Great sub title
"Quest to free all world's imprisoned data continues"
Funny until you realise it may be true...
A lost laptop containing the personal data of 109,000 Pensions Trust members has sparked the latest in a growing list of information security breach alerts. The missing machine was stolen from the offices of NorthgateArinso, suppliers of the Pensions Trust's computerised pensions administration system, where it was being used …
1. encrypt your hard drives, esp. on laptops - password protecting Excel files does not count.
2. transfer data on line (if you have to), not on a disk with the password on a Post-It attached to it.
3. Reduce the number of records / fields if you have to hand it out for testing or statistical analysis.
4. Anonymize records if you have to hand it out for testing or statistical analysis.
There, that would have stopped 90% of the embarrassing datalosses .
That leaves deliberate leaks and data theft.
If you're an MP wanting to cover up expenses claims, you're F**ked.
... that way there is the maximum probability of everything going wrong when the application/web-site/whatever goes live. Please let them test on live data at least a couple of days before going live.
The other thing: why are we hearing about this kind of thing so much? Are they softening us up, getting us used to the idea of all our personal information being known by everyone, so that we learn to accept having no privacy? I can't think of any other explanation of all these announcements. Surely in decades past this kind of thing would have been hushed up?
Having missed by only a couple of days having my details revealed in the Great Child Benefit Data Giveaway, the Pensions Trust have finally managed to do it.
Knowing the ICO can and will do nothing more than shake their heads and say "Tut, tut, tut", is there any basis for private legal action against these muppets, or does one have to prove monetary loss?
"In spain, it is explicitly unlawful to use confidential data in test, development, etc. And it also a nobrainer"
sorry, but that's pretty silly law
we use in special cases live production data for QA, it is in very controlled environment (special QA environment for live data) and has full production policies and controls. Sometimes it is almost impossible to use dummy or obfuscated data if you want to do really good overall QA and/or there is data backfill being done.
it's not about not using live data in development, it's how it's controlled. Clearly they did not have good policy in place.
I just got back from London having had a few pints with some of the lads from the old firm, and they mentioned they're already preparing for the forced ID card deployment. "Clean" (spotless CRB check) people are being spoken to about getting jobs with the contractors.
The data alone is valuable, and that'll go walkabout pretty quick, but having someone on the inside savvy enough to manipulate it or install some MITM trickery and it's a "digital fucking diamond mine" as one of them put it.
The comments on here are interesting as they show that all anyone really cares about is the data on the device, not the device itself.
The data in this case isn't protected by encryption, just a password. But knowing the data is on the device, would it make any difference to the peoples perceptions that their private data is on that device?
Surely knowing the data has been removed from the device would be a lot better? Utilising the internet or mobile phone networks you can receive this reassurance through a tool like BackStopp. The data is removed and a report is made available detailing the removal of such data. What price would the company in question pay for that functionality now?