back to article Civil servants still sticking unencrypted data in the post

Today's story of a cretinous government data giveaway is brought to you by... the Ministry of Justice. On the scale of government ineptitude this hardly ranks alongside the loss of 25 million child benefit details last year, nor the loss of a laptop containing unencrypted details of members of the armed forces - but it is …

COMMENTS

This topic is closed for new posts.
  1. Alan Lukaszewicz
    Stop

    Beg to differ

    It is not really a case of government ineptitude.

    A government minister cannot give instructions to low ranking employees.

    It is an example of public service (disservice) ineptitude and, at least to me, shows strong indicators of poor management within those organizations.

  2. Anonymous Coward
    Anonymous Coward

    @Alan Lukaszewicz

    It's called an organisation. The person at the top assigns high level responsibilities to competent people. These people do the same. Work is split into manageable chunks and fed down the chain of responsibility. When the person at the bottom does something stupid the person at the top is responsible. This doesn't matter (ignoring immediate fall-out). When the person at the bottom does the same thing or a similar thing again, the person at the top is responsible again. This time it does matter.

  3. Anonymous Coward
    Pirate

    You do realise...

    ... that this is the great UK Govt. just rubbing shit in our faces, don't you?

    This is blatant disregard for the will of the citizen's of the United Kingdom. They want you to have a national identity card, and they're going to make it so that you can't exist without one by publishing every single person's identity into to world except biometric data.

    It's not f*cking rocket science. Stop watching your high definition TV and drinking your instant coffee and eating your pre-cooked meals. Get a f*cking backbone and TELL THEM THAT THIS SHIT JUST DOES NOT FLY.

  4. Anonymous Coward
    Unhappy

    Courts?

    At least one Court in the UK has (allegedly) disposed of its non-attendees lists as these are rumoured to form part of key performance indicator assessments.

    Big list?

    Don't worry, send it in the post or shred it.

    Result?

    An instantaneous upgrade in kpi values.

    Consequence?

    A dodgy court management structure is immediately praised as an effective one.

  5. Ross

    Oh. My. God

    I'm sorry, if Andrew Orlowski personally sent the RIAA attack dogs round my mothers house and she was dragged through the streets for having copie done of her Johnny Cash CDs to tape I would still read the Reg. But you just linked to the Daily Fail.

    I have to draw the line somewhere...

  6. Miguel

    (untitled)

    So, these public services and organisations are poorly managed? These <em>government</em> organisations? I suppose you could say that that is government ineptitude?

    Granted, it isn't specific to government ministers but it is specific to government organisations.

    If things are going to change then it is the government (the organisations related minister) who should be putting through the required changes.

    Might not be as direct as you would like, Alan Lukaszewicz, but it is most definitely government ineptitude.

  7. Anonymous Coward
    Happy

    Sometime ago .......

    As this was in December and the stolen laptop was in January it does seem like some departments are very slow in owning up. At least, unlike the HMRC debacle, the CD's were recorded delivery and not just popped into the post box.

  8. bluesxman
    Flame

    morons

    ... but that aside (and pretty much off topic) recorded delivery is a waste of frickin' time, since it carries no more guarantee of arrival than a 2nd class stamp. If you post something recorded that is even *slightly* more interesting looking than a simple letter it's a red flag to to some skanking chav in the sorting office that this item might have some importance/value. Straight away the "yoink" factor goes through the roof. Not that Special Delivery is any less of a red flag, but at least Royal Mail are financially liable for losses thus they more likely to better secure the items ... one would hope.[/rant]

  9. Cameron Colley

    RE: You do realise...

    <quote>It's not f*cking rocket science. Stop watching your high definition TV and drinking your instant coffee and eating your pre-cooked meals. Get a f*cking backbone and TELL THEM THAT THIS SHIT JUST DOES NOT FLY.</qoute>

    How would the "Anonymous Coward" propose we do this? By posting anonymous comments on El Reg articles telling others to do something? ;~)

    Personally, I'd love to do something, but it's a little difficult in a country where just heckling a politician, having encrypted data on your hard drive, linking to anti-government websites or owning a copy of nmap can have you married to the man with the most cigarettes for years while you await trial.

  10. Robert Grant

    @Anonymous Coward

    Of course that's not actually the case, as the minister does not create the organisation; (s)he merely inherits it. However the principle behind your argument is still...no wait, that was the only thing your argument was based on :)

  11. Anonymous Coward
    Flame

    bring it on !

    ... the best thing about these repeated data loss stories, is that it shows the government up for being the Inspector Clueseo of the IT world. It's patently clear that "Government IT expertise" is an oxymoron.

    If the fear of being caught defrauding the system, because of all the expensive IT systems which would catch me was 50% last year, it's 5% now.

    The fact that CDs need to be posted round the country shows :

    1) There's no central data store

    2) Government computer systems are clearly incompatible

    3) There's no platform-indepedent govenment network

    at the end of the day, it would have been more secure to fax copies around, or use a point-to-point dial-up FTP package (ISTR ProComm) - I'm sure you can still get copies of KERMIT for Windows.

  12. Dave
    Joke

    they can do better than cd's.....

    steve jobs showed that the new macbook air can fit inside a normal envelope.

    you'd have thought they'd stop mailing cd's and leaving laptops in cars, when they can just mail the laptops and kill 2 birds with one stone.

    </encrypted usb drive>

    </coat>

    </taxi>

  13. Anonymous Coward
    Anonymous Coward

    envelope in an envelope

    It wasnt a numpty sending it throught the post because its ok to send restricted through the mail if its within an envelope thats within another one, is it?

  14. Alan Lukaszewicz
    Happy

    AC: true, true

    Under a delegation of duties model it is indeed true that:

    a Principal in a College/University/establishment is responsible for "everything" that happens

    Similarly so for a government minister, Head in a school, Chair of an organization, ...

    On the other hand were individuals to deviate from instructed practice or policy then that sort of clears the governance issue on one point but then begs what steps are being (realistically) taken to ensure policy is in practice.

    It is also a great way for public servants or others to deny their own ineptitudes and so forth by hoping that the public will hold someone else responsible rather than the direct management chain that has endorsed such things to happen.

    Get the feel for what is being reported (data losses possibly with pecuniary advantage to organizations (in this case the Courts), consequences on public accountability, verifying key performance indicators, ... , what is not being reported or being withheld, fogged or obfuscated and one will indeed have a truer picture of management malpractice.

  15. conan

    @Anonymous Coward

    ...get a backbone and publish your name when inciting activism, or at the very least explain what YOU'RE doing. There are readers of El Reg who do occasionally try to make a difference you know

  16. Anonymous Coward
    Coat

    Pay peanuts, get monkeys

    Like the DWP fiasco the scariest thing is that the processes designed to ensure things are done according to regulation are not being followed. Time to emigrate to somewhere where they don't know what a computer is... try stealing the ID of an Amish

  17. James Whale
    IT Angle

    It's not a problem with the state possessing our data...

    ---they just need to better-train their people.

    It's about 90% of the civil service being ludicrously IT-illiterate to the point of 'you couldn't make it up'.

    It's also about a lack of decent IT infrastructure (e.g. high-speed fibre network) which would render the sending of physical media through an unreliable postal system redundant.

    I find it crazy that any data could be sent anywhere unencrypted - I encrypt the contents of my USB stick and that's just for the journey to and from work every day when it's not even due to leave my possession.

    By the way, let's just hold the vector up for scrutiny once more shall we? Why are we so quick to blame the government without holding to account the incompetent (or worse still dishonest) couriers that keep losing the damn stuff?

  18. Alan Lukaszewicz
    Unhappy

    NHS anyone?

    Honestly, believe me when I say:

    - NHS national records

    - partnership initiatives involving diverse organizations with access to data

    - ID cards

    - ...

    are also subject to the same or similar "effective" management funded by the public purse.

  19. Law
    Paris Hilton

    RE: You do realise...

    Idiot... I'll ignore the fact that you say get a backbone while being anon (basically because somebody beat me to it!).

    So, what do you suggest we as an unhappy nation do then? Blow up parliament?? Hang the queen?? I don't get your point.... I love my coffees, my 40' HD TV is the dogs (especially when playing on my 360!), and so what if I don't have time to cook when I get in at 19:30 hours.... its none of you damn business what I'm doing.... so bugger off and rally somewhere else hippy! :)

    I have a good mind to tell Paris about all this data being sent around unprotected... I'm sure since her Sidekick days the importance of password protecting your files (and also choosing one the whole world would guess) has not escaped her. OOoooo - we could have a new series of Simple Life of them cleaning up the government.

  20. Anonymous Coward
    Stop

    Here we go again

    @Beg to Differ

    Ministers have absolutely no control over the day to day running of the Civil Service, any more than your average CEO does. These days ministers delegate that to oh, ex-CEOs from the private sector who demotivate the civil servents, by making up counter intuitive rules to stop them doing their jobs.

    @Enverlope in enverlope

    Yep, absolutely true, but then how would you know what any particular enverlope contains, hiding things in plain sight is actually quite a good way of doing things, unless of course you are stupid enough to publish it. Quite a few commentators have noted that, if you publisise the fact then the bad guys know there's something to look for, and where to look. I beginning to wonder what the government are reallly hiding with all this fuss about data loss.

    @Bring it on

    I do know of governments who have highly successful cenralised identity systems. that have complete details of a persons life. Unfortunately I doubt you would want to live in those countries. Democracy and Freedom have a price, which in many cases is more than the goverment wants to pay. However if you want to repeal the Freedom of Information act, the Data Protection act and strengthen the powers of the home office, then I see no problem in delivering an effective and secure government infrastructure.

    And finally, come on guys think these things through, politicians will act, and act wrongly, because they don't understand IT, but they do understand public feeling.

    So what will they do, ah, I know think up some simple sound bite thate sounds as if it will solve all the problems, costs a fortune to implement, if its possible at all. So when you shout, shout constructively, saying government IT is s**t isn't helpfiul or true, just like any other organisation, some is, some isn't.

  21. James Richardson
    IT Angle

    What is "password protected"

    Can somebody explain what "password protected" means if its not encryption.

    I assume we are not talking about (trivially defeatable) MS Office Password Protection....

    Or is it more secure, like an autorun.exe that asks you for a password, then ejects the disk?

  22. Steve
    Thumb Down

    Misaimed criticism

    "The head of HMRC, in a letter to people affected by the HMRC data breach, said, "And I can assure you that all efforts are being made to ensure that such a loss can never happen again." Clearly the letter never reached the court service."

    Maybe the fact that the court service is nothing to do with HMRC has something to do with that

  23. Anonymous Coward
    Paris Hilton

    The thing is...

    The secure network for transferring files such as these does exist - it's called the GSI (Government Secure Intranet), is available to all government departments and has been around for years.

    http://www.ogcbuyingsolutions.gov.uk/GSi/faq.asp

    http://www.ogcbuyingsolutions.gov.uk/GSi/services/sams.asp

    The problem is that that the cost of joining is prohibitively high for smaller agencies because the terms of connection require implementing security features to a level that they can't afford. Also, once they have joined, the cost of maintaining a decent speed link on the GSI is far higher than would be expected from a normal ISP. This is why the majority of these data losses are coming out of regional offices and / or smaller agencies attached to larger government departments. They can't afford the infrastructure required and they're not allowed to make alternative arrangements (only unrestricted data may only be sent electronically outside the GSI), so they bend the rules. Presumably this two envelope, Royal Mail are secure thing was thought up twenty years ago when the biggest thing you could fit in an envelope was one letter, not 25 million people's bank account details on CD.

    Bring back the guys handcuffed to briefcases I say.

    Paris icon because she knows a thing or two about handcuffs.

  24. Richard Silver badge

    "Password Protected"

    Almost certainly means the trivially-defeated MS-Office or similar.

    And your autorun.exe sugfgestion is also trivially defeated - hold down "Shift" while the disc is being inserted.

    Personally, I think it's time that the fines for such failures were greatly reduced - say to £100 per affected indidvidual - and applied directly to the MP in charge of 'x', or the directors of the relevant private company.

    If the consequences are just as personal as the data, maybe they'd undertake actual (rather than soundbite) measures to clean up their act.

  25. BitTwister

    @James Richardson

    > Can somebody explain what "password protected" means if its not encryption.

    *Very* simply put; "password protected" is like having a troll guarding the treasure: once he's killed you just scoop it up and sell it but "encryption" is where a magic word has been used to make the treasure look like a rubbish tip and to convert it back into treasure, you have to find or deduce the magic word. There is no troll.

  26. W
    Stop

    @ Here we go again

    "I do know of governments who have highly successful cenralised identity systems. that have complete details of a persons life. Unfortunately I doubt you would want to live in those countries. Democracy and Freedom have a price, which in many cases is more than the goverment wants to pay. However if you want to repeal the Freedom of Information act, the Data Protection act and strengthen the powers of the home office, then I see no problem in delivering an effective and secure government infrastructure." - Anon Coward @ 14:17 GMT

    Personally speaking, I'd happily live in Denmark.

    Even though "[Their Personal identification number] register was established in 1968 by combining information from all municipal civil registers of Denmark into one."

    And even though "The number is an integral part of Danish society, and it is virtually impossible to receive any form of government service without one. Even in the private sector one would be hard pressed to receive services without such a number, unless it is minor daily business." - en.wikipedia.org/wiki/Personal_identification_number_%28Denmark%29

    Or, without worry, I'd live in;

    The Netherlands (Burgerservicenummer - printed on driving licenses, passports and international ID cards),

    Sweden (personnummer - was probably the first of its kind when it was introduced on the 1st of January 1947.),

    Finland (henkilötunnus/personbeteckning - Often it is needed for government transactions, the use of the personal ID number is regulated, and requesting is legally restricted),

    Iceland (kennitala - the use of the identification number is unusually open and extensive in Iceland and is never used as an authenticator. It is worth noting that the completeness of the National Registry eliminates any need for Iceland to take censuses.),

    Norway (birth number - assigned at birth or registration),

    or Canada (Social Insurance Number (SIN) - issued in Canada to administer various government programs.).

    Note that in 16 out of the past 20 years, Norway or Canada has sat atop the Human Development Index (HDI) - a general measure of the standard of living worldwide. Iceland is the current leader. The UK trails behind all of them.

    Granted, the UK has an NI card, but the gov (based on the evidence thus far) can neither be trusted with, or are capable of, administering a national database.

    IT angle? We lag behind many other countries on standard of living because we lag behind on tech implenetation. It's embarrasing.

  27. Anonymous Coward
    Anonymous Coward

    @What is "password protected"

    My guess - password protected means something in the application that stops you opening the doc without password (might stop Joe Bloggs, wouldn't stop a coder and defintely not a hacker - unless data is encrypted, which it might be depending on app/settings)

    why would you consider something like "autorun.exe" to be secure? First thing I do when I build a Windows PC is disable autorun on PCs - therefore no risk of viruses jumping from usb/cd roms onto my machine and probably more importantly - doesn't try scanning every ****** thing on the disk and showing a useless dialog which can only serve to delay me doing what I want with the data (usually just copying to/from usb)

    and "autorun.exe" would make a lot of difference to Linux PC I think not

  28. Anonymous Coward
    Anonymous Coward

    @Alan Lukaszewicz

    Management in public service? - after experiencing it I would use the term Management by crises but that gives too strong a suggestion there is some (management that is – there is always a crises)

  29. David Mayne
    Paris Hilton

    Seems a bit 1984 to me

    Does anyone else think that "Misistry of Justice" is creepily Orwellian?

    He had:

    The Ministry of Truth - responsible for propaganda

    The Ministry of Plenty - responsible for rationing

    The Ministry of Love - responsible for torture.

    I suggest this government sets up:

    The Ministry of IT Security

    The Ministry of Deep reflection and thought before introducing policy

    The Ministry of Just and legal Warfare

    The Ministry of affordable housing

    and finally the Ministry of Honestly recorded donations...

    Though I might be up for a two minute hate every day... so long as it's never aimed at Paris...

  30. kain preacher

    is just me

    or is this done on purpose. Its like they want you to get so use to it that its not new worthy any more. you will just expect as the cost of being a UK citizen I know i sound like a conspiracy nut , but come on how many case have been published of data loss. At some point even a half wit would say some thing got to change..

  31. Eugene Goodrich

    I'm sure they're just working the bugs out...

    ... of their CDs-in-the-post system.

    They're sending through unimportant CDs now to see where they go. Black helicopters actually know right where they all are. For one thing, they'll round up all the mail thieves and once that's done the post will be as good as any physically-secure, carefully-administered, encrypted private network. (They'll also have a good idea of what you make a post envelope to look like so it doesn't get stolen.)

    So simple I'm suprised none of you thought of it already, actually. Makes sense that the bright thinkers in charge have got this all sorted out, doesn't it?

  32. Alan Lukaszewicz
    Happy

    Uh-huh

    Uh-huh

    It tends to be a natural consequence of numpty management using numpties :)

    BTW: apologies, I made a mistake in earlier post implying that CEOs or similar rankings within an organisation are the responsible dudes.

    In general that is not the case.

    The responsible ones form the board of governors or board of directors usually under a principle of shared responsibilities.

    A CEO (or similar) is non other than the senior accountability officer accountable directly to the board.

    Of course, legal models differ slightly but the above is a good and (I hope) robust generality.

    Board: responsible

    CEO and under: accountable.

    In one's own experience public servants use this to there great advantage and public disservice.

    If so consequence:

    If public funded organization ceases to serve government or public whom does it serve?

    Answers on a postcard please, marked strictly confidential and not to be lost in transit :)

  33. Alan Lukaszewicz
    Go

    OK I'll go off now

    But I am pleased to have reached #1 in the comments thread :)

    There are two extremes under reductio ab adsurdum that need to be considered.

    a) these reports are really as bad as it gets under accountability standards (especially under invocation of public accountability standards in the UK)

    b) these are tip of the iceberg indicators and demonstrate that much malpractice has been sustained over quite a while compromising Ministers (in the UK these are Government Ministers), public and public funding alike.

    You may choose some variance between options a) and b) as suits your perception and needs.

    I hold that option b) is closer to the truth.

    Have pity on the poor UK tax-payer and the atrocious service extended to those individuals (for as sure as eggz is eggz the CEOs don't).?

  34. Richard Porter
    IT Angle

    CDROMs?

    Why would Civil Servants be printing CDROMs to send a single batch of data? Clearly the Ministry of Justice has a bit of "an incompetence" when it comes to technology.

  35. Alan Lukaszewicz
    IT Angle

    Under statement mate, understatement...

    One model often used is: employ an incompetent.

    if anything goes wrong blame social factors that the incompetent invokes in a social sense to show that it was not intentional to appoint an incompetent in the first place.

  36. Anonymous Coward
    Anonymous Coward

    I see the problem around me every day.

    I'm a local goverment worker and I've been trusted with unencrypted access to the personal data of every child in our district for migration to a new school management solution. This includes names, addresses, medical problems and so on. It's no big deal because I do understand the implications of data security and how to implement it but let's look at this for a second.

    I'm the lowest paid technical employee in the team at a mere £15k a year.

    I've never had a CRB check.

    I've pointed these things out to management and particularly highlighted them in the case of recent breaches but no one cares. Whilst I am trustworthy there's always the chance that others in this type of position might not be - case in point, a few years back someone who worked on the old system was sent to jail after 15,000 child porn images were found on his machine - he also had full access to this data.

    So the data is in good hands I promise, I do know what I'm doing but it bothers me that there are people elsewhere in this situation who might not be either competent enough to look after the data or may just be outright malicious. Furthermore I'm just so utterly apathetic towards the job due to management ignorance and low pay amongst other things that even if something did go wrong I don't think I'd really care, besides I've informed management of the issue and they've done nothing to resolve it so I can't help feeling the age old and rather ignorant view of "It's not my problem".

    I have a lot of sympathy for the junior staff being blamed for these various breaches because if they're in the same situation as me then it's not their fault, they do what they can to look after the data but they can only do so much and if management isn't listening to their pleas to tighten up the process then what more can they do other than accept they'll have to do what they can with the tools they've got and if management orders them to send the data unencrypted on CDs via unregistered mail then they have to do it or face disciplinary and lose their job? Of course they'll lose it anyway when the blame comes round to them even though they did everything within their power to prevent it bar actually sacrificing their livelihood in protest.

    To cite another example, the goverment IT profession, some goverment organisation that basically oversees goverment IT workers has a mailing list we were encouraged to sign up to which I did. When they sent out one of their mailings they'd listed all addresses signed up to the list in the "To" field. As such all recipients could see all other recipients addresses and these addresses included everything from police to MI5 to NHS to parliament to other local goverment addresses. I immediately e-mailed back suggesting they in future used the BCC option to ensure people could only see their own addresses and not everyone elses. If one of those machines had been infected with a virus that spreads via mass mailing there is potential for that virus to spread to every single public sector department in the country. Of course, I never got a thank you or even a response to my notice of the problem that I sent to them but since then all e-mails have been sent such that we could only see our own addresses. Problem averted, but did it really take a £15k a year nobody IT support technician to point it out?

    It's frustrating and I say this sincerely, please don't listen to the lies about how it's all the fault of juniors - many of us try, we really do but we're limited by management. If we're going to achieve change then yes it is the goverment that needs to be blamed and in turn the problem needs to be pushed into the hands of upper and middle management to realise the issues and realise that they need to take action to ensure the data of the very people we're meant to be working for - the general public that pay their taxes is kept safe and secure.

  37. Anonymous Coward
    Boffin

    As a former employee

    and therefore posting anon (strange, clumsy with data, quick sharp on data protection act prosecutions when someone like me criticises), I would like to say that quite apart from the desperately poor management (of which there is far too much, in my area managers of various different grades outnumbered working staff by 2:1) the quality of staff being employed is dropping. Why? Because the pay is utter shite. I was the only person in my office not claiming some sort of state benefit, be it housing, child support, council tax relief etc... (cos I was still living with parents at the time) which seemed ridiculous that the government was paying us £13K pa (before tax) and then shelling out more in benefits. Even as court manager, if I had had to rent I too would have claimed housing. If they want quality staff who don't make mistakes, or to retain those few quality staff who are competent PAY A LIVING WAGE. And all that crap about civil servants having job security and good pension etc etc, maybe once, 10-15 years ago but not any more! I was threatened with redundancy twice and only kept my job by applying for other positions in the HMCS. No-one in their right mind should work for the civil service nowadays.

  38. James Richardson
    Stop

    Password protected

    To any US readers: some part of my previous post _may_ contain irony.

    Sorry for not flagging it dilligently enough and all.

    Also i want to know why it was four CD's. Any decent IT dept has got DVD writers these days.

This topic is closed for new posts.