking up the pieces for years afterwards?
But that's never going to happen. Anyone who can turn a computer on best two out of three is looking after their information. The stone age neanderthals are performing that service for the rest of us.
*** - Quote taken from:
http://news.bbc.co.uk/1/hi/uk_politics/7106366.stm
P.S.
I chose the pirate icon as it's something I can relate to. They had no respect for the government either ;)
As "dismember" means "to remove the limbs from", I'd be very surprised to see a dismembered head anywhere.
If people seriously cared about freedom, most of the government - from the parasites in local government up to the hiveminded power-obsessed morons in the high levels - would have been dancing the bluetongue fandango from lampposts years ago, before the 'war on terror' even got into full swing. But they don't so they aren't.
I very much doubt that anyone will remember this come the general election either, unless, say, 1 in 5 or even 1 in 10 people have their bank balances cleared out within a month while the event is sufficiently fresh in people's minds that they associate their personal loss and inconvenience with the government cockup. Otherwise only those with an active interest in data management will care.
Read the selection of emails between HMRC and NAO on the beeb site. We really didn't need to worry about that data, it was password protected. And doubtless the password would have been impossible to crack (unless it was the name of the "junior official's" child, of course). The password would have been sent (as presumably it was on earlier data transfers) separately:
".. Please ring xxxx when you have safely received the two CDs ... so that he can pass on the passwords in an email"
(http://www.bbc.co.uk/blogs/nickrobinson/Informationrelatingtochildbenefitdata.pdf)
Though I did find one small outburst of charity for the NAO when I discovered that they were busy moving house at the time.
Still you can just imagine it.
"Hello Alastair, this is Jackie speaking, I'm Gordon's deputy whilst he's busy with the move. Could you send the passwords for those files to me on my personal email - the office ones are all out of action whilst we're moving. It's j.smith@notquitehotmail.com. Thanks."
Anyone like to bet it wouldn't work?
MGJ says:
"What this data loss has to do with ID cards?"
It's the notion that the ID card will be administered by a central database, linked to the [highly secure, natch] police national database. With all our data, including details of when we are abroad and the house is empty, which the government wants us to hand over, whilst reassuring us that all this data will be carefully protected by strictly observed and monitored government data protection procedures.
The government wants to put LOTS of personal data, including names, addresses, all security, medical and legal details onto this database.
How long before someone manages to get a job as a junior officer in the Civil Service department handling this data, and gets another junior official from elsewhere to send them the password in an email? The data is then burned to a CD, or sent over a nearby open wireless network to the criminals who got the man infiltrated into the data centre by the process of him being prepared to do the job. (Check how easy it is to get a job in a bank's call centre.)
The data is then auctioned off - though probably not via ebay.
I trust El Reg to keep these stories safe. In fact, I have sent my entire personal financial history, my logins and passwords, and my medical records to the Vultures today for safekeeping.
There was an interesting snippet in Newsnight's report last night - a disc of data arrived at a government office with an accompanying comps slip on which was written... yeah, you guessed it, the password.
Reading the papers' reportage and watching the television coverage, the truth seems to be that mid-level civil servants fucked-up, partly through ignorance and partly because the contractor - in this case EDS apparently - was going to charge through the nose for extracting an anonymised selection from the database. And an anonymised (comparatively) small selection of records was what the NAO actually asked for.
Of course, aforesaid mid-level civil servants are trying to pin the blame on some poor 23-year-old underpaid and over-worked drone. Disgraceful.
I wouldn't trust the government with my name: I wouldn't trust the civil service to use a pocket calculator. (Mind you, I trust Experian, EDS, banks, and their many private sector cohorts even less.)
Trust no-one. Tell them nothing. Overthrow the government at the ballot-box or the barricade. Aux armes, citoyens!
"Most worrying of all, is the [over]use of Comic Sans"
WHAT!!?? The "most worrying" feature of those emails is the sodding font they're in? If only they'd used Times New Roman it would all be OK? Which bloody planet are you from?
It's the Government's focus on style, spin and presentation over substance, content and control that's caused this cockup to spiral out of control in the first place. Are you angling for a job from Gordon or something?
I read this morning that a limited extract would have cost them £5000 to develop and that was based on 1 week's work from a developer.
Now as an honest db dev I will tender to work out how to do it in just one day* for the bargain cost of £2500 (special government discount).
(*see you at the dog and duck at 10-30am, I'll be buying).
Honestly, the poor government is trying really hard to be transparent here. We should help them out.
please fill in
First name
Last name
number of kids
bank account number
bank address
mother's maiden name
Pin number
Online bank access codes
Oh, and for the first 100 people I have £1000000000 left to me by this really nice barrister in Nigeria that has died and told me that he wanted this money to be given to the first 100 people that help the government in its transparency project!!
When Nationwide lost a laptop they were fined a cool million. Surely the government department which made this blunder should face repercussions. I would feel a lot better about government ministers if their pension was at risk if they f*cked things up on a scale as monumental as this.
I work for a financial organization and if I lost even one CD of unencrypted data it would be either my head and probably my boss's head as well unless I could prove I had followed the security policy, in which case it would be the head of the person who signed off the policy.
Unfortunately, the Nationwide wasn't fined a cool million - their investors were the ones who picked up the tab.
What a farce. And the lack of meaningful punishments in the latest data loss fiasco is being played out on the same day as a mother is going to prison for her child playing truant !?!?
Is "complete lack of common sense" a pre-requisite for being a public servant^H^H^H^H^H^H^H lawmaker these days?
Why are they even sending physical media?
They could have avoided the entire mess by following these 3 steps:
Compress : Zip or tar.gz
Encrypt : using OpenPGP or equivalent
SFTP to the destination... Email is NOT for file transfer.
Simple and cheap enough that even the startups I've worked for can afford it.
...and did so on the evening of the 21st. It called for the PM to offer everyone affected by this the right to get a new NI number - only that, I said, would restore some of the lost faith in the administration.
I don't see this on their open petitions page, rejected petitions or closed...perhaps my request was posted in the literal sense and they've 'lost' it. Perhaps I just need a black helicopter...
@ Anonymous Coward
"Why are they even sending physical media?
They could have avoided the entire mess by following these 3 steps:
Compress : Zip or tar.gz
Encrypt : using OpenPGP or equivalent
SFTP to the destination... Email is NOT for file transfer.
Simple and cheap enough that even the startups I've worked for can afford it."
Well the problem is that encrypted files cannot be readily scanned for viruses, so they don't get through the firewalls on the GSI. National Audit Office are of course not on the GSI anyway, and I doubt this could be considered 'RESTRICTED' in any case (GSI is only cleared up to that level).
Of course, if we had a proper distributed system with secure electronic identities for citizens and administrators, then there would be no need for a department like HMRC to hold most of this information; they could ask the national department of payments to pay x to citizen y, but because no government systems talk to each other, and there are no national registers of people, you have each department holding vast quantities of data they don't need.
Still, plenty still to follow on this story
Here's another two to add to the pile:
In 2002 HMRC (then the Inland Revenue) contacted me to ask me to fax to them copies of some of my tax records from previous years, including a P60 (my end-of-year tax certificate). The reason? They were sorry but they'd "lost my files".
In 2007 HMRC was contacted by me with regard to a P85 (migration notice) that I'd sent them. This was "never received", they told me. But they must have received it, I told them: "you have my correct new address on record and the only way you could have that is if you got the P85". "I hear you, but we don't tend to lose things," the operator maintained.
I have had exactly the same problem with the Revenue. About four years ago, I got a fine for two tax forms that hadn't been filled in and returned. I called them up straight away and asked words to the effect of "what is going on? I've had no forms". I went through the whole "we sent them so you must have had them" thing, after they said they'd send them again and cancel the fines (which they did rather quickly, almost like it happens all the time) I asked where they'd sent the first forms, they wouldn't tell me directly, so I listed all of the addresses I'd lived in, it turned out that they'd sent them to an address I lived at 7 years previously, but they managed to send the fines to the correct address. Funny that. The Revenue person couldn't explain how that had happened.