Pants on fire.
"The government takes information security extremely seriously". Enough said really,
UK official LOSES Mark Duggan shooting discs IN THE POST
Discs containing information from three sensitive police inquiries – two of which involved highly controversial shootings in London, including that of Mark Duggan – have gone missing after being sent through the post. Yeah, you read that right: sent through the post. The information covers probes into the role of the police …
-
Friday 30th January 2015 14:14 GMT Anonymous Coward
Faith in humanity, I've heard of it.
This comes to light at the same time as the abuse victims' details being "accidentally" leaked on the Commons website?
I feel I must clarify that I do not respect Russell Brand before I quote him that incompetence on this scale is indistinguishable from malice.
-
Friday 30th January 2015 15:11 GMT Anonymous Coward
Re: Faith in humanity, I've heard of it.
> I quote him that incompetence on this scale is indistinguishable from malice.
It's not his quote; that's Grey's law (which itself is another way of stating Hanlon's razor).
-
-
-
Tuesday 3rd February 2015 11:11 GMT Anonymous Coward
Re: It's sad but...
we've had everything from CD's to mothercare vouchers stolen whilst in the post (yes, post office, when I get the recorded envelope through the letter box without signing and missing contents it's been stolen).
They look for certain envelope types and stuff, it's big business and computer CD's may contain useable details and sell for lots to the 419 rings, boiler rooms etc.
So don't think they were not targeted for being media that may contain, not for their actual contant.
Maybe now some scammers are demanding money to not release the details of the shooter?
-
-
Friday 30th January 2015 14:31 GMT JimmyPage
They CANNOT be the only copies
and they were encrypted to GCHQ approved standards
the mind boggles.
Just WTF are we paying for with all these government IT contracts.
In a way I *do* hope something bad happens as a result. It might just wake someone somewhere up.
By the way, my choice of icon is deliberate. This is in no way a "fail". It's sheer WTF all the way.
-
Friday 30th January 2015 14:48 GMT Anonymous Coward
Now let me guess
The one person who has been suspended is low down the payscale but apparently wrote the data protection policy for everyone? I just can't see how it is one persons wrap.
"I had access to all this super sensitive information, so I copied it off to some disks and nipped down the post office, was that wrong? oh sorry."
Meanwhile phrases like "take some time off, keep your head down" were muttered around bosses offices.
I'm off to buy me some shares in a paint firm, whitewash specialists.
-
Saturday 31st January 2015 17:16 GMT Christine Munro
Re: Now let me guess
"The one person who has been suspended is low down the payscale but apparently wrote the data protection policy for everyone? I just can't see how it is one persons wrap."
Yeah, I had that one when Oxford's John Radcliffe Hospital* emailed me the (frankly appalling) response to another patient's complaint in entirely unnecessary detail and presumably did likewise with mine.
When I contacted them, they assured me that the nameless person who sent the email was no longer working for them. Though given that they didn't name them, didn't say why they were supposedly no longer working there and made no reference to confidential medical information being sent using standard plaintext email, in contravention of their working practises, and by people probably not authorised to do so, I don't feel a great deal of confidence as a result of their response.
I did try reporting it to the ICO, who were utterly useless, which is probably why this sort of thing keeps happening and is going to keep happening.
* who are apparently already following an "undertaking" because of previous carelessness with personal information. I'm sure they're quaking in their boots.
-
Monday 2nd February 2015 12:17 GMT Hans 1
Re: Now let me guess
>When I contacted them, they assured me that the nameless person who sent the email was no longer working for them. Though given that they didn't name them, didn't say why they were supposedly no longer working there and made no reference to confidential medical information being sent using standard plaintext email, in contravention of their working practises, and by people probably not authorised to do so, I don't feel a great deal of confidence as a result of their response.
Indeed they upgraded the server hardware of the mail-response system that was not thread safe - so indeed "another person".
-
-
-
Friday 30th January 2015 14:50 GMT Goldmember
FFS...
... Not this again. And still using DISCS IN THE POST to send sensitive info? The ICO should issue the maximum fine for a data breach for that act alone, plus a fine for each case.
I really hope the discs were encrypted, but gov agencies have form for not doing so. And if not, then another maximum fine should be issued for each disk that failed to have this in place.
-
-
Friday 30th January 2015 15:35 GMT Doctor Syntax
Re: And still using DISCS IN THE POST
"Royal Mail Special Delivery is specifically mentioned as a permissible transmission channel for everything up to Top Secret"
In this case we don't know the marking nor whether it was Special Delivery. For all we know they were sent 2nd class in which case they might be delivered tomorrow.
-
Friday 30th January 2015 17:07 GMT theblackhand
Re: And still using DISCS IN THE POST
"Royal Mail Special Delivery is specifically mentioned as a permissible transmission channel for everything up to Top Secret"
Or, to translate for Police and associated staff:
Royal Mail Special Delivery is specifically mentioned as a permissible transmission channel for everything up to Top Secret. To use this service, shred all information and send an empty envelope to the recipient. In the off chance this is not "lost" by Royal Mail or consciencous Police staff, when the recipient recieves the empty envelope and contacts you advise them the contents have been stolen.
-
Friday 30th January 2015 22:18 GMT Graham Marsden
Special Delivery??? - Re: And still using DISCS IN THE POST
> Royal Mail Special Delivery is specifically mentioned as a permissible transmission channel for everything up to Top Secret.
Which isn't as Special as you might think.
I sent a delivery of custom-made items to a long-time customer whom I know and trust. A little while later he contacted me saying that he hadn't received the items.
Checking with Royal Mail, they said "well they were signed for and the GPS location was at his address, so as far as we're concerned, he's got them" despite the fact that a) he lives alone and b) it wasn't his signature, nor was anyone else there or authorised to sign for them.
Their response "we asked the Postman and he said he'd delivered them, so that's that, screw you, you're not getting any compensation..."
-
Friday 30th January 2015 15:33 GMT Doctor Syntax
Re: FFS...
"ICO should issue the maximum fine for a data breach"
It would make no difference in this case as fines just go to HMG. Now a fine to be paid personally and not reimbursable by the depts. Perm Sec or minister. That might have some effect. For one thing it would be made clear all the way down the chain that this would be a sacking offence.
-
Friday 30th January 2015 15:33 GMT Bob Wheeler
Re: FFS...
The only problem with the ICO handing out the maximum fine to the MoJ is that it's not their money, it's tax payer money moving from one piggy bank to another.
If you really want to get prople's attention, it's the prospect of JAIL TIME, not a FINE that will make the muppets wake up (I hope)
-
Friday 30th January 2015 16:33 GMT Anonymous Coward
Re: FFS...
"still using DISCS IN THE POST to send sensitive info?"
Why not?
Using the post seems to have a certain amount of plausible deniability with the politicos, when inconvenient information conveniently goes missing.
As others have noted, the politicos are so ignorant that they typically get away with not asking about backups and the like,
-
Friday 30th January 2015 17:42 GMT Anonymous Coward
Re: FFS...
The ICO should issue the maximum fine for a data breach for that act alone, plus a fine for each case.
That will have absolutely zero effect - they will be paying that with your tax money anyway so all you do is sponsor some lawyers and accountants to ship some money around.
I think this is really enquiry level stuff as it keeps happening - clearly something is fundamentally wrong there and it is time someone start digging deep enough that people start paying attention. This is not some expenses for a duck house - it's on an entirely higher scale altogether, also because that just happens to contain data from an extremely sensitive investigation. Call me cynical, but I have long stopped believing in accidents.
PNN and GSI have been around for some 15 years or so - don't try to tell me they have as yet to develop a way to securely transport data of that level of sensitivity, because then I want to know how it is possible that Youth Justice cases (read: concerning minors) ARE going via email.
It's time to stop the excuses - it's all too easy to say, "oops, silly me again". Until there is some personal accountability introduced this is not going to improve, and an enquiry will at least start to heat up some rear ends.
-
-
Friday 30th January 2015 14:53 GMT LucreLout
Lessons will not be learned
I can confidently predict that absolutely nothing of consequence will happen to anyone in regard to this loss. If, and let us not prejudge the quality of the coverup before it is completed, the data was not encrypted then people must be sacked and told to find careers outside of the public sector.
If the public sector cannot be trusted with the data they demand from us, and all evidence available shows that they cannot, and they are unwilling to take professional responsibility for their lack of basic competence, then we must enshrine in law a new criminal offence. Losses of sensitive data should ordinarily result in convictions and jail time. We are, after all, compelled to provide this data, so it's not like we can simply use another provider.
-
Friday 30th January 2015 15:05 GMT JimmyPage
What happens to things that are "lost in the post" ?
Since matter can't just vanish into thin air, they must be *somewhere*.
1) damaged in transit - presumably the royal mail have procedures for items like this
2) stolen by employee[1] - although unless it looked like it had money in it, not likely
3) wrongly delivered - worrying if there was no tracking
4) somehow in the wrong part of "the system" - a thorough search should locate them
5) stolen by employee [2] - deliberately targeted. Raises more questions than it answers
6) we are of course assuming they made it to the postbox ....
However, there is a certain life-affirming feeling knowing that Royal Mail can cock it up for the great and glorious as well as for the little guy.
I wonder how long the MoJ had to spend on the phone ?
-
Friday 30th January 2015 15:17 GMT David Pollard
Perjury in the Lynette White case
For some reason this case comes to mind. A large number of police had been charged with conspiracy to pervert the course of justice, three innocent men having been convicted for murder on the basis of false evidence. Then some files were lost and the prosecution case collapsed. A while later the missing files were mysteriously discovered.
https://en.wikipedia.org/wiki/Murder_of_Lynette_White
-
Friday 30th January 2015 15:26 GMT wyatt
Has the UK official posting via an approved method of transport lost them or the carrier? I'd say the carrier.. 'IF' the official did everything correct and they're encrypted then there's no problem is there? Suspensions can be stated but do they actually happen and for the reason that is reported?
-
Friday 30th January 2015 15:43 GMT Anonymous Coward
"'IF' the official did everything correct and they're encrypted then there's no problem is there?"
Lets, think..... YES. FFS YYYEEESSSSSSS THERE IS SOMETHING FUCKING WRONG!
If the individual has followed an approved protocol, they may be in the clear. But for the MoJ, pointing to the post office and saying "they lost it" is no excuse. They had the fucking data, they've lost it. Doesn't matter if they gave it to a tramp, to a motorbike courier, a postman, or a passing tinker, the wankers of the MoJ have pissed confidential data into the ether. I wouldn't trust donkey post for confidential material, why should the clowns at MoJ?
What's wrong with encryption and electronic transmission? The whole idea of taking digital data, burning to optical, and sticking in a post box is imbecilic for any organisational data, but there's a further implication about data security here, and that is that flunkies at the MoJ have the facility to export large volumes of data (which shouldn't be possible) and evidently without any effective audit and control (which is unforgivable).
Head should roll, and they shouyld be at the very least the head of IT for the MoJ, the head of IT security at MoJ, and whoever authorised the sending of this data by post. Of course, that won;t happen, and they'll continue to accrue an over-generous pension despite their incompetence.
-
-
Friday 30th January 2015 16:15 GMT John Savard
Puzzled
Looking up the case, I found that Mark Duggan was in possession of an unauthorized firearm, and that he was believed to be a member of an organized crime gang. Given that, why would his death be politically sensitive, or, indeed, a concern to anyone except perhaps his immediate relatives? Isn't the whole country at war with drug dealers and the like?
-
Friday 30th January 2015 16:31 GMT JimmyPage
Re: Puzzled
We don't have capital punishment in the UK. The police can't go around executing people they suspect of anything.
The Duggan case raised enough serious doubts about the police conduct to be *very* wary of believing their truth of the matter. Something these disks might actually demonstrate - especially if it has *all* the police testimony there. Before it was "adjusted".
-
Friday 30th January 2015 16:40 GMT Anonymous Coward
Re: Puzzled
Allegedly in possession of a firearm. There's a couple of witnesses say that the gun appeared afterwards and the taxi driver said he had a phone in his hand.
Yeah, he looked pretty thuggy on Facebook; but that isn't normally an automatic death sentence (anyway he was a drummer and I think it's a job requirement to look at least a little sketchy). There are major discrepancies between witness statements and several versions of police statements and there's a lot of speculation on the web; but not too much in the way of hard facts.
Whether he was genuinely a gang-banger or whether the police involved are backpedalling frantically to cover up their mistakes is open to speculation without facts...if the latter then the facts could be politically sensitive, if not incendiary.
Us Brits tend to frown on executing people for being brown...that's more America's thing. If someone is executed then we want to know that there's a bloody good reason for doing so. With proof.
-
Friday 30th January 2015 19:19 GMT Loud Speaker
Re: Puzzled
His death was politically sensitive, because at the time of his death, a lot of people in the area thought criminal gang members more trustworthy than the local police.
Many people think that the "unauthorised firearm" was planted, and the witness statements make this entirely plausible.
Some people rioted because nothing was being done about crimes committed by the police which they had personally witnessed. Others were just out for what they could get. See other websites for comments on the police failing to investigate their own crimes.
I do not recall anyone suggesting Duggan was an innocent bystander, only that the police were expected to be of a higher standard, and did not appear to be.
-
-
Friday 30th January 2015 16:33 GMT manchesterj
A bit of a comment on the state of IT systems in that part of the civil service really and I guess the training/awareness of the staff (that it went by post in the first place). Although to be fair when I had to send data to the DTI for the company I worked for there was a secure repository where I could drop of the files - which worked really well and that was about 12 years ago. I guess if you could start from scratch..... some company would make a huge profit and the project would fail....
-
Friday 30th January 2015 16:50 GMT IHateWearingATie
Hmmmm
1. Central gov employs hundreds of thousands of people, and deals with sensitive information all day every day. The likelyhood of a complete muppet doing this is pretty high. That does not mean that everyone in Gov is an idiot.
2. From my experience, private sector organisations are just as bad. Came across an example recently that made my mind boggle, but you'll never read about it in the paper as the company will never tell anyone and it wasn't personal data or anything covered by the data protection act so it is not obligated to tell. Stupid things government does ALWAYS ends up in the paper
3. Don't have enough information from the story, but posting a disk encrypted with very strong encryption may be appropriate given the outcome of the risk assessment. The headline might be fun, but actually it could be a non-story (but that doesn't sell papers or get unique vistors). Use the right encryption software and the disks will be nothing but coasters to anyone who doesn't have the NSA's encryption munching capabilities (maybe not even them depending on what they used to encrypt it).
-
Friday 30th January 2015 16:58 GMT JimmyPage
Re: Hmmmm
Downvoted because it's irrelevant what private companies get up to. At the end of the day they are just that. Private companies. You can choose to do business with them or not.
Data held by the state is obtained under duress. Don't provide it - go to jail. Which is why it's imperative the state demonstrates it takes great care of this data.
Your tax money is the same. Obtained from you under duress. And look how carefully the government look after that. They would never lose that in the Royal Mail. (Although they may lose it in a Royal Mail sale).
-
Friday 30th January 2015 17:23 GMT The_Idiot
Re: Hmmmm
"Downvoted because it's irrelevant what private companies get up to. At the end of the day they are just that. Private companies. You can choose to do business with them or not."
Lord Jimmy, with respect, I must disagree (not that my agreement or otherwise need have any merit or value). These days, whether from existing service contracts (third party or sub-contracted service delivery), or simply by transfer of negotiable currency, private sector organisations may have or be able to gain access to Government data. The same data you comment as being obtained under duress.
As a result, in cases where that is so, _I_ do _not_ have a choice as to whether to do business with them or not. I do business with them whether I choose to or not. yes, at one remove, but it's still my data, whether it be (now or in the future) health care, my driving record or any other, including tax activity, potential criminal past or any other form of 'Bad Person' check data.
I therefore, personally and without prejudice or assumption as to any other point of view, have to support the use of Private Sector practices as a valid supporting example of why the world is generally going to heck in a bloody handcart - and not _just_ when dealing with Guv'Mint.
Of course, I'm an Idiot - so I'm probably talking nonsense :-).
-
-
-
-
Friday 30th January 2015 19:08 GMT Fred Flintstone
Re: "The discs were password-protected but unencrypted"
"The discs were password-protected but unencrypted"
What? Are you telling me that the data was in plain text? And how does the password come into play?
Maybe it's along the idea of the Irish virus? The first line of the data has a line that says "the password is xxx. If that is not the password you were thinking off, please do not continue."
I mean, there is no other way to interpret this, other than that the spokesperson has no clue and is committing the cardinal media management sin of making assumptions when talking to the press.
-
Monday 2nd February 2015 12:30 GMT Hans 1
Re: "The discs were password-protected but unencrypted"
>What? Are you telling me that the data was in plain text? And how does the password come into play?
The disc contained the data + autorun.inf which executes a Windows program on the disc that asks for a password, when no password/incorrect password is provided, the disc is unmounted ... turn off autorun and "All Your Data is Belong to US".
Must be something like that - it has to pass Microsoft Certified Windows/Surface Security Experts auditing practices.
-
-
Friday 30th January 2015 19:21 GMT Anonymous Coward
Lessons
will be learned, or have been learned, or are about to be learned etc..... They haven't had enough time yet for the PR dummy to come out with those words (or did I miss it?). I have had recent experience of the private sector "taking care" of my personal data. A pensions firm (based in Manchester( which handles my mother's widow's pension required sight of my power of attorney for her and would not accept a solicitor verified copy ( which was countersigned and verified on each and every page). So I toddled along to their Cardiff office with my original document- I was not willing to entrust it to the Xmas post, special delivery or no. So they had all this info on me, my brother, our certified witness and out two people to be informed etc., you get the idea... When I got home, I found that they had emailed this document in the clear to their Manchester office. How do I know? They had copied it to my email address, to "keep me informed of progress". Whilst I was working up a form of words to the ICO an envelope arrives in the post which informs me that the copy I had provided was not acceptable as it was only verified on the first page. I phoned up and informed them that the copy was theirs and I considered it unacceptable that they had sent it, unencrypted, via email. A few days later another letter arrives - carbon copy of the first, unacceptable etc... Flame on, phones up, demands to speak to arsehole in charge of section, did a mars attacks on him, informs him the ICO know about his organisation, told him whose copy it was and I would like an apology etc. Apology forthcoming, grave error, not how we normally do things etc.... Letter arrives, no need to do anything, accept document, fulsome apologies, bullshit etc. The problem is that these private sector people operate like this all the time, I only know how they handled my data because I was accidently copied into the emailing! How do we have oversight on how private companies handle this stuff?
I can only suggest that the ICO develop a form of words that we can attach to any document to any company, public or private, that warns of legal action if they are found to have breached the conditions attached to our submission of our private data.
Yours,
severely pissed off,
Someone whose data is already out there.
-
Friday 30th January 2015 20:45 GMT Mark 85
I'm a tad confused...
Was this the ONLY copy of the data or not? My impression from this is that disks were burned and dropped into the mail. Then the original was wiped from whoever's HDD. And for what it's worth, whether the original was wiped or not, I would hope that the disks were encrypted, but like other things mentioned in the article, nothing is clear.
Biting the hand that feeds IT
