At work we have automatic notification if an email is sent to an external address - do the police need a consultant?
Police face accusations of incompetence after accidentally emailing a file detailing the results of thousands of criminal records checks to a Register journalist. The author of the email at Gwent Police is now facing a gross misconduct investigation and potential sacking over the incident, which came to light this week. The …
It'd bloody well help increase my bank account if I were to get a wee consultancy gig moding cop systems. And a _second_ gig _unmoding_ them later on after the mods irritated the hell out of a few coppers for a few months. And a third gig putting the mods back on after the _next_ time something of this kind happens. And another gig removing them again once the noise level drops back down to normal background level... Job security in these troubled times, mate...
Oh. You meant that it's not helpful to John Public... Carry on, then.
The police are absolutely right this does undermine my confidence in them. Well done El Reg for taking the decision to publish this, we as the public have a right to know when the police act incompetently and stuff like this should never be covered up.
Did they explain why they felt the need to export such sensitive data into a spreadsheet and email it to multiple recipients? What need was there for 5+ people to have a copy of the requests in this format and is this compatible for the purposes the data was collected for?
Sadly, this does not undermine my confidence in police competence. It just reinforces my present (very low) opinion.
As someone else mentions below, there is a very good chance that this not an export from their database storage system - it *is* their "database" storage system.
To congratulate you on some nice and responsible journalism. A very embarrassing incident for the police, but you have pointed out the circumstances fairly and made it clear what they have done and the current impartiality constraints they are operating under. (It's called Purdah).
Yes indeed, congrats to the Reg for the very responsible journalism. It's comforting to know that when your journalists end up being given confidential information by mistake the first thing you'll do is take a sneaky peek at it.
And then a much longer look to enable you to pull together some figures about people's jobs, statuses etc.
And then write a story revealing a load of that information, albeit not personally identifiable.
But as long as you deleted it several days later it's all good.
I say it is a fault of the system.
If the system had called for the data to be encrypted before it was transmitted, this wouldn't have been a problem.*
How the hell can they think that emailing sensitive information, "in the clear", is ok!!!
Obviously as long as they didn't include the password in the email!
"Gwent Police asked The Register to consider not publishing a story about its serious data breach saying it would undermine public confidence in the force, but we declined."
Should have said, "Gwent Police asked The Register to consider not publishing a story about its serious data breach saying it would CORRECTLY undermine public confidence in the force, but we declined."
... to not publish until the enquiry had concluded - as long as this was quick (i.e. not more than 3 months).
Worrying that this could happen in all forces as there are no central standards for encryption of such data.
They should keep this information on a secure server - and send the link by email. If you don't have the credentials, the mis-communicated email would be of no use.
Ye gods - thank goodness it was sent to someone who knew what to do about it, and I salute your stance - hopefully it will get some proper data handling in place.
We can't have police forces (or indeed anyone else) expecting silence as a way of covering up mistakes.
I'm starting to like the Conservatives' more open approach, it will hopefully make things like this more transparent.
Right - I'm off to see if it's appeared on wikileaks...
It sounds as though once the original error had been made everyone responded appropriately and no-one uttered the dreaded phrase 'lessons will be learned'. The only way to make such mistakes impossible to make is to make the system unusable for its intended purpose, so as long as people 'fess up' and the people who made the mistake are the ones that are punished in some form then there is hope.
OK, not that much hope
But at least they are trying
This is a combination of too much information being held (the stupidly OTT CRB process) and poor information handling procedures. Even IT professionals can cc the wrong person; when you have this kind of information held on a desktop PC that also holds random email addresses, it's an accident waiting to happen.
The solution? Maybe a dedicated system (or just a dedicated PC) for CRB processing. Then, if someone does send out this kind of info, they have clearly circumvented security procedures, and not just made a typo.
Maybe, if they hadn't been warned.
Maybe, if they had done things properly
Maybe, if their IT systems hadn't cost the earth.
then *maybe* I might have some sympathy.
As someone who has worked in IT for 20 years, I can tell you that 20 years ago, I would have been factoring into the system measures to prevent this sort of breach happening then.
IMHO this is gross incompetence from the start. Not that it would have made any difference, but the spreadsheet wasn't even encrypted FFS.
This post has been deleted by its author
Sweet merciful crap.
Under which provision of the DPA is it acceptable to dump incredibly sensitive information like that into a plain-ol' Excel spreadsheet and fling it across the Intertubes in plaintext by SMTP? Accidental cc-ing of the Reg or not - data like that should simply never find itself being transmitted from point to point using that sort of method. I think it's fair to assume that the coppers here email critical data around like this in plain text all the time though. Utter ineptitude.
"Investigators are blaming human error for the data breach, rather than the system design."
If it's human error, the erring human concerned is the one who implemented the database in such a way that exports like this are even possible.
What conceivable reason is there for anyone needing all 10,006 names? For any sort of management or analytical purpose, the names could be replaced with anonymous codes.
The really sad thing is that how to do this properly IS well understood. I recall reading about how the (1990?) census data was stored, and how queries were processed such that only sufficiently-anonymous extracts were available. (For example, it would give precise answers to questions about large areas, but once the areas were small enough that individuals could be identified it would introduce random perturbations.) How is it that in the last 20 years, things have got worse rather than better? My guess is that the people in charge weigh up the risk of a breach ("could never happen to us") against the inconvenience of properly protecting the data, and make the wrong choice. In fact, is it a case of "VIP Passenger Syndrome"? Were the 5 recipients of this email senior, i.e. more senior than the IT person who might have considered it a bad idea?
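The two points above (replacing names with anonymous codes, and giving precise answers for large groups but perturbed ones for small groups) as a worked illustration. This is an added example, not code from the poster or from any police or census system; the records, key and threshold are constructed for demonstration.

```python
import hashlib
import hmac
import random
from collections import Counter

# Constructed sample records (fictional names and areas), standing in for a
# CRB-style extract. Only the shape of the data matters for the demonstration.
RECORDS = [
    {"name": "Alice Example", "area": "Newport", "occupation": "Taxi driver"},
    {"name": "Bob Example", "area": "Newport", "occupation": "Teacher"},
    {"name": "Carol Example", "area": "Newport", "occupation": "Nurse"},
    {"name": "Dave Example", "area": "Newport", "occupation": "Taxi driver"},
    {"name": "Erin Example", "area": "Newport", "occupation": "Carer"},
    {"name": "Frank Example", "area": "Newport", "occupation": "Teacher"},
    {"name": "Grace Example", "area": "Newport", "occupation": "Nurse"},
    {"name": "Heidi Example", "area": "Chepstow", "occupation": "Teacher"},
    {"name": "Ivan Example", "area": "Chepstow", "occupation": "Taxi driver"},
]

# Assumption: a secret key held by the system of record, never included in
# any export. A keyed hash (HMAC) gives a stable code per person that cannot
# be reversed or re-derived by a recipient who lacks the key.
PSEUDONYM_KEY = b"demo-key-kept-inside-the-database-system"

# Cells smaller than this are considered identifying and get perturbed.
SMALL_CELL_THRESHOLD = 5


def pseudonym(name, key=PSEUDONYM_KEY):
    """Replace a real name with a stable, non-reversible code."""
    digest = hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return "SUBJ-" + digest[:12]


def pseudonymised_export(records, key=PSEUDONYM_KEY):
    """Analytical extract: same rows, but no name field at all."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "name"}
        row["subject_code"] = pseudonym(r["name"], key)
        out.append(row)
    return out


def protected_counts(records, field, threshold=SMALL_CELL_THRESHOLD, seed=None):
    """Counts per value of `field`.

    Large cells are reported exactly; cells below `threshold` get +/-1 random
    perturbation so a recipient cannot pin a count on one or two individuals.
    """
    rng = random.Random(seed)
    exact = Counter(r[field] for r in records)
    result = {}
    for value, n in exact.items():
        if n >= threshold:
            result[value] = n
        else:
            result[value] = max(0, n + rng.choice([-1, 0, 1]))
    return result


if __name__ == "__main__":
    for row in pseudonymised_export(RECORDS):
        print(row)
    print(protected_counts(RECORDS, "area", seed=1))
```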
Not just Novell either.
Anyone in business these days knows the value of having a name that shares the first name and first few characters of the surname of that of someone seriously important. You can build a career out of being seen as someone who really knows what's going on, when actually all you're doing is reading all the high-level stuff that's being sent to you inadvertently.
Autocomplete in a widely used MS email product FWIW.
Ah. I understand the "Coward" bit of remaining anonymous now.
I suspect that this is _exactly_ the case. Odds are that their entire 'database' is merely a Very Large Excel Spreadsheet. Many years ago I spent literal months building a 'database' in Excel which was a bunch of linked spreadsheets, some of which were originally Lotus 1-2-3 or Borland Quattro spreadsheets translated to Excel format. (And those who recognise the names, yes, it was that long ago.) I was under the direct orders of the MD to do this, despite recommending that perhaps a real database system would have been preferable. A real database system would have 'cost too much'.
They acted appropriately ?
They threatened to fire the minion that had been told to email the data.
Not the bosses who picked the system without thinking of the problems, or who allowed data like this to be emailed around in clear, or didn't look at backup plans like detecting outside email addresses, or having a separate secure system for this type of mail.
It was PC idiot wot did it, so fire him.
"Investigators are blaming human error for the data breach, rather than the system design".
But the human beings who operate the system are part of it. If a human operator makes an error of judgment, that is every bit as much a failure of the overall system as a hard disk crash or a programming oversight. The alternative - to exclude the human element from the system - is absurd, as virtually all systems include human elements who can easily make them fail.
Of course the people who are responsible for the system (and who earn really, really big bucks on account of that awesome responsibility) like to think that they can blame anything that goes wrong on the pondlife* who do the actual work. But it ain't so - they, the big cheeses, are equally responsible for hiring and firing the pondlife, and for motivating it, giving it adequate rest breaks, and generally making sure it performs up to specification like every other system component. Gee, if they are really concerned about its performance, they might even go so far as to try talking to pondlife occasionally. You can learn a surprising amount of useful stuff that way.
*Disclaimer: don't get overwrought about my use of this simple vivid term. I am pondlife myself, and very proud of it.
I would have hoped that an organisation responsible for a great deal of sensitive information, some of which could put people's lives at risk, had some kind of DLP system deployed on their email system. It's quite simple to check outgoing email for a tag like 'NOT FOR EXTERNAL DISTRIBUTION', and hold it for authorisation before sending to external addresses. Such measures are becoming increasingly common in business where fines, loss of business and reputation are at stake.
just put a block on any outgoing unencrypted documents/ spreadsheets/ databases, even PDFs attachments on emails...?
Having the right type of service and filters can very easily stop this. People make mistakes, very stupid ones but still mistakes. A simple setup to stop outgoing unencrypted documents/ spreadsheets/ databases would stop this and sender can be notified. Whoever did the initial system design, didn't do a very good job of it (or perhaps it was the lack of financing!)
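The outbound check described in the last three posts (hold mail to external addresses that carries a distribution tag or an unencrypted document attachment), as an added example written for this thread; it is not code from any poster or from a police system. The internal domain, the tag text and the attachment-extension lists are assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumptions for the demonstration.
INTERNAL_DOMAINS = {"gwent.police.uk"}          # placeholder internal domain
SENSITIVE_TAG = "NOT FOR EXTERNAL DISTRIBUTION"
# Document types that must not leave unencrypted. An encrypted container
# (e.g. .gpg) would carry a different extension and so pass this check.
DATA_EXTENSIONS = (".xls", ".xlsx", ".csv", ".mdb", ".accdb", ".pdf")


def external_recipients(msg, internal=INTERNAL_DOMAINS):
    """All To/Cc/Bcc addresses whose domain is not an internal one."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    external = []
    for _, addr in getaddresses(headers):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in internal:
            external.append(addr)
    return external


def tagged_sensitive(msg, tag=SENSITIVE_TAG):
    """True if the tag appears in the subject or the text body."""
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return tag in subject or tag in text


def unencrypted_data_attachments(msg):
    """Filenames of attachments that look like plain data exports."""
    return [
        (part.get_filename() or "").lower()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(DATA_EXTENSIONS)
    ]


def evaluate(msg):
    """Return ('send', []) or ('hold', [reasons]) for the outbound gateway."""
    external = external_recipients(msg)
    if not external:
        return "send", []          # internal-only mail is not the gateway's concern
    reasons = []
    if tagged_sensitive(msg):
        reasons.append(f"tagged '{SENSITIVE_TAG}' but addressed to {external}")
    attachments = unencrypted_data_attachments(msg)
    if attachments:
        reasons.append(f"unencrypted data attachment(s) {attachments} to {external}")
    return ("hold", reasons) if reasons else ("send", [])


def build_sample():
    """Constructed message resembling the incident: one mistaken external Cc."""
    msg = EmailMessage()
    msg["From"] = "clerk@gwent.police.uk"
    msg["To"] = "manager@gwent.police.uk"
    msg["Cc"] = "reporter@example.com"         # the autocompleted wrong address
    msg["Subject"] = "CRB results - " + SENSITIVE_TAG
    msg.set_content("Results attached as requested.")
    msg.add_attachment(
        b"name,occupation,result\nA. Example,Taxi driver,clear\n",
        maintype="application", subtype="vnd.ms-excel",
        filename="crb_results.xls",
    )
    return msg


if __name__ == "__main__":
    print(evaluate(build_sample()))
```

In practice the gateway would queue a held message for a supervisor rather than bounce it, and the sender would be told why.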
Why the hell would anyone export over 10k records anyway? If you need a secure method, surely you would have a more secured centralised SQL server for the police force to access confidential data from?
"If you need a secure method, surely you would have a more secured centralised SQL server for the police force to access confidential data from?" -
you don't mean like a "database"?! I have reservations about the amount of information the state may be keeping on me in various databases, but I always assumed (somewhere in the back of my mind) that they were actual *databases*, only accessible by certain people that had been vetted and trained to use them. Not some poxy spreadsheet that gets cc'd to all and sundry.
damage confidence in the police?! - damage confidence in the whole damned system more like...
Once again, the "Ooh, I'll e-mail you the data as an Excel file!" workflow of the Wintards bites someone in the behind. Either some time previously or at some point in the future, when a migration away from the usual mish-mash of Excel plus "bespoke" (in other words, "shitty ad-hoc") macros is suggested, everyone will have been (or will be) up in arms about the replacement not being as shiny: "Where'd that lovely dog/paperclip/ribbon go? I want my Brand M!" <stamps foot>, followed by later whining about needing training for the next iteration of Windows/Office.
And it'll be back to banging the rocks together and umpteen copies of confidential spreadsheets littering the "network shares" and various hard disks, to be seen in an eBay auction near you.
...should be re-assured that I, for one, have greater confidence in them today than I had yesterday. Why? Well...
Yesterday, I took it as read that such incidents occur but nothing will actually change until someone *really* screws up. Today I read that someone has screwed up and the senior decision makers are red-faced. Therefore, it is likely that sensitive data is safer today than it was yesterday.
«Today I read that someone has screwed up and the senior decision makers are red-faced. Therefore, it is likely that sensitive data is safer today than it was yesterday.»
Wrong assumptions lead to wrong deductions.
1) You assume that they care and thus are going to do something about it. WRONG. They ignored the issue before ("won't happen to us") and they will most likely continue ignoring it ("can't happen twice")
2) You assume that they have the technical ability and the cash to plug the hole. WRONG. This kind of incident proves that the system is fundamentally flawed. Even if they did actually want to fix the system it would take a complete audit and redesign. Which they probably don't know how to do, and they couldn't afford to anyway.
Only thing that will happen will be a couple memos reminding everyone to check their emails' recipients list twice, and that's it.
Alas, this is just another example of a condition known as "Spreadsheet Blindness" where all critical thinking ceases as soon as data is entered or imported into a spreadsheet. Spreadsheets are an amalgam of data and application logic and presentation, yet data integrity, security, consistency and versioning is ignored; complex application programming is undertaken with no design, and put into production without any structured testing.
So we end up with financial and personal information being managed by the emailing of spreadsheets: these are deemed to be authoritative data by the recipient with no consideration of their provenance, and disseminated with no consideration of basic data management.
There is now a potential £500,000 fine for loss of data. As (by any standards) this is sensitive personal data, then I assume the ICO will take a very dim view of this.
Of course it is completely pointless fining the Police for this as it is us, the general public, who would indirectly pay for this. For issues such as this, then it is those who are in positions of responsibility that should be made to feel the pain in a personal way.
That it was sent to an IT rag who had a vested interest in being whiter than white in the handling of the document so they could report it without repercussions - what would have happened if they had mistyped the person's name and sent it to Johnny McRandom?
Why the hell this stuff isn't shared over an encrypted VPN I have no idea - even local councils have better systems than this for *non* confidential data.
It's an honest mistake, and you can't prevent everything with technology or no work gets done.
That's not to say I applaud the stupidity, but I would suggest re-thinking we all do IT in general - here is again a normal human error by someone who is entitled to handle the information, surrounded by a setup that expects the person to be perfect. Well, perfect people don't exist, so any security or containment that is based on that assumption needs rethinking.
For a start, this person will temporarily be the safest one of them all as he/she/it has burned his fingers - nothing teaches better.
Having said that, there is actually hope on the horizon as Criminal Justice is gradually growing its secure email system, and is about to roll out another tranche. From what I know it's supposed to fail safe in such a situation. I think it's Microsoft based so "safe" must be put somewhat in context, but it would be an improvement.
If this is heading towards the police, it is in my experience a very bad idea to mess with this process to put interim measures in place in technical form because it creates another bottom feeder who will be unwilling to take its snout out of the trough when the Criminal Justice system arrives, creating all sorts of extra problems fixing the problem for good.
Instead, if you really want to spend some money, train these people. Use the person who made the mistake, and do something positive with it. That's better than Yet-another-kneejerk-reaction which won't address the real issue.
And the cop who actually sent the email is not responsible, either.
«Instead, if you really want to spend some money, train these people. Use the person who made the mistake, and do something positive with it. That's better than Yet-another-kneejerk-reaction which won't address the real issue»
No. That is so incredibly wrong. Instead, you want to use some of the money to design a system that cannot dump all of its data to random email addresses. Especially not in unencrypted form (not talking password here, real encryption.). Not that the encryption thing would be very important anyway if the data handling was done properly (i.e. NOT relying on junior staff not hitting the wrong button by mistake).
I stated that such a safe(r) system IS ALREADY ON ITS WAY. What I was trying to say (but could have made a bit clearer) was that it would *not* be a good idea to ask someone to dream up an interim solution in isolation, which is typically what happens when some politician tries to fix bad press coverage with throwing some tax money at the nearest consultancy that promises to take the evil press people away (AFAIK there really isn't more thought behind the decision process).
I've seen this happen before. The result is that you create another stakeholder in the process who will try to hang on to their share of the pie by all means possible, damn the consequences, and because you now have a politician in the decision chain it becomes a mess.
As far as I know, of all the tax absorbing entities in the UK (police, government and military) only MoD appears to have had the sense to implement a fail safe, and as far as I can tell they've had this for decades.
Good job you don't run Anti-Money-Laundering checks in business!
AML, the individual is responsible, right up through the chain to the MD/CEO.
ANYONE found to have had any knowledge and failed to report it, hefty fine and a spell in chokey! No matter what position you hold from cleaner to MD, no excuses. If you knew and it's proven, tough!
Quicker we use AML type punishments for data-breaches the better it will be, then everyone top to bottom will feel the pain if they faff about with Excel ODBC-hooked up their central DBs!
..as long as you don't try to cook up another IT solution that people can point at instead of admitting they have been stupid. AML has a good approach, but you're dealing with government here, and a New Labour one at that. Realistically, if they have been getting away with avoiding responsibility for 15 years and STILL have people publicly supporting them I don't rate your chances high to get that concept introduced at so late a stage.
My point is, people make mistakes. They'll have to carry the stick for that mistake (because getting away with it teaches exactly the wrong lesson), but it is a mistake which should be taken into consideration in the sentencing. Stuff like that you need to catch in processes, and IT can help - provided you don't get in the way of something that is already happening.
I've seen some perfectly decent projects ruined because politicians needed headlines, and guess who doesn't get blamed when the whole thing veers into abject failure? Don't expect a consultancy to say "no" to the change either, because the account managers already know that a failure caused by a politician means more money from the government to get it right as they can't afford the truth to get out.
The Criminal Justice email system is expanding, and I hope they'll wrap those goons into it before long. Just be *bloody* careful with sticking something in between because the police doesn't handle change all that well. Two changes in a year is going to be too much to cope with (yes, I'm cynical, so sue me).
that's what I was told.
No names, no pack drill as they say, but as part of one of my contracts, I was required (only this week in fact) to prepare a list of 400 names for CRB vetting in blocks of 50 in excel spreadsheets. I pointed out that sending these as attachments to an email was like sending them on the back of a postcard and asked how we should encrypt them and pass them the key separately.
The answer was don't bother, just send the data. "We aren't set up to deal with encrypted messages". I'd say that IS a (fairly major) System Design flaw...
You have actually touched the very root of the government data management problem: the government actually does not have an encryption standard. AFAIK, they're now going to set up PGP but until now they have had nothing. Nada. That's why there are also no processes dictating the encryption of media and data leaving the door: the question would have been "with what?".
Interesting that most reporters didn't ask that basic question.. Another one to ask (when they admit it) is "why?". Could be interesting to see what they dream up as answer..
While this is clearly a breach in terms of the DPA... WTF? The info "leaked" is already a matter of Public Record... if you get prosecuted for something it's published in your local rag... and most of what we're talking about here a private dick/gum-shoe could find out anyway...
Quite frankly, I'm more worried about the NHS Summary Care Record and what they're likely to leak all over the place...
«The info "leaked" is already a matter of Public Record...»
So I believe your name, address, current and prospective occupations are regularly published in your local rag? As well as that time when you got lectured by the plods for roving in the streets while drunk? And that time when they suspected you of being a pedorrist for taking pics in public space, and confiscated your camera? And that time when they questioned you as part of this rape case only to discover that you were abroad at the time? You don't need to be convicted (or even seriously suspected) of any misdeed to have a non-clean CRB check.
Wrong on so many levels.
If the document contains such sensitive information, the most that should have been permitted is an email of a link to where it can be found, accessible only to those who have the correct level of password authority.
Allowing autocomplete is madness as well, but that's not the only way to create this sort of cock-up. I do remember someone once sending an insulting message concerning a promotion and the Peter Principle to a colleague. Sadly he managed to cut & paste the subject into the CC field. The subject contained the word "engineering". Guess what the email alias for the whole of the engineering organization was? Of course he then compounded his error by trying to apologise, instead of just taking a month's vacation...
"It's an honest mistake, and you can't prevent everything with technology or no work gets done."
But you CAN prevent stuff like THIS happening without affecting how people work.
Simply having a password over the excel file, whilst not great, would be better than nothing.
The file itself should be encrypted - at the very least flagged up when some low level person exports over 10 thousand entries from the database.
None of this will prevent work being done or slow down what they're doing - but it CAN be prevented VERY EASILY.
Flagging is pointless as either someone should be allowed to export that much data or they shouldn't - no one will react to a notification that someone has done something they are permitted to do and by the time it has been emailed to a journalist it is far too late.
Similarly password protecting an Excel file is next to useless and near-impossible to enforce.
Putting information to which there should be limited access in contact with tools that are designed for the easy dissemination of information (and both SMTP email and Excel are really very good at this) is the problem and removing the convenience these tools bring is bound to affect how people work - there's really no point doing anything that doesn't.
While there is a reasonable chance that the ability to email sensitive data without encryption (or indeed to lack the ability to use encryption) was down to poor system design, there are other (equally depressing in many ways) possibilities
1) The system designer included secure email, but was overruled by
a) His boss, who had to try and deliver to the price the salesman had promised
b) The Police contract negotiator (who cut scope to save us money!)
2) The design included secure email, but it was not implemented.
a) Because it could not be delivered on time, so his boss cut scope to make it fit.
b) Because it could not be delivered on time, so the salesman cut scope...
c) Because the delivery schedule just didn't allow time to test it.
Unfortunately IT contracts are often negotiated by people who not only do not have sufficient technical knowledge to understand the details of them, but who consider 'big name' and 'lowest basic cost' to be the most important factors. Typically these people are unlikely to listen to anyone who does understand ideas such as requirements analysis, specification, design, testing, hence the large number of failed IT projects.
GORDON FUCKING BENNETT!!!!
But having had a nice cup of tea and a lie-down, I find it harder to put the blame on Mr. or Mrs. Plod.
Was (s)he trained in using this system? IT (rather than nightstick) literate?
How the hell could this happen - and it goes further - much further than this one person. Nope, this Plod is being made a scapegoat for the entire lack of security* of their IT system. The PFY of Gwent Police should be seriously 're-educated' by his own over-voltage cattle-prod.
Christ, I've even had to 'advise' someone who was using the pub computer to check his accounts - in view of me - then advise it's best to log out of the bank, showing the account, balance etc. with full access to it for every Tom Dick and Harry while he wandered off to play Billiards. Left it totally open. OK, it'd auto-shutdown after 15 minutes, but I could've done a lot of damage in that time.
System's as good as the 'nanny' who looks after it, not a possibly neophyte user.
*Just wondered - were they using Vista...Nah. Surely not.
There is no possible reason for multiple copies of that file to exist.
Nobody can handle that many individual names or details - only a summary could be useful. If they need details on an individual they can go to the *single* master copy for it. (And possibly their access gets logged.)
Making multiple copies is ludicrous - all it does is take the data out of any control. And it can never be properly updated or deleted, because you can't be sure how many copies there are or where they are.
It's completely wrong headed for any information, let alone confidential stuff.
And this was found by chance. Which makes it almost certain that it was not an isolated instance, but probably standard practice.
An underlying factor in this (and many other) wrongful disclosures is "Spreadsheet Stupidity" --
Part A: People twist and warp spreadsheets so they are used for things they should NOT be used for; and,
Part B: People BELIEVE (due to poor education) that spreadsheets are "where data should live"; they see a row/column display (of any type) and think, "that's a spreadsheet!"
This sort of data has NO PLACE in a spreadsheet!
If a plod needs to look something up, the system should have them look at a database. Even the SQL-ignorant can enter search parameters into a GUI front-end.
Statistical analysis, if needed, can be done via SQL and/or various report generators.
DO NOT EXPORT DETAIL DATA.
Q. "Bu-bu-but my Big Screen Presentation to the Police Big Cheese!..."
A. Connect your laptop to the secure wired network and to the screen projector. Show your saved-within-the-system, not-on-your-hard-drive-and-not-on-external-media, results.
Q. "Bu-bu-but my Big Screen Presentation to the Police Chiefs Conference in Bermuda!..."
A. The other Police Chiefs have no need-to-know to see DETAIL-level data. Your statistical analysis results (pre-computed before you headed to Bermuda)/Powerpoint can be carried on your encrypted-for-good-measure external media.
Q. "Bu-bu-but my Big Boss wants to see the quarterly stats and I need to email him/her my results..."
A. As with the Police Chiefs Conference, you can send your boss the stats.
Q. "Bu-bu-but Interpol wants to know about Suspect X!..."
A. (This is an instance of authorized, limited-scope data export) Verify that it's an authorized Interpol agent making the request (and not my brother calling you up from a telecoms closet), log the request and authorization details, run the query, and send the agent the results for Suspect X (and NOT the whole god-damned database, and NOT all database records for persons whose last name is "Smith").
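The "authorised, limited-scope export" in the last answer, as an added example for this thread (not the poster's code and not any real police or Interpol interface): each request is checked against a list of authorised requesters, logged whether it succeeds or not, restricted to an exact reference rather than a surname search, and capped at a single record. The requester list and record references are constructed placeholders.

```python
import datetime

# Constructed records; "ref" stands in for the database's unique identifier.
RECORDS = [
    {"ref": "GP-0001", "name": "John Smith", "area": "Newport"},
    {"ref": "GP-0002", "name": "Jane Smith", "area": "Cwmbran"},
    {"ref": "GP-0003", "name": "Suspect X", "area": "Chepstow"},
]

# Assumption: requester identities are established out of band (e.g. a
# call-back through a known switchboard, or a signed request) and the
# resulting identifiers are recorded here. Anything else is refused.
AUTHORISED_REQUESTERS = {"interpol-agent-7": "Interpol"}

MAX_RECORDS_PER_EXPORT = 1
AUDIT_LOG = []   # in a real system this would be append-only storage


class ExportRefused(Exception):
    pass


def _log(requester, subject_ref, outcome):
    AUDIT_LOG.append({
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "requester": requester,
        "subject_ref": subject_ref,
        "outcome": outcome,
    })


def export_subject(requester, subject_ref, records=RECORDS):
    """Return the record(s) for one exact reference, or refuse. Always logged."""
    if requester not in AUTHORISED_REQUESTERS:
        _log(requester, subject_ref, "refused: requester not authorised")
        raise ExportRefused("requester not authorised")

    # Only an exact reference is a query; a bare name is a search, not an export.
    if not subject_ref.startswith("GP-"):
        _log(requester, subject_ref, "refused: not an exact subject reference")
        raise ExportRefused("export requires an exact subject reference")

    matches = [r for r in records if r["ref"] == subject_ref]
    if len(matches) > MAX_RECORDS_PER_EXPORT:
        _log(requester, subject_ref, "refused: scope exceeds cap")
        raise ExportRefused("request matches more than one record")

    _log(requester, subject_ref, f"exported {len(matches)} record(s)")
    return matches


if __name__ == "__main__":
    print(export_subject("interpol-agent-7", "GP-0003"))
    for entry in AUDIT_LOG:
        print(entry)
```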
As far as we know, Gwent Police were contacted by The Register. If they already knew what had happened, why had they not contacted The Register.
How do we know this hasn't happened before?
There seems to be a gaping hole in the security model they've based this system on.
(But note that a great many Police Officers might have an unpredictable need to check this data. So, with Taxi drivers on the list, how do they check a drivers license?)
I have previously worked at a company where I handled customer data, and it generally ranged from "extremely valuable" to "holy fuck I had really better not do anything wrong with this."
As such, auto-complete was banned throughout the entire company, and no customer data was sent over email (even internally) without encryption, and with the password /not/ in the email.
Then, if you had turned on auto-complete and sent something unencrypted to the wrong person (god forbid a different customer, since they all generally competed in the same space) then it was undoubtedly human error, and negligence, and the employee almost always got fired for it.
If you don't have that sort of thing built into your policy, then yes, your system is broken.
1. Why sensitive data in a spreadsheet of any kind? Because spreadsheets are the vehicle of choice for ad hoc data analysis.
2. Why emailed to El Reg? Because of that goddamned autocomplete feature. Microsoft, in their drive to dumb down the computing experience for Joe and Jessie Sixpack, have a nasty habit of implementing features like this without thought for the downside, and the habit has spread far and wide. I'm a reasonably intelligent person, but even so have been bitten on the ass by autocomplete from time to time. The problem is compounded because the To: text box probably isn't big enough to show all the data entered, and the programming is too mickeymouse to auto-enlarge that box.
3. Why a fuckup? Because the culpable party was probably not trained/educated in safe data handling techniques. Because instead of having people on staff specifically tasked with carrying out ad hoc analyses, everyone is deemed capable of doing so. You hire idiots, pay them idiot wages, don't properly educate them, and what you get is idiot behavior. A variant on the old garbage in, garbage out scenario, if you will.
4. Why not encrypted? Sheer incompetence on the part of those specifying the email software, along the lines of Jonathan Carlaw's analysis. It seems obvious that email software used in critical applications (e.g. law enforcement) should have encryption turned on at all times. If this means that coppers can't email their mistresses to arrange a lunchtime rendezvous, so be it.
5. Why not have all this stuff corralled inside a network with no connection to the outside world? I don't know.
On the whole, it sounds like no competent, experienced IT person was in a position of authority to dictate system features. Perhaps the lesson is that being higher in the hierarchy than someone else does not entitle managers to override technical decisions made by underlings.
"Why emailed to El Reg? Because of that goddamned autocomplete feature. Microsoft, in their drive to dumb down the computing experience for Joe and Jessie Sixpack, have a nasty habit of implementing features like this without thought for the downside"
Now I'm as happy to blame Microsoft for crap things as the next commentard but I'd consider it beneath me to slate them for my failure to take responsibility for my own actions.
It's a sodding useful feature; like you I wouldn't turn it off.
And, as the article points out it was Novell's email software that was being used. Even if Microsoft invented Autocomplete of addresses (did they? doubt it.) it is a bit much to blame them because another firm copied it and then an unlucky wally failed to check what it had done.
There is only need for one single point:
1) why is the database system allowed to spew out 10,000+ _complete records_?
Because the system is fucked up and needs to be redesigned, preferably from scratch. End of.
The email client has nothing to do with it, nor has the poor plod who hit "send". They could have *mitigated* the issue but given the type of data -and the wide availability of solutions designed precisely for this kind of things- they should NOT have to do any mitigation in the first place. Good practice data handling by base-level plods should be _at most_ a redundant 3rd-line security feature, not the only bloody one.
System is a clusterfuck of FAIL.
When I installed some internet facing machines in a Nottingham police station a few years ago, we had to go to great lengths to label them as internet facing and install a separate LAN for such machines to sit on. The police have a national network already for exchanging data not for public consumption. To find out that a sensitive document was sent in plain text across the internet beggars belief. The rest of the excuses about how it happened are unimportant. The fault lies right there. That the document was stored on an internet facing machine in plain text should be investigated, not just the poor plod that pressed the wrong button; the button shouldn't be there to be pressed. Woeful.
1) System (I'll give them the benefit of the doubt the spreadsheet is an extraction from a *real* database) allows *wholesale* download to spreadsheet.
2) System does not permit sharing of a data view by relevant authorised staff (maybe it does but senior plod "too busy" to learn how)
3) Auto-complete on. (Set Fail Probability level to 11).
4) Junior Plod unaware/not allowed to use encryption/password on file
5) JP fails to check recipients list before pressing send.
6) Email system does not filter/warn email going outside office with attachment.
*any* of these would have stopped (or substantially mitigated) the fault process in its tracks.
They say failure is an orphan. *not* in this case. It had plenty of fathers.
"Investigators are blaming human error for the data breach, rather than the
Phil E. in the comments says: "If it's human error, the erring human concerned is the one who implemented the database in such a way that exports like this are even possible."
Hate to break the bad news to you but there probably IS no database. They've just been adding stuff to an Excel file and using Control-F to look through it.
Anyway, investigators are wrong. A spreadsheet is not a database. A database has access controls. A database would have access controls. A database would discourage officers from just trolling through information, as lookups would be logged. Finally, people accidentally forward documents (like an Excel file) while people don't accidentally forward a database 8-) Finally, if they DO have a database, but it allows export of that many records, it is broken.
Heads *need* to roll for this. I mean what happens when dozens of people get Das Boot from their high paid jobs because they failed to disclose that they got busted for possessing an ounce of weed back in the '70s.... which I might add shouldn't even be on the records after that length of time.
Fail on a googol levels.
AC, because I really, *really* hate getting raided when working on my fusor...
Or maybe not, Gwent Police don't have a Head of IT anymore. What they do have is an umbrella manager who has no experience of managing police information and by the admission of his own council staff is not concerned with security.
I expect the Register will get a lot of copy from Gwent Police over the next few months.
Novell eMail application were they using ?
I have to say, I have been using SeaMonkey eMail client for several years under various Microshaft OSes,
However, having gone over to Ubuntu for a dreadful few months, I am now running OpenSuse Linux and I am forced to say that SeaMonkey is very very wonkey by comparison to the Windose versions.
This morning the preview pane opened up by itself, one of my Junk folders decided it wanted to be open on a TAB of its own (?) and the message headers are often all screwed up (?)
Still, plod doing this sort of stunt just makes the whole thing a fucking farce. As per expectations.
Seamonkey isn't a Novell e-mail application, it's from Mozilla and I very much doubt the plod are using it.
It's more likely an enterprise level E-mail system such as Novell Groupwise...
Remember, before Novell bought SuSE they had Netware.
Still it's pretty shite that the Gwent plod are allowing this data to be exported like this.
You shouldn't have published because in fact the article achieves nothing other than good copy for El Reg.
The fact is it was an innocent mistake. The person responsible would have been in just as much trouble whether the article was published or not. The IT systems would have been adjusted to make sure such a breach does not occur again whether the article was published or not (password/encrypt/monitoring of outbound attachments etc). The article does therefore only serve to undermine confidence in a public service in which it is essential the public has trust.
Of course it's a fine line between what is in the public interest at the expense of public confidence.
When I was reading your article I thought to myself that it was not a good one to publish and that there are far more great police officers in the various forces than there are bad and that articles such as these just undermine everyone but for no actual public achievement/gain. It was right of you to add in the line at the end about disclosure but I feel that you got it wrong on this occasion.
Next time ask yourself; what does making this story public achieve? What are my real/honest motivations for publishing the story?
"When I was reading your article I thought to myself that it was not a good one to publish and that there are far more great police officers in the various forces than there are bad and that articles such as these just undermine everyone but for no actual public achievement/gain"
Are you serious, or just a master of deadpan comedy? Of course bringing a massive breach in data security like this to public attention benefits the public interest. Covering it up would just allow whichever idiot oversees this lax operation to sweep it under the carpet. Airing it means that 10,000 people can now ask just who else their confidential data has been accidentally emailed to, and also makes sure Gwent Police have to seriously improve their procedures.
....your bank gives out your account details by mistake, you want it kept quiet because it undermines the public confidence in banks?
....HMRC emails your tax login details to everyone on its mailing list, you want it kept quiet because it undermines the public confidence in the Tax office?
....The Company you work for gives out the details they hold on you to everyone in the Company (Salary, Bank Account, Home address, CV, pension details, NOK details, annual appraisal etc), you want it kept quiet because it undermines the confidence in the Company's workforce?
And then when they do it again......and again......and again..........
That is what you mean, isn't it?
/icon of a muppet/
Is that just a nom-de-plume - you're actually a Polic3man ?
What's the chance that we'd have ever heard about this if El Reg hadn't published? Sounds as if Gwentplod weren't even aware that they had sent it to the wrong person until they were advised by El Reg, which suggests that they send confidential data in an insecure manner *all the time*. I seriously doubt "the IT systems would have been adjusted" in any way, or have been even now.
Gwent Police : redefining the word EPICFAIL.
Paris, cos even she has more of a clue when it comes to not revealing secrets to the world.
>> The IT systems would have been adjusted to make sure such a breach does not occur again whether the article was published or not
IF that were true then maybe you'd have a point. But it would have been hushed up and ignored. "No harm done, no one found out. We'll keep everything as it is and it definitely won't happen again."
How does CRB check work behind the scenes:
- CRB asks the organisation which is allowed to process the forms to scan them and extract data from them into a (usually) pretty big file
- CRB then expects the organisation to upload the pretty big file via FTP to them (yep, unencrypted, but 'password protected').
- CRB then does 'the check' and sends letters
I wouldn't be surprised if they were expecting data delivery from various police forces in a similar way.
Anon cause... - well, guess why.
> The Register has now deleted the file in cooperation with Gwent Police’s professional standards officers ..
Will it also be deleted from the numerous email servers it passed through on the way to you, and what the F**K are they doing emailing such files over the Internet ????
This incident should scare everyone deeply, not for what was revealed but for what must surely be going on that we don't know about. There must be thousands of incidents of stupidity/negligence every day that are business as usual and never found out about. As they say, the problem is not that you broke the law, but that you got caught!
Not in AutoComplete, not in the plod, and not in the Gwent police.
The fault lies in data of this nature being held in a stupid frigging data file that can be moved from machine to machine, and without encryption.
It needs to be some sort of server (SSL?) in which the Plod must log in to interrogate the data. He can look, he can cross-reference, he can run off printouts. Everything being logged. And if nothing happens for more than 15 minutes, he is kicked off and blocked from logging in for an hour (get the wally to remember to log the hell out when done). The file is encrypted and held in one place which is only accessible via the front end. If references need to be given to colleagues, then the URL of the current entry can be pasted into an email, and upon following the link... log in request.
Why does this seem to be so difficult?
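As an added illustration of the access model the comment above sketches (this is example code, not anything from the thread or from any force's actual system): records are held server-side and reached only through a logged-in session, every lookup is written to an audit trail, a session idle for more than 15 minutes is killed and the user locked out for an hour, and a colleague is given a link rather than a copy. The record store, user names, URL and clock are constructed placeholders; the clock is injected so the timeout can be exercised without waiting.

```python
"""Session-gated record access with audit logging, idle timeout and lockout.

Added example, not code from the original page. All data, names and the URL
are constructed for illustration.
"""

IDLE_LIMIT_SECONDS = 15 * 60   # kick the session after 15 idle minutes
LOCKOUT_SECONDS = 60 * 60      # then refuse logins for an hour
RECORD_BASE_URL = "https://records.example.internal/record/"  # placeholder


class RecordService:
    """Front end over a record store that is never handed out wholesale."""

    def __init__(self, records, clock):
        self._records = dict(records)   # server-side only; no export method exists
        self._clock = clock             # callable returning seconds (injected for testing)
        self._sessions = {}             # user -> time of last activity
        self._locked_until = {}         # user -> time lockout ends
        self.audit = []                 # (time, user, event) tuples

    def login(self, user):
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            self.audit.append((now, user, "login refused: locked out"))
            return False
        self._sessions[user] = now
        self.audit.append((now, user, "login"))
        return True

    def logout(self, user):
        now = self._clock()
        if self._sessions.pop(user, None) is not None:
            self.audit.append((now, user, "logout"))

    def _touch(self, user):
        """Validate the session, enforce the idle limit, and refresh activity time."""
        now = self._clock()
        last = self._sessions.get(user)
        if last is None:
            raise PermissionError("not logged in")
        if now - last > IDLE_LIMIT_SECONDS:
            del self._sessions[user]
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self.audit.append((now, user, "session expired after idle; locked out"))
            raise PermissionError("session expired")
        self._sessions[user] = now
        return now

    def lookup(self, user, record_id):
        """Return one record for a live session; the lookup itself is logged."""
        now = self._touch(user)
        self.audit.append((now, user, f"lookup {record_id}"))
        return self._records.get(record_id)

    def link_to(self, user, record_id):
        """Give a colleague a reference, not a copy: following it still requires login."""
        now = self._touch(user)
        self.audit.append((now, user, f"shared link to {record_id}"))
        return RECORD_BASE_URL + record_id


def demo():
    """Walk through login, lookup, idle expiry, lockout and recovery on a fake clock."""
    now = [0]
    svc = RecordService({"R1": {"subject": "constructed sample"}}, lambda: now[0])
    svc.login("pc1")
    first = svc.lookup("pc1", "R1")
    now[0] = 16 * 60                      # 16 minutes idle: session should be dead
    try:
        svc.lookup("pc1", "R1")
        expired = False
    except PermissionError:
        expired = True
    relogin_during_lockout = svc.login("pc1")
    now[0] += LOCKOUT_SECONDS             # lockout over
    relogin_after_lockout = svc.login("pc1")
    return first, expired, relogin_during_lockout, relogin_after_lockout, svc.audit
```

Note that the service deliberately has no "give me everything" method: the only way data leaves it is one record at a time, through a session, with a log line for each lookup, which is the property the comment is asking for.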
"Gwent Police asked The Register to consider not publishing a story about its serious data breach saying it would undermine public confidence in the force, but we declined."
My confidence was undermined far more by the fact that they asked the Reg to keep quiet about than by the leak.
What's the pass mark you have to hit now for getting in the force,as it's constantly being lowered so all and sundry can get in to fill those otherwise empty seats ?
I'll take a guess;
5ft at least, a waist of 50 inches max, able to get over excited and feel physically threatened at the slightest of things and the ability to put one foot in front of the other (and in your mouth on numerous occasions) (when you eventually get off your arse once in a while, that is) !?
is why someone felt the need to have extracted ANY info from the CRB database to be stored, presumably locally, on a poxy spreadsheet. It's not just the twat who accidentally sent it that should be 'disciplined', but also whoever put the spreadsheet together. And also, if the CRB database is being abused by one force, would we be wrong to presume that it's being abused by them all?
Many forces use a system where you can't send an email without giving it a protective marking ('Not protectively marked', 'Restricted', 'Confidential'). If you try to send anything higher than 'Not protectively marked' outside the secure government network, the client refuses.
Obviously it doesn't stop you from sending to the wrong person within that network, but it'd stop you sending it to some hack who must have made lemonade in his pants when he saw it :)
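Two of the controls commenters describe, the protective-marking gate in the post above and the "filter/warn email going outside office with attachment" point in the earlier numbered list, fit naturally into one outbound check. The following is an added example (not code from the thread or from any force's mail system): a message must carry a marking, anything above 'Not protectively marked' addressed outside the trusted network is refused outright, and an attachment leaving the office is refused unless the sender has explicitly acknowledged the external recipients. The marking names follow the post; the domain names and sample messages are constructed placeholders.

```python
"""Outbound-mail gate: protective marking plus external-attachment warning.

Added example, not the page's own code. TRUSTED_DOMAINS and every address
below are constructed placeholders.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Tuple

# Ordered least to most sensitive; list index is the rank.
MARKINGS = ["Not protectively marked", "Restricted", "Confidential"]

# Domains reachable over the secure network (placeholder values).
TRUSTED_DOMAINS = {"force.example.police.uk", "secure.example.gov.uk"}


@dataclass
class OutboundMessage:
    sender: str
    recipients: List[str]
    marking: str
    attachments: List[str] = field(default_factory=list)
    # The sender must tick this before an attachment may go external.
    acknowledged_external_attachment: bool = False


def recipient_domain(addr: str) -> str:
    """Domain of an address written as 'a@b.c' or 'Name <a@b.c>', lower-cased."""
    _, email = parseaddr(addr)
    if "@" not in email:
        raise ValueError(f"malformed recipient: {addr!r}")
    return email.rsplit("@", 1)[1].lower()


def external_recipients(msg: OutboundMessage) -> List[str]:
    """Recipients whose domain is not on the secure network."""
    return [r for r in msg.recipients if recipient_domain(r) not in TRUSTED_DOMAINS]


def check_outbound(msg: OutboundMessage) -> Tuple[bool, List[str]]:
    """Return (allowed, findings).

    findings holds one line per rule that fired, prefixed 'refuse:' or 'warn:'.
    The message is allowed only if no 'refuse:' finding is present.
    """
    if msg.marking not in MARKINGS:
        # No marking at all means the client must not send it anywhere.
        return False, [f"refuse: missing or unknown protective marking {msg.marking!r}"]

    findings: List[str] = []
    external = external_recipients(msg)
    rank = MARKINGS.index(msg.marking)

    # Rule 1: anything above 'Not protectively marked' stays on the secure network.
    if external and rank > 0:
        findings.append(
            f"refuse: {msg.marking!r} message addressed outside the secure network: {external}"
        )

    # Rule 2: attachments leaving the office are warned about, and blocked
    # until the sender has confirmed the recipient list.
    if external and msg.attachments:
        if msg.acknowledged_external_attachment:
            findings.append(f"warn: attachment(s) {msg.attachments} leaving the office to {external}")
        else:
            findings.append(
                f"refuse: attachment(s) {msg.attachments} to external recipients {external}; "
                "recipient list not acknowledged"
            )

    allowed = not any(f.startswith("refuse:") for f in findings)
    return allowed, findings


if __name__ == "__main__":
    # Constructed sample: a marked spreadsheet mis-addressed to an outside domain.
    msg = OutboundMessage(
        sender="pc@force.example.police.uk",
        recipients=["Sgt <sgt@force.example.police.uk>", "reporter@news.example.com"],
        marking="Restricted",
        attachments=["checks.xlsx"],
    )
    ok, why = check_outbound(msg)
    print("allowed" if ok else "blocked", why)
```

Rule 1 is the one that would have stopped the incident in the article regardless of auto-complete: the marking travels with the message, so the client needs no judgement from the sender beyond choosing the marking in the first place. Rule 2 is the weaker "warn" control from the numbered list; it still depends on the sender reading the prompt, which is why it is layered behind the marking check rather than relied on alone.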
My girlfriend volunteers for an organisation and just happens to have the same name as one of the HR staff. So she gets sent all manner of things - usually people's personal details - which have nothing to do with her. At the same time, the intended recipient doesn't get these mails. She mails them back saying "You shouldn't be sending me this stuff", they mail back saying "Oh sorry, we've taken you off our list now". Then it all goes quiet for 3 weeks, then starts again.
Are Gwent police now investigating themselves thoroughly for data breaches????
Surely as there is clear evidence of them having committed one offence they should now start checking every email they have sent for the last X years (where X is defined by their data retention policy, probably 10 years for secret type data) and making sure that no other incidents have occurred.
What about all the similar emails that were sent to criminals? (because I'm sure the police must email ex-cons and the like more often than innocents?)
This sort of cost as a result of a single incident is about the only way to ensure that they spend the money getting it right in the first place.
When it's "if an email goes awry it costs us a few quid to delete" then it's cheaper to get a crap system in place.
When it's "if an email goes awry then it costs us a shed load of money to investigate" then it's suddenly a lot cheaper to do it right first time.
Our 'organisation' is forbidden from communicating with Gwent Police by e-mail because of its known high level of mail insecurity and reputation for data cock-ups. It's not a new issue; it's just gone national, that's all!
I'm already in trouble for refusing to complete any security clearance forms because they lost one of mine in 1997 that caused me a lot of grief for years.
I expect to be unemployed fairly soon.
Anon? You bet. Be safe!
And so will everyone else soon. Have a look at the South Wales Argus. Gwent Police are getting into bed with the local councils to share data centre, desks, staff etc. So now, not only do you have to worry about the competence of police staff but also council staff to look after your data. And bearing in mind this is a public sector project run by a 'manager' with no experience of managing police data it's already over budget and way late. It would have made far more sense to merge Gwent Police with South Wales Police rather than the councils, at least they'd have something in common. Not the best way to spend our taxes but hey, once you're high enough in the council what can they do to you.