Stop using USB sticks to move kids' data, auditor tells Education Dept

The Department for Education (DfE) needs to improve the way it handles the personal sensitive information of 20 million records contained in its National Pupil Database, according to the Government Internal Audit Agency (GIAA). The findings were revealed in the department's annual accounts for 2014/15, which were published …

  1. Chronos
    Flame

    Stop leaving spare USB ports active on machines that handle sensitive data.

    FTFY. This was SOP not so long ago. And rivet the case shut, too. Repeat offenders to be issued with machines that have a solid blob of epoxy where the USB connectors were.

    You don't need spare USB ports on a corporate/government machine. Peripherals should be shared per office, installs done from approved images over PXE and input devices should be permanently attached and only removable by a technician. Sort your physical security first, always. Then layer on the software and wetware policies.

    1. Anonymous Coward
      Anonymous Coward

      Re: Stop leaving spare USB ports active on machines that handle sensitive data.

      "Repeat offenders to be issued with " .. P45s and lawsuits. It's about time individuals are held accountable, not taxpayer-funded departments ...

    2. Keith Glass

      Re: Stop leaving spare USB ports active on machines that handle sensitive data.

      Really. Although we used hot-glue sticks to fill the USB ports. And the case-opening switch would send a flag to security after being booted up again. . . .

    3. Ian Johnston Silver badge

      Re: Stop leaving spare USB ports active on machines that handle sensitive data.

      That's fine, if you're supplying machines for battery hens in call centres to use. Completely useless in a professional setting, like a school.

      1. HmmmYes

        Re: Stop leaving spare USB ports active on machines that handle sensitive data.

        Er a 'professional' does not copy personal data on a USB stick esp. after being told not to.

        What you're describing is an unprofessional environment.

      2. Lunatik

        Re: Stop leaving spare USB ports active on machines that handle sensitive data.

        "Completely useless in a professional setting, like a school."

        You've obviously never seen the way my kids' school uses technology. Professional is about the last adjective I'd use.

    4. Anonymous Coward
      WTF?

      Re: Stop leaving spare USB ports active on machines that handle sensitive data.

      "input devices should be permanently attached and only removable by a technician. "

      I take it you've missed this thing called a "Laptop". Pretty new, you must try one sometime.

  2. Halfmad

    I cringe..

    When I hear "Data governance". No it's just information, it's nothing special, treat it like you would paper "data" and keep it secure. The problem starts when you consider something stored electronically as somehow more secure than paper, which it rarely is.

    1. glen waverley

      Re: I cringe..

      "something stored electronically as somehow more secure than paper"

      Agree. Hard to leave a filing cabinet on the train

      1. Glen 1
        Happy

        Re: I cringe..

        Briefcases are just as easily left on public transport, although these days are likely to be subject to a controlled explosion. Still, that would be better data sanitation than just binning a usb drive too small to be useful.

        Large file transfers are technically still possible

  3. PhillW

    It is the cheaper option in times of austerity

    Come on, it is far cheaper to leave a USB stick on the train with all of the data on it than an expensive laptop.

  4. Dan 55 Silver badge

    And also in that website...

    There seems to be a plan to record each child's internet browsing at school and home.

    I'm not sure how the "at home" bit works as they don't specify, but I'm pretty sure it wasn't unintentional.

    It doesn't sound good. Their web history can't be entrusted to an organisation who gives away their school record to practically anyone. Getting their web history on their own devices or at home is a step too far.

  5. Keith Glass
    Trollface

    "But it didn't cost anything. . . .

    . . . .we found those USB sticks, laying on the ground in the parking lot. . . ."

    Why am I ***SURE*** that's already been said. . .

  6. energystar
    Windows

    Wish could be light and playful as usual...

    But we are talking about kids' data that will follow them and their public profile for their entire life.

    ........

    Little known or endorsed Heroes, auditors with 'guts' and decency of their own. Kudos to the brave man.

    1. energystar
      Go

      So many weak points...

      At so many layers of the stack. Glad to see some of them being audited. Glad to see one individual ACTUALLY doing his|her work.

  7. Efros

    Fundamental ignorance

    Of the simple fact your security is only as good as your weakest link. If you're using USB sticks to move around sensitive information then at least you don't have to go looking any further for that weakest link and Anne Robinson is going to have a field day.

    1. Adam 52 Silver badge

      Re: Fundamental ignorance

      I like USB sticks for moving data securely. The number of people who could potentially breach a server is in the billions, the number with physical access to my USB stick much smaller.

      At work our servers have been successfully hacked by the Chinese government, the Russian government and the Syrian government (and probably more that I'm unaware of). Nobody has ever got my USB stick, and if they did they'd have to figure out how to reassemble the deleted blocks.

      1. Triggerfish

        Re: Fundamental ignorance

        Yeah I have moved info round on USB sticks. I do not think it's the medium it's being carried on, it's the person carrying it not treating the information they have seriously enough to take care.

      2. energystar
        Pint

        Re: Fundamental ignorance

        "..The number of people who could potentially breach a server is in the billions...". Much Less.

        The number of people who could potentially breach that CyberCafé Zombie where you inserted your USB is in the billions.

      3. energystar
        Mushroom

        Re: Fundamental ignorance

        Fundamental ignorance also is the unknown picoCPU, firmware, boot block, hidden memory space, lack of redundancy, unmanaged fail progression, and ultimately, deliberate execution blocks installed by quite a few USB shadow or trademark pirating factories.

        1. energystar
          Linux

          Re: Fundamental ignorance

          Use Writeable DVD -R, if caring for the Planet, erase zero-filling. If critical Non-Writeable, single-key encrypted, single session, pad to the border. Far from best, but a lot better.

          1. energystar
            Coffee/keyboard

            Deliberate Ignorance...

            Right now at a refractive phase, all about Computing Learning. [Quite f_(*%d up].

            Any Vulture illuminating the issue of BluRay Blues?

  8. Will Godfrey Silver badge
    Unhappy

    And another thing...

    I'm sure that (not being terrywrists) they don't encrypt these USB sticks either - nothing to hide, as they say.

  9. John Doe 6

    Actually...

    Computer manufacturers need to fix the USB problem they created.

    USB has become totally useless now, yes it is smart but it is also unsafe and it is not only storage devices... any USB device may now be a potential security risk.

    1. energystar
      Alert

      Re: Actually...

      Ouch! Sorry Intel Corp. Deserved.

    2. energystar
      Childcatcher

      Re: Actually...

      'Universal' and smart tags aren't usually seen together.

  10. Roland6 Silver badge

    It's not about USB sticks - It's the release of confidential data!

    Whilst the use of USB sticks may be causing problems, the article does not give a single instance where the use of USB sticks is linked to the fundamental data privacy and protection issue raised, namely:

    "Jen Persson, coordinator of children’s privacy group defenddigitalme said: “The DfE freely gives out 20 million children’s confidential personal data directly to unaccredited third parties without the consent of parents or pupils. Parents must be told who has their children’s personal data, and why." "

    What is the DPO doing? As this is a clear breach of the DPA.

    1. SVV

      Re: It's not about USB sticks - It's the release of confidential data!

      Exactly.

      I was under the impression that the data was not given freely as in "for no money" for commercial use by companies, rather that it was "freely" available at a not insignificant price. So, to all those Tory voters who love privatisation, congratulations, your kids have just been privatised!

      Think this is a little over the top? Imagine that your kid goes through a tricky adolescence which results in exclusion, or poor test results for a while. Would you like all that information sitting on the databases of every major employer and recruitment agency in the country for the rest of their life?

      Let alone the consequences that will inevitably happen after the one leak required to ensure it's all out in the wild for anyone to see for ever more.

      Now do you start to see why privacy matters and this government policy is outrageously stupid?

      1. David Pollard

        Re: It's not about USB sticks - It's the release of confidential data!

        the consequences that will inevitably happen

        Availability and (mis)use of data in the National Pupil Database itself is only part of the problem. Features of the RYOGENS programme also seem to be being implemented, although we hear very little about these aspects. It's not hard to wonder whether this will lead to greater stigmatisation of a proportion of young people and the creation of an underclass, rather than the reduction in crime claimed by proponents from both sides of the political spectrum for what amounts to computerised surveillance.

        http://www.fipr.org/childrens_databases.pdf

  11. ecofeco Silver badge

    How odd

    The focus seems to be on USB sticks when the REAL issue is the personal data of children being given away.

    But hey! Look! Unsecured USB sticks!

  12. anniemouse

    inability to handle security has made paper a better option

    we done outsmarted ourselves

  13. HmmmYes

    Easy fix.

    If someone is found with personal data on a USB then sack them and fine them 50k.

    What is so hard about that FFS?

    1. Fenwick

      Real world

      "Analyse this data or you are sacked, it is your job."

      "No you can't have network access, you can have access to the computer for 10 mins."

      "Don't tell me how it is done, just make it happen."

      So who exactly will you fine with your easy fix?
