back to article Lag log leaks - Home Office contractor loses entire prison population

In a major coup in the government data loss stakes PA Consulting - which until Monday was one of the Home Office's favourite consulting outfits - has contrived to lose the entire prison population of England and Wales. Personal details of the 84,000 people behind bars, along with those of 10,000 prolific offenders, have vanished …

COMMENTS

This topic is closed for new posts.
  1. Richard
    Flame

    How hard can it be?

    For a clause in the contracts to include punitive damages should data loss occur. In fact, it shouldn't be on data loss, it should be if the data is allowed to leave the network of the minister's mate ^H^H^H independent consultant's network. This would cover USB fobs and laptops that leave the office.

    I'm willing to bet that "processing purposes" means fannying about in Excel and the like. It's not as though there's a skills shortage for Excel fiddlers, so how is it that it's a case of "the transfer of further data to PA has been suspended pending an investigation", rather than "PA has been dropped (from a tall building) and will not work for the state until it proves it has got its arse in gear (or has separated it from its mouth)"???

  2. Anonymous Coward
    Flame

    It's not a memory stick ffs!

    I don't know why, but when people refer to what is most likely a USB flash drive as a "memory stick", for some reason I want to kill them. It saddens me that this ambiguous misuse has extended so far as to be used on El Reg of all places! Okay, maybe the Wikipedia-reading public requires a disambiguation at the top of the page (see: http://en.wikipedia.org/wiki/Memory_Stick) , but really, aren't you supposed to know better?

    (Unless, of course, it really was a memory stick... but why would they do that?)

  3. Andrew Kelly
    Coat

    What worries me

    is not the loss of data but this statement from the BBC website:

    http://news.bbc.co.uk/1/hi/uk_politics/7575989.stm

    "The data on the stick also includes information from the Police National Computer of some 30,000 people with six or more convictions in the last year."

    Have I read that right? 30,000 people have six or more convictions in the last year. How the hell does someone tot up six or more convictions in one year?

    Mine is the one with its pocket being picked.

  4. Joel Mansford
    Joke

    What were they doing?

    Can anyone think of a good reason why an entire database should be dumped on to a memory stick?

    Have these people not heard of database servers - they're really cool they have security and can be backed up and everything!

    If I were the IT manager for one of these outfits I would disable the USB ports on all machines I think.

  5. Nebulo
    Thumb Down

    The UK Government and its contractors

    are not fit to run a bath, never mind the remains of a great country.

  6. adam
    Paris Hilton

    Sheer Utter Incompetance

    This is just yet another example of utter incometance by this Government

    "lost" laptops by the MOD, "lost" CD's of data by the NHS, HMRC, you-name-it department

    This is unforgivable, not the fact its data from HMP, but that this type of thing happens so frequently.

    Surely I have a case to go to European Courts and claim compensation for the Govt putting my personal data at risk ?

    what is the difficulty here ? its OUR data and they are playing with it like its nothing.

    No wonder there is so much ID theft.

    Paris, because, she would never treat her "data" like a toy

  7. Jeff Deacon
    Black Helicopters

    Update please ...

    We need the story updating! Where is the Home Office comment that if we all had biometrically secured ID Cards, this sort of data loss would be completely immaterial, and could be allowed to become commonplace without inconveniencing the government in the slightest?

    We also need a "biometric ID solves everything" icon, so it will have to be helicopters instead.

  8. Andy ORourke
    Joke

    "a secure format"

    That'll be a passworded Excel file then :-)

  9. Anonymous Coward
    Anonymous Coward

    As an IT Contractor myself...

    I'll start by pinning my colours to the mast by saying that I have never voted for labour and am unlikely to.

    The media seem to having a field day with this news item and IMHO it is certainly a serious loss of data BUT should we be automatically blaiming the goverment?

    In my opinion the resonsibility lies with both the consulting company and the individual concerned.

    Even if the relevant gov dept passed the data on a key fob in unencrypted form I still believe that the recipient still has a respsonibility to look after the data in a responsible manner.

    Paris, because she can see my usb stick any time

  10. Dangermouse

    *sigh*

    There are just so many things wrong with this that it's hard to know where to start.

    Secure format?

    ID Card development?

    Downloaded "for processing purposes"?

    Anybody suspended?

    PA Consulting sacked for breach of contract?

    PA Consulting prosecuted for breach of RIPA or DPA?

    I despair. I really do despair.

  11. Nomen Publicus

    No accident?

    The time has come to consider that apparently losing personal data in this manner is a deliberate policy of the government...

    They have made SO much noise about ID cards and the wonderful database that will support them that they cannot back down without a very good reason. But we cannot afford both ID cards and the Olympics - one has to go and it better be ID cards because nobody wants them and cancelling the Olympics would be a career limiting decision.

    So, pretend that the government and all its friends in the IT business leak like sieves and there is suddenly a good reason to postpone or cancel ID cards which doesn't look like a policy U-turn...

  12. Jeff Bennison
    Paris Hilton

    Why oh why don't they get it

    Is it just me or is this just common sense to protect this type of data. Policies, Standards, laws and contractual obligations don't even come into it. It's sensative data so protect it. FULL STOP FFS

    It's the same as protecting stuff like the PIN number for your own bankcard. It is just SOOOOOOOOOO simple it's a joke when stuff like this happens again and again and again. A lot of people should be sacked for this kind of balls up.

    On the bright side I wouldn't mind being a contractor charged with sorting it all out.....chi ching as the cash rolls in.

    Paris as she certainly knows how to handle her sensative details ;-)

  13. Anonymous Coward
    Anonymous Coward

    Well, that puts the ID Card project to bed then..

    Out of interest, any signs of established and monitored ISO 27001 compliance?

    If yes: how could this happen?

    If no: why are they allowed this work?

    In either case: how did they ever pass those NAO audits?

    Just asking..

  14. Anonymous Coward
    Anonymous Coward

    @Glitter

    Watch for the Home Office to make some knee jerk extra law while the media topic is hot.....

    You know, Jacqui will be out there doing the 'oh won't someone think of the children' act and proposing some quick fix she hasn't thought through. Government for the hysterical housewife BY the hysterical housewife. :)

  15. dervheid
    Black Helicopters

    I've heard it reported...

    that Plod is 'investigating' this.

    Strange. I don't recall Inspector Knacker being called in over any of the other cases.

    Is this due to it being the apparent fault of a 'consultant' this time round?

  16. Anonymous Coward
    Anonymous Coward

    Only 84,000

    These data losses are getting to be two a penny. What I find surprising is that there are only 84,000 inmates. I blame the police, they are not doing enough to get the rest of the population behind bars.

  17. Anonymous Coward
    Alert

    new rule required

    Government contractor + data loss = no more contract.

    Since I am wishing for the extremely unlikely ...

    Government agency/ministry/department + data loss = sacked minister

    Or for the completely fanciful;-

    Data loss = disclosure (as legal requirement i.e. by Law).

  18. Anonymous Coward
    Anonymous Coward

    Sensitive Personal Data

    What's more, not just Personal Data but Sensitive Personal Data, within the definitions of the Data Protection Act.

  19. Anonymous Coward
    Coat

    And PA and stands for?

    When I worked for the Home Office we decided that the PA in PA Consulting stood for Piss Artist. They were a bunch of useless morons back in the 1990s and I see nothing has changed.

  20. John Lettice (Written by Reg staff)

    Re: It's not a memory stick ffs!

    It may well not be a memory stick. I would hazard a guess that it most certainly is not a memory stick. However, the Home Office says it is a memory stick, and I see no purpose to me arguing the toss with them about that. You go flame them if you like, but leave us out of it.

  21. James Robertson

    And thesed are the idiots they'll trust with a National ID card?!

    This is the ultimate argument against ID cards; forget the issues about privacy and the ability of the state to snoop on you; how you'd have to trust every government from now on with that much data on you - forget all those issues: it comes down to basic competence.

    These incompetence fecktards are just incapable of imposing information security.

    Do yourself a favour and get over to www.no2id.net and sign up.

  22. Astarte

    Another Stick-Up

    I really despair about such security failures. Even the most elementary precautions would help.

    Everyone in the chain of command from the individual responsible to the top of the organisation should be penalised for failing to implement appropriate security procedures.

  23. Mike Smith
    Black Helicopters

    Today's conspiracy theory

    "In its capacity as one of the Home Office's favourite consultants, PA was the development partner for the ID card scheme"

    Hmm, interesting. Wonder if the two are related?

    Most likely someone's just pocketed the thing. They're easy to conceal. We have a ban on putting sensitive data on memory sticks for exactly that reason, encrypted or not.

    But if someone in the PA office wanted to do their bit for Harry, England and St George by trying to undermine the Home Office's blue-eyed boy, this would be a pretty good trick to pull.

  24. Anonymous Coward
    Paris Hilton

    ID Theft? Excel? Shurley shume mishtake?

    Should we take any joy in the notion that persons convicted of ID Theft have now had their own identities stolen? - ok, raises only a small titter...

    As for the Excel spreadsheet, that seems a preposterous suggestion - I mean, 84K rows...

    Obviously that means two spreadsheets...

    Paris - cos she too has a record... I'd bang her up... more banality etc. etc....

  25. Anonymous John

    Re I've heard it reported...

    Plod (iPlod?) were called in when HMRC lost the two Cds last year.

  26. sw1sst
    Thumb Up

    Nice one. classic.

    .....another government initiative of reintegrating lags back into society,

    This new "scheme" is called ID FRAUD.

    I was always told that crime didn't pay.

    Now, it doesn't have a choice, the first it'll know about it is when it gets declined and it realises it's overdraft limit is reached.

  27. JCL

    @ I've heard it reported...

    I seem to remember by law govt. departments can't (won't) be held accountable for their misguided mislaying of memory sticks. Culpable contractors and consultants on the other hand will be.

    It'll all blow over, then a few months down the line the consultancy will be straight back in Mandelson style.

    I hope their public liability insurance is up to date.

  28. Frederick Karno
    Paris Hilton

    Typical home office.

    These are the people who constantly tell us they are able to defend our country against security threats.

    please stop blaming the contractor,it is the Home Offices fault,,,,they obviously havent put any measures in place since the revelations about other massive losses.

    IMO the only way to get public confidence back "IF they ever can" is to make it a criminal offence to lose data.It's a weekly occurrence in government now that a minister stands up ,says its not our fault (venus is out of alignment with saturn)or some such excuse and we will put in place stiffer measures (which hasnt happened in 2 years) in place.

    There is absolutely No i repeat NO reason why this or any other data had to leave its place of residence.The contractor should do his work on site and obviously under supervision.......for this very reason !!!!!

    Even Paris beefed up security after her data loss.

  29. Anonymous Coward
    Paris Hilton

    And they are not using encrypted USB Flash drives

    because?

  30. Anonymous Coward
    Stop

    Good timing

    Excellent timing by the contractors to lose this data just 4-6 weeks after 7 (yes 7) Data Handling Reviews by the Gov.

    The Burton review (MOD)

    The Coleman Report

    Data Handling in Government (Scottish Gov)

    Data Handling Procedures in Government: Final Report

    The Walport Report

    The IPCC Report (HMRC)

    The Poynter Review (HMRC)

    Nice to know that the Home Office and it's contractors haven't bother to read or adopt any of the recommendations within these.

  31. breakfast
    Paris Hilton

    @Jeff Bennison

    I think that was the first genuinely funny reason for the Paris icon that I've ever seen on a Reg comment. Awesome.

  32. Anonymous Coward
    Anonymous Coward

    The police are doing their jobs, Curfews not counted

    "What I find surprising is that there are only 84,000 inmates. I blame the police, they are not doing enough to get the rest of the population behind bars."

    Nah the police are doing a fine job, they got a whole town to imprison itself for nightly lock down, none of that lot are counted:

    http://news.bbc.co.uk/1/hi/uk/7550221.stm

    No messing there, they got a new power to issue anti-social behaviour orders without judicial checks, and suddenly they have the power of 'voluntary' curfew..... sure it's 'voluntary' but if you don't 'volunteer' we'll use one of our police state powers against you citizen.

    Curfew in Britain, I never ever thought I'd see curfews in Britain in peace time.

  33. Joe

    "How the hell does someone tot up six or more convictions in one year?"

    Arrest burglar. Burglars home has much loot in it. Burglar "asks" for 74 other offences to be taken into consideration.

  34. Nigel Wright

    F*ckwits

    LOL. You couldn't make this stuff up. "Trust us with your data, we know what we are doing". "If you've done nothing wrong you have nothing to fear".

  35. Dunstan Vavasour
    Boffin

    Desktop Virtualisation

    So we've all had a jolly good steam out of the ears rant about this.

    Back in the old days, users would be sitting in front of a terminal on a mainframe - the data was back in the computer room. Data loss was rare, because it was only physically available in the datacentre.

    Today we have various security models, with data slooshing round inside various security domains. In many situations, there are lots of users within some pretty large area with perimeter security - and this is the only security level. In this case, it would appear that a standard PC was inside the security domain where the data was available in plaintext.

    We come back to the basic shortfall: legitimate users shouldn't have access to the data, they should have a view of the data. If some Excel jockey wants to play with the prisoners' details, this should be done on a machine in the datacentre to which he has a view - there are now plenty of appropriate technologies.

    As far as I'm concerned, the problem isn't that the data was put onto a USB stick, it is that the data *could* be put onto a USB stick.

  36. Mark

    re: As an IT Contractor myself...

    But this is how the governments of the west manage to do things they aren't allowed to do.

    E.g. can't spy on your citizens? Pay a company to do it.

    In this case, the government can screw up in any way they need to and just say "we are instituting new measures so this won't happen again" and hope like heck people have forgotten when it happens again. Better is to outsource it to a business: you can then blame them for your incompetence.

  37. Anonymous Coward
    Anonymous Coward

    lets blame brown

    I know theres an argument that the PM isn't directly responsible for this but in a way he is and it's great fun to see him squirm. Brown you big fumbling plonka, look what you've done now!!

  38. Charlie
    Unhappy

    It's about time these sorts of errors were criminally accountable

    Perhaps the threat of some jail time would make some of the suits pay attention to things like encryption and physical security.

    It works with Health and Safety legislation and posting false company accounts is a criminal offence so why not negligent loss of private data?

  39. Mat

    "How the hell does someone tot up six or more convictions in one year?"

    Simple - Own a car.

  40. Block
    Paris Hilton

    Zoink

    94,000 files, probably a decent capacity memory stick then.

    Probably full of porn by now as i expect anyone at this PA place could just steal the data without 'losing' a memory stick (sorry, USB flash drive).

    Paris: Do i really have to explain.

  41. John Dallman
    Thumb Down

    All these portable devices...

    It's clear that organisations who handle data about people need one policy change, straight up.

    You do not put other people's personal data onto portable computers or storage devices. Period. No special cases, no approval processes; you just don't do it.

    First offense is discplinary. Second is sacking. No, we don't care if you're the head of IT security. Sacking.

    Bank workers don't take piles of cash home to count as part of their job, do they? The security-controlled data I work with doesn't move off its server: people know they can't have it on laptops, and they don't.

  42. Anonymous Coward
    Anonymous Coward

    responsibility

    I have to say even though the data was lost by a consultant firm it is still the responsibility of those that gave the firm the data.

    I'm sure MinJust knew this kind of thing was a common practice but ignored it out of convenience.

    It's like knowing your bucket is leaky, giving the leaky bucket to a guy, telling them to get you water, and then cutting his head off for bringing back an empty bucket.

  43. mittfh
    Flame

    It's not just central government...everyone's losing data!

    A couple of years ago a consultant working for Worcestershire lost a laptop containing that county's payroll database. Outside the county. The database was apparently encrypted...

    The East of England Strategic Health Authority reported back in March of the loss of a UFD (I refuse to misappropriate the Sony device) containing the records of 35 patients, and printed details of a further 25 dumped in a bin.

    Also in March, HSBC managed to lose a CD containing customers names, dates of birth and insurance details.

    Back in October, Queen Mary's Hospital in Sidcup somehow lost 25 years worth of employee information stored on microfiche, together with the reader. Leeds Building Society also lost employee records when it relocated its HR department.

    A survey by The British Chambers of Commerce covering e-crime and businesses in the UK found that 19 percent of the 3,900 businesses that responded had suffered data loss because of a virus and 8 percent reported having laptops stolen.

    Which brings me onto another question. When organisations lose "encrypted" information, would they mind telling us how strong the cipher was? Theoretically you could claim a ROT-13 transformation is encryption, and the ciphers used by MS Office and previous versions of WinZip were notoriously easy to crack...

    Fire, because you can be fairly certain data lost in the process can't be reused by people with malevolent intentions...

  44. DZ-Jay

    Wow, I'm impressed!

    Your guys may just be as incompetent as ours on this side of the pond. And that takes some high ranking, tenacious idiocy; by no means a small feat. I'm impressed.

    -dZ.

  45. Bronek Kozicki
    Coat

    @Nomen Publicus

    That's a good one!

  46. Peter Gathercole Silver badge
    Stop

    Securing data is not genetic engineering...

    ... sorry, rocket science is too simple now.

    Here are a number of measures which SHOULD be made compulsary wherever government held information is used.

    - Put a robust RFID chip as an integral part of each official USB Flash drive.

    - Put Shoplifter type security (or even make it prevent operation of the turnstyles) on all exits in secure facilities.

    - Do not use generic RFID tags, track specific tags (to stop someone identifying a secure USB device as the holder walks around a shoping center).

    - Have Official USB flash drives tracked, and holders made responsible for their loss.

    - Do not allow official flash drives to be held for extended periods.

    - Have a specific process to allow tracked USB flash drives to be removed from secure sites.

    - Change the USB ID on the official drives so that they do NOT appear as a generic storage device, so it becomes more difficult to read on ordinary PCs.

    - Put the required driver on all systems required to use the official stick, and have it use automatic strong encryption as the data is accessed.

    - Don't allow the specific driver to be installed on non-official PCs.

    - Regularly rotate the keys on the specific driver and flash drives (this can be done with the flash drives by making holders regularly check the drives in).

    - Clean all data from checked in flash drives when they are checked in to prevent people from using them as a backup mechanism.

    - Ban the use of personal USB flash drives (or the use of phones or watches, or whatever else provides this type of function) from secure sites as part of policy.

    - Disable the USB storage device handling drivers in all systems that can access private data to prevent non-tracked USB flash drives being used (I know this is difficult, but it should not be impossible, even if it means you have to put PS/2 keyboard and mouse ports back into PCs).

    - Enforce the already existing GSI Security requirements for all government held data.

    I'm not saying that this will make our data totally secure, but it would be a step in the right direction. It would prevent casual examination of misplaced devices. It would not stop a concerted attempt to steal data, but what would.

    Very little of this is particularly complex or expensive, as most of the barrier security and procedures already exist in secure government locations.

    BTW. This counts as Prior Art in the unkilely event that I am the first person to put all of these ideas together.

  47. h4rm0ny
    Paris Hilton

    How do they know that they lost it?

    I mean it's possible that they know they find out they lost data. Somebody can come in and say to their manager "Woops, I lost that pen drive you gave me, I think I left it on the bus..." But honestly, it would be so easy to take this data without anyone knowing that you wonder how anyone could get caught doing this deliberately. Or even how long the company took before they gave up looking and admitted it to the government. A pen drive could so easily be down the back of someone's sofa. The conclusion, I guess, is that it's actually quite possible someone wants it to be known that data has been leaked in which case we should be asking who benefits?

    Paris, because she knows all about "accidentally" leaking private data.

  48. johnB
    Unhappy

    But unfortunately...

    Just as I was building up to demanding that this latest Home office debacle should lead to Jacqui Smith finally doing the honourable thing & resigning, I find it's actually Jack Straws dept.

    Damn.

  49. Anonymous Coward
    Black Helicopters

    USB memory devices

    Unfortunatly, they are just too useful.

    Where I am, they have recently effectivly banned their use, and have told everyone to use CD's to move data between discrete security zones, and to ensure that these disks are destroyed after use. Unfortunatly (or maybe by design) there are actually very few systems with CDRom drives, let alone writers, on the secure networks.

    This makes it extremely difficult to get things like UNIX patches, new products or bespoke released code to the systems that need them.

    In order to get access to a secure machine room to put a CD into a drive in a physical server, it is necessary to have a documented change scrutanised by a weekly security board. The whole process takes at least 3 days, depending on when you realise you need the material. Compare this to using flash memory device which allowed you to just copy, remove insert, and copy the material at will.

    I trust you can see why government projects over-run, and are so expensive.

  50. N

    Here we go again

    This time, it might just benefit us all if someone did publish the data on the net.

    ...but unfortunately its the same fools who want national ID cards, well hopefully thats dead & buried now

  51. John Lettice (Written by Reg staff)

    Re: But unfortunately...

    Straw's data, Jacqui's contractor. But the PNC stuff I assume is Jacqui's data. So go ahead...

  52. Anonymous Coward
    Paris Hilton

    Am I the only person here...

    ...pleased that criminals are exposed to the possibility of getting a dose of their own medicine? I would find it hilarious if some fraudster had their loot pilfered by another ID fraudster. I also like the idea of some of these individuals suffering from said crime, such that they reconsider the effect of their own actions. The lack of empathy seems to be such a characteristic of such people, that perhaps this might inculcate some.

    OK I know the above is pure shite on my part and that by no means all lags/ex-lags fall into the above category, it is pure fantasy really. I also realise the idiocy of saying that 'criminals can't enjoy the protections of the European Convention on Human Rights, but they should respect others' human rights'; but -

    perhaps the lesson from these data losses is just that data is no longer sacred and liability for securing title to assets should lie with banks and similar organisations - it should be incumbent upon them to secure the most material assets, and we should just not worry too much about the rest?

    Oh, and the other lesson is that until every civil servant is paid £1 million each a year, and has an IQ of 180, and gives a damn, nobody should mention the words 'secure' and 'ID card', in the same sentence?

  53. TeeCee Gold badge
    Stop

    "Home Office contractor loses entire prison population"?

    I thought that this one was going to be SSDD. Then I read the article and found that they'd lost some data about prisoners rather than the prisoners themselves for a change.

    Sort of less of a big deal than usual for HMG then.

  54. ReadyPeople
    Coat

    Oceans 84000?

    Perhaps this is just a viral marketing campaign for the latest installment to follow Oceans Eleven, Twelve and Thirteen.

    Give it 20 years and there should be enough room to store the prisoners themselves on a memory stick - that should solve the overcrowding problems.

    Mines the one with a file, hidden in a cake, hidden in the secret pocket

    ReadyPeople - starting up the Essex .NET Developers Group - Interested?

  55. Anonymous Coward
    Anonymous Coward

    Just stabbing in the dark, but...

    Let me guess, the data was neither anonymised nor encrypted? I assume it's also reasonable to assume no one in MinJus or PA Consulting will be found at fault.

    So it's only a matter of time before the National ID database is downloaded for 'processing' and left lying around by someone from PA.

  56. Danger Mouse

    The Scenario

    How it played out in my mind.

    Home office bloke "John, we need some analysis of this data"

    John from PA "Ahhh, alright, dump it to csv file on this stick, I'm working from home tomorrow I'll do it then"

    Home office bloke "Golf this weekend?"

    John from PA "Sure why not"

    Home office bloke "Here's your stick back, see you Saturday"

    John from PA "see you then"

    John returns to office via a pub lunch on expenses, sits down at his desk turns on his laptop, inserts usb stick opens up expenses spreadsheet, does a bit of fiddling, saves it, removes it and places it on his desk just above the bin. Finishes up for the day, knocking his usb stick into the bin in his rush to beat the cue out of the car park.

    Impossible I hear you say, nope, I've seen a previous 'manager' do exactly that, in my case he was fortunate that I had to look for a postit note with a phone number that I passed him early on in the day. I did let him sweat for a couple of hours the next day before sliding the key back on his desk after he informed his director. And no, I didn't like working for him :).

  57. Anonymous Coward
    Alert

    Enough!

    I personally don't handle data that's as critical as the data the government and their contractors (mis)handle on a daily basis.

    However, I have to say that I consider ANY data that isn't my personal data to be vitally important to the owner or those the data might refer to. My own data's pretty important to me to, because I know what the implications of data loss can be. So my security is my affair.

    I'm constantly appalled by the cavalier way such data is treated by customers themselves.

    It has to be said that by and large the people in question are basically, muppets.

    They have little or no conception of the risks they take on a daily basis - worse, they won't be told. They assume everyone else is stupid, they are smart, and it couldn't possibly happen to them, so precautions are a sensless waste of their, oh so valuable time.

    Myself, I've never (yet) lost data by 'loosing' a USB 'thumb drive', CD/DVD, external HD, or a laptop (a laptop FFS! HOW do you manage that?).

    Customers REGULARLY loose USB 'thumb drives' and CD/DVDs.

    No one I deal with has yet managed to loose a laptop, though with a couple of them I feel it's only a matter of time...

    Yes, the Government is ultimately to blame. The decision to employ staff/consultants is their responsibility.

    But, it's abundantly clear that individuals and firms are being employed who are of the caliber of many of my customers.

    'It won't happen to me, because I'm too smart / know what I'm doing / don't need to waste my time taking precautions'

    'Muppets'. All parties involved.

    The solution? Accountability. The buck stops at the Cabinet Minister in questions desk. No more 'investigations' designed to stall the matter until it's forgotten. No more 'It won't happen again' - because it clearly will.

    Simple rules:

    'You lost xxxxxx? - clear your desk'

    'Your downstream staff member lost xxxxxx? - clear your desk'

    'Your firm lost xxxxxx? - contract terminated and no further employment'

    'Your department engaged this firm that lost xxxxxx? clear you desk and kiss your pension bye-bye'

    No excuses.

    Also - since the government is so damn keen on databases, how about a database blacklist of individuals, firms and directors of firms involved in data loss incidents? So it is possible to ensure none of the individuals involved are ever employed on government work again?

  58. Kwac

    Ms Smith cop out

    "Ms Smith said the government had held the data securely but PA Consulting appeared to have downloaded it, contrary to the rules of its contract."

    BBC News

  59. Anonymous Coward
    Anonymous Coward

    Sigh - it won't change anything..

    I suspect the usual will happen: the sap who lost that stick (stupid, but human failure should always be planned for) will get the sack, but the management who failed to put directives, policies, software and audit in place to keep things safe will at most get a slap on the wrist with a wet noodle - and still pick up their bonuses for all the profit they made at the taxpayers' expense.

    No news here, please move along, just pay your taxes..

  60. Peter Gold badge

    @ Enough & black lists

    Blacklists won't work.

    They'll lose them..

  61. Anonymous Coward
    Anonymous Coward

    @ Good timing

    Given that just about everything has been outsourced to contractors/consultants, any idea who did those reviews? Just musing.

    Oh, and why did nobody check that the contractors really did what they promised? I do vaguely recall some standards being demanded in most Gov contracts, and even 4 years ago there were various consultancies promising more than they delivered (mainly because implementing it would detract from their beloved profits/bonuses).

    I guess now the search is on for new friends in Government..

  62. Anonymous Coward
    Thumb Down

    Terribly honest consultants.

    At least someone owned up to losing the data.

    If your job is on the line.. Lie !

    Where's that usb drive I gave you ? Dog ate it... sorry.. I'd already removed all the data on it, here take one of mine instead.

  63. jack horner
    Black Helicopters

    HAHAHAHAHAHAHAHAHAHAHAHA....................

    Do 'Private Contractors'* have to pass any sort of certification or vetting procedure before being allowed to lose heaps of personal data - or can anyone do it?

    On the bright side - the recruitment of villainous henchmen just got a whole lot easier! HaHaHaHa...etc (Evil laughter echoes around interior of hollowed out volcano).

    (*English translation: Money-hungry spivs with the right connections)

    Thanks

  64. Anonymous Coward
    Thumb Up

    @ Enough & black lists

    "Blacklists won't work.

    They'll lose them.."

    NOT if they are tattooed on the PM's face :-)

  65. Anonymous Coward
    Black Helicopters

    @ the idiots they'll trust with a National ID card

    James, it may be worth investigating just who was involved in the feasibility study.

    The answer may not come as a surprise, but as a hint, there was no conflict of interest whatsoever (that's meant sarcastically, btw).

  66. yeah, right.
    Black Helicopters

    got me thinking...

    One of the posts above got me thinking. If the UK gov "loses" data on everyone in the country, that means they can do lots of scaremongering about ID theft and the likes. Then they could sell a "National (Anti-)ID(theft)" card to all those scared-silly punters that they claim will make ID theft a lot less likely. There are probably enough stupid people in the UK today to perhaps make such a scheme work.

  67. Anonymous Coward
    Thumb Down

    @Ms Smith cop out

    Ahha, I see the hand of D.O.P.E here, well if it was secure then the contactor would not have been able to download it.

    Wacky Jacqi, null points

    Can we have a WJ icon please?

  68. Anonymous Coward
    Paris Hilton

    @ Jack Horner, re vetting procedures

    Go to http://www.cesg.gov.uk/site/clas/index.cfm (CESG Certified Listed Advisory Scheme) and fill in "PA Consulting".

    A company can only appear in the "competent to perform security work" category on GCAT (Government CATalogue of accredited companies) if it has CLAS certified people.

    However:

    - a company only needs ONE (1) such an accredited consultant to become listed as a whole (yes, even with the 2..3k people PA Consulting appears to have) so it's made dirt easy to game the system (no idea if the specific people themselves are vetted, given the recent cock-ups I have my doubts)

    - the whole process is tick box driven and easy for people with half a braincell. I presume that is because they would otherwise not be able to get anyone at all, a theory underwritten by this latest stunt.

    So, let's sum up:

    - the club that hacked the ID Card justification and the scheme itself together has screwed up badly, to the point that it has become a political bomb

    - so far there is no evidence that there were ANY procedures and policies in place (gov/consultancy) that would have prevented such an event

    - the selection process for such a company appears to be holed below the waterline as well

    - nobody is in the least surprised, just resigned that it happened yet again

    What I want to know is which politician will now have the unmitigated gall to state that ID Cards are still a good idea. The Gov lacks competence, and so do their advisers. And it's not like that hasn't been a lot of "I told you so" already.

    What I like is that it's now weekend. They'll have to sit on this for the whole 2 days before they can do something about it. Sorry to be a bastard, but I rather enjoy the timing..

    Paris, because she at least learned after her contacts were stolen off her phone..

  69. Harry Stottle

    @Dunstan Vavasour

    Well said sir.

    A number of comments have focussed on introducing/increasing "criminal" penalties for data loss. This would be neither effective or realistic. Furthermore it does no more than reinforce the ill-IT-irate approach of the Government's existing incompetent attempts at Security Theatre. They THINK you can impose security with rules constraining humans. Wrong.

    As Dunstan puts it:

    "As far as I'm concerned, the problem isn't that the data was put onto a USB stick, it is that the data *could* be put onto a USB stick."

    The reason The Law cannot possibly help is that it is quite impossible to create a "proportionate" penalty. Why not? Because the point of penalties is to act as a deterrent and whether a penalty is a deterrent depends on the value of the data to the attacker - which is not something under our control.

    Yes, we might deter casual theft or incompetence with a fine of a few thousand quid, or a prison sentence. But if the purpose of the theft is serious enough (obvious example terrorism) then no penalty is going to have the required deterrent effect and it's THAT kind of attack we should be most concerned about. And the ONLY protection against that kind of attack is to make it physically impossible for attackers to get at the data. Dunstan again:

    "We come back to the basic shortfall: legitimate users shouldn't have access to the data, they should have a view of the data."

    And, in cases like the present example, they shouldn't even have a view of the "real" data. For the purposes of research, there is no obvious reason why they cannot have an anonymised view of the data, where any sensitive identifiers have been replaced with pseudo-data.

  70. Anonymous Coward
    Paris Hilton

    Somebody lend the BBC a picture of a memory stick...

    The news.bbc.co.uk coverage of this item featured a photograph of a plug belonging to some USB device or other (as is obvious from the lead trailing out of the back).

    I hope the device in question was a USB flash or an SD card rather than the memory stick quoted - wouldn't want public money wasted on overpriced Sony proprietary crap.

    Paris because she sticks in ones memory

  71. RW
    Unhappy

    PA Consulting

    Just why are they so favored by NuLab when, according to other comments, they've long since demonstrated their incompetence? Political connections, just perhaps? Or does our Jacqui have a thing for the MD?

    And what ever happened to the concept of ministerial responsibility, one of the cornerstones of the British constitution, pray tell? Jacqui Smith should have resigned long ago given the number of complete fiascoes that have happened under her guidance. The issue isn't whether she's personally responsible; it's that she has to take responsibility for both the good and the bad that occur on her watch.The woman's clearly out of her depth; AC's remark "Government for the hysterical housewife BY the hysterical housewife" is absolutely on point.

    Of course NuLab as a whole is clearly out of its depth. Its persistent discounting of intelligence, competence, education, experience, and skills in favor of political correctness and adherence to the party line means that now, after 11 years of NuLab, the Civil Service (or what's left of it) is infested with stupid political hacks from top to bottom. With the best will in the world, it will take decades to rebuild the British civil service, once the envy of the world.

    Anyone have any insight into the morale of the civil service?

    It would be funny if it wasn't so sad, seeing a once-great nation ground down into the current mess by a bunch of dimwitted ideologues.

  72. Andus McCoatover
    Joke

    @@ Enough & black lists

    <<"Blacklists won't work.

    They'll lose them.."

    NOT if they are tattooed on the PM's face :-)>>

    Er, what if Obama's our new poodle-caretaker PM? S'pose they'll have to be "Whitelists"?

  73. Boris the Cockroach Silver badge
    Pirate

    Not this again

    I used to be one of the despised civil servants working for the MoD in a secret job(in fact so secret, not even I knew what I was doing :=} )

    On the first day , all the new people were bluntly told:

    "You will keep all classified and above materials securely on site, you will not take them off site, and if part of your job does involve you taking them off site and you lose them, you will be subject to various penalties ranging from loss of job to 5 years in prison"

    My question to the minister currently in charge is..... whos been fired for the breach, and what criminal charges are being considered?

  74. Simon
    Coat

    The database of all UK citizens will be defeated but...

    it no longer matters. These data leaks are just the way the government is getting around the issue. No doubt every time there is a leak announced someone in a trilby and reading a broadsheet (with 2 holes cut in it), standing on a corner somewhere in Westminster is collecting it. Surely this is why no minister is having to forfeit their job.

    The one with the coat because that's the guy who is uploading the missing data to the government's everyone database.

  75. Anonymous Coward
    Anonymous Coward

    @Christopher P. Martin

    "I don't know why, but when people refer to what is most likely a USB flash drive as a "memory stick", for some reason I want to kill them."

    Could it be because you're very anal?

  76. Anonymous Coward
    Coat

    @ Anonymous Coward

    "- so far there is no evidence that there were ANY procedures and policies in place (gov/consultancy) that would have prevented such an event"

    Apart from the fact that Jacqui Smith on the one o'clock news specifically said that the Home Office and "The Contractor" had specific processes in place.

  77. Chris
    Paris Hilton

    Breach of contract...

    Is that really as far as Ms Smith will go? FFS heads should roll for this, esp. after all the previous cock-ups. Prison even. This should *NOT* still be happening. The question is not how was the data lost, but how on Earth was the data accessed in the first place. Contractors should not have unfettered access to this kind of data without a very, very good reason.

    Like others have said, this is confidential data that's been lost. In any other business you'd be out the door with your p45 in your hand faster than you can say, 'Paris Hilton.'

    This governement take the absolute piss and Gordon will be out after the next (soon to be lost) by-election and Labour soon after, I hope!

  78. kain preacher

    Hmm just a thought

    Could I not pay my taxes in the UK and then say hey I paid you chaps lost the records. Not my fault.

  79. Gulfie
    Thumb Down

    This is what happens...

    When you run government IT on a shoestring.

    Actually, PA are one of the better consultants working for the government - I've worked with them, EDS, CapGemini, Detica and Capita, all bid bargain basement prices so the service provided is straight from poundland...

    The government is reaping what it has sowed...

  80. Anonymous Coward
    Paris Hilton

    Mr Pedant makes a comment

    Just a small factoid... but pertinent all the same. The data is not lost. The storage device is lost (flash drive/USB/memory stick whatever). The problem is not one of lost data because the original database is still valid, but more one of "someone ELSE may now have a copy".

    PS - recommend we re-introduce quartering for politicians, anyone got a couple of spare horses?

  81. Anonymous Coward
    Anonymous Coward

    How incompetent is this country?

    I am looking for a refund on everything that has been enforced, by this lousy bunch of swindlers.

    There is not one iota of good in any of the public sector from education, policing, military, governance, and now the prison service, only the library service to go, oh wait.

    It is just goes on, we must be able to fire the lot of them, confiscate their property, stick them all in rowing boats and shove them off Dover beach, let the French deal with them :)

  82. Anonymous Coward
    Anonymous Coward

    Darn!

    I feel so much safer in the knowledge that my personal details will be secure once the UK introduces the national ID databse and cards

  83. Anonymous Coward
    Anonymous Coward

    @nomen

    More like the Government (etc) are losing them on purpose because by making us all open to identity theft, it is proving the case for needing an intense 'intentity proving' database. How very convenient.

    ID cards are supposedly needed because we need a way of proving EXACTLY who someone is. A driving license, bill and passport aren't enough, and can be faked.

    So they'll say that it doesn't matter if someone has your name and address, because in future, with the ID cards, they will need to have your fingerprints and retinas too. Otherwise they will get nowhere.

    (Although I give it less than 5 years before criminals are able to somehow 'steal' fingerprints and dupe eye scanners)

  84. Anonymous Coward
    Thumb Down

    2 things.

    "The data was held on PA's computers, in "a secure format" according to the Home Office, but was downloaded onto a memory stick and "for processing purposes." This was then lost. A search of the company's premises has failed to recover "

    It's completely irrelevant how secure it was last year, last week, or yesterday, if it has gone balls up today.

    Is that honestly supposed to (re)assure ANYONE of ANYTHING? Or has it just become such a habit to include a line like that whenever shit hits the fan?

    Secondly, it couldn't have been that secure if it managed to get easily transfered onto a freakin' PORTABLE usb stick by some random person.

    THEN subsequently lost.

    I suggest that any sensitive data should have to be stored on something so large that it's impossible to misplace it (so I guess it will have to be bigger than a laptop...) I mean, if you REALLY need to use a tiny memory stick, is it too hard to attach it to a keychain/lanyard so that you CAN'T possibly lose it? Or to have one of those beeping key finder devices attached to it?

    Common sense people. If you're so stupid that you lose small things then at least have the sense to attach them to something that makes it a bit harder for them to disappear. Or something that can locate them when they inevitably do.

    Seriously.. They expect us to believe our information is secure? Why are people allowed to make copies of ENTIRE databases whenever they want, presumably without any sort of special permission or supervision?

  85. I. Aproveofitspendingonspecificprojects
    Happy

    You lucky people.

    I think we should all have ID cards, not just the few who travel on London trains or break into civil servant's cars.

  86. Anonymous Coward
    Anonymous Coward

    Re. policies et al - just realized something..

    If I read the PA Consulting website "defence" section right, PA must be a cleared company (i.e. List X, although that apparently no longer exists). That suggests annual audits.

    The longer I look at this the more it starts looking like a one person cock-up, which is almost impossible to defend against (as evidence that rules don't stop problems, do a bit of digging for the "Kofi Annan bugging scandal" - tell me that lot doesn't have enough processes and rules).

    As cock-ups go, however, this one is of epic proportions. PA was already unpopular for a number of things it was doing (remember the speed camera study?) and seems not have guarded against the impression it was very much allied with one party (given that it was doing its dirty work re ID Cards it probably would have been a waste of time to claim otherwise anyway).

    The timing is thus a classic: a party under threat, and with a history of blatant incompetence when it comes to data retention, employs a now unpopular consultancy which demonstrates a compatibility in the area of data loss. Result: it has gone political at warp speed, with a government keen to show "it wasn't me" (for a change), an opposition not willing to let them off that easily and both sides firing at the consultancy in the middle. Sacking the person who lost that data is not going to fix this, it'll need more important scalps before this dies down.

    It'll be an interesting week ahead, I think..

  87. John Stag

    @ should we be automatically blaiming the goverment?

    Absolutely!

    They're the ones who could enact laws to send everybody concerned to prison for a long time whenever this happens (the personal responsible and his superiors).

    The only way to deal with this problem is to make everybody completely paranoid about carrying sensitive data around on their person. This sort of data should never leave the building in any form.

    The current system is based on a bunch of greedy contractors trying to get a slice of government money at any cost. Wouldn't it be better to have people scared of taking this sort of contract unless they were damn sure of their security procedures?

  88. heystoopid
    Paris Hilton

    But then again

    But then again the way the current UK has been installing barriers for all the local peons to travel about internationally and all those security cameras beeing installed even in public loos , I would have thought the prison population including all on day release jobs(well some one has to earn the money to pay the wages of the blue coated armed security guards who shoot foreign guest workers on sight without any provocation or probable cause) the current prison population must be about fifty four million men , women , grannies , children and babies inclusive give or take !

  89. Destroy All Monsters Silver badge
    Paris Hilton

    Very nice, very nice....

    <---- Is this a memory stick in your pants or you just glad to see me?

    I will make this "suggested reading" in our small informatics group, including the thread. Maybe I can get past the "gallic shrugs" this time 'round.

  90. Gary Samuelson

    If you don't care -> they won't care

    If you don't care they won't care.

    Worrisome to hear the crowd grumble about something that typically results from bad policy.

  91. This post has been deleted by its author

  92. Anonymous Coward
    Anonymous Coward

    Why was the data there in the first place?

    I agree with everything said about USB sticks and portable media.

    What I don't see is why the data was in clear and complete. According to the BBC report, it was provided for a research project on tracking prisoners through the system: how much of the data was needed for that? Surely a unique identifier, age in years, sex , sentence and possibly crime committed, and risk status would be adequate?

    Equally, how secure is secure remote access?

    *If* working from home is needed, wouldn't this be a better way than of authorising remote use of data than download onto any type of media, whether or not encrypted?

    You can tell I'm a GP - and not an IT consultant!

    PS what are the implications for the single shared electronic patient record being introduced under NPfIT?

  93. Anonymous Coward
    Boffin

    implications for the SSEPR being introduced under NPfIT?

    ... details regarding your most embarassing ailments will be up for sale to the highest bidder.

  94. Anonymous Coward
    Joke

    To be honest I don't see what the fuss is about.

    Memory sticks are like Bic Biro's. They fall into a seperate ether from which there is no return, unencrypted or not they are probably far more secure than having an encrypted stick in a known location. Until we've got some way of crossing dimensions there's not going to be a problem.

    Mines the one with the Tardis Key in the pocket.

  95. Anonymous Coward
    Coat

    oh goody :)

    does that now mean all the prisons are now empty???

    so they can start banging up all those chavs n other undesirables still loose on the streets.

    hey maybe they could impose new jail sentances, i sentance you to 20 years impisonment on USB stick... (for the worst offenders).

    we can but wish i suppose ;p

    mines the one with the pockets full of lags on a stick,,,, which im gonna delete as soon as i get home,,,,

  96. James Pickett
    Alert

    Icebergs - tips of

    It occurs to me that we only get to hear about the losses that have been confessed. If I lost a memory stick/CD/laptop with sensitive data, but still had access to the original files, I'd replace the device PDQ and keep my head down, so presumably this has only come to light because the stick's former owner can't reproduce the information easily.

    One thing this incident will help to ensure is the keeping of extra unofficial copies of everything!

  97. John Dougald McCallum
    Stop

    @Peter Gathercole

    " Disable the USB storage device handling drivers in all systems that can access private data to prevent non-tracked USB flash drives being used (I know this is difficult, but it should not be impossible, even if it means you have to put PS/2 keyboard and mouse ports back into PCs"

    Why have "USB" or"PS/2" ports at all I personally do not see the need for them on data procesing computer terminals have the keybords hard wired keyboard goes down replace the lot or use a DIN socket these can be made with as many pins as are needed some of which need not even be live.

    Any thing wrong in this approach?

  98. Goat Jam
    Paris Hilton

    What?

    Was it an access database or something?

  99. Anonymous Coward
    Coat

    Well...

    @John Lettice- You could have at least put it in ironic "quotes" to point out how silly the Home Office are,

    and

    @AC- Yes, I probably am a bit anal.

This topic is closed for new posts.