Cumbrian Police accidentally publish all officers' details online Cumbria Constabulary inadvertently published the names and salaries of all its officers and staff online earlier this year, making it the second UK force in a fortnight to admit disclosing personal information about its employees. In this incident, the Cumbrian police admitted the names, salaries and allowances for all …
It's not so much a question of access rights (I imagine it's a very small team), it's how on earth somebody had that document and actually thought "Yes, I'll upload this to the website", or mistakenly got the wrong document and then didn't think "I'll just go and check it's uploaded correctly" after publishing it.
Pretty much all the data held by a police force is potentially sensitive.
There really is no excuse for having a system in which it is even possible for data to be posted online without at least one other party actively reviewing the actual intended publication (and not a description, summary or original sources thereof). It's not an "accident", it's not "human error", it's a negligent failure of governance.
"It's not so much a question of access rights "
I'll give you an upvote but I still think it IS a question of access rights.
Even I have folders for assets I will put up on my web site and don't just grab stuff off of the hard drive willy nilly. Everything that's in those folders has been thoroughly gone over, spell checked, etc. It's not likely I'm going to grab a bank statement or the back-end information page from my accounting program and post it online.
You organize your data so you avoid it, but you don't have locks on everything making it entirely impossible to upload something you shouldn't. Your success in not posting stuff that shouldn't be public is due to being careful, and the steps you take are designed to make that easier.
My problem with the calls to fix this in software is the assumption that, somehow, computers have to make careless users harmless. Somehow, if a user is physically capable of causing a problem with the system, then it's the system's fault. This is not used in a lot of other parts of the world. Take physical security. There are some people who work in extremely secure facilities where they may not take anything in or out and they're subject to lots of scans to ensure they haven't. Does everywhere you have worked do that? My offices have not; if I want to steal something, I can scan my credentials to unlock the door, pick something up, and walk off with it. This doesn't mean that, because theft was possible, the security system is at fault. If we took that attitude, you'd eventually reach the point where every employee or visitor would have to have MRI scans on entry and exit. At some point, designing the system to prevent idiots doing stupid things is worse than working a bit harder to have fewer idiots and to make sure they understand information about whether what they're doing is stupid.
They could be in the same situation I found myself in once when having queried the wisdom of placing a document on the web site being told it wasn't my job to decide what got published. It was fun to see all the headless chickens running around half an hour or so later shouting take it down, take it down
I'm in a similar position as Data Officer for our organisation. I'm subserviant to the Chair and the Exec, if the Chair or the Exec instructs me to give them all the data I hold, I am instructed to give them all the data I hold. I work for them, they tell me what to do. I'm the Corporal, if the Major says Jump, I jump. If jumping smashes a window, it should be the Major whose actions should be investigated.
"as Data Officer for our organisation. I'm subserviant to the Chair and the Exec, if the Chair or the Exec instructs me to give them all the data I hold, I am instructed to give them all the data I hold"
That's basically the Nuremberg defence. Just following orders, gov! If the Chairman or CEO give you an order that is illegal, your reply should be "It is illegal for me to do so". If in doubt, the company lawyer should clear it directly to you (CEO telling you 'legal said it's OK' doesn't count). As Data Officer for your company, you should know (maybe not every little legal detail, but in broad strokes) what are your legal duties and obligations. And, I might add, if being Data Officer is exposing you to legal risks, you should (a) be well compensated for those risks and (b) have a strong risk mitigation strategy
Whist that is correct, the issue now with this sort of "accidental" release is that it cannot be undone.
This is what seriously pisses me off. Every time this happens (and it appears to be approaching daily) it is an "accident". There appear to be no consequences for anyone involved, it is just accepted that "it happened, nothing to worry about, carry on".
If the consequences were significant then people would be rather more careful in what is actually done.
Take the PSNI fiasco, the top man should have been suspended without pay pending investigation and then probably dismissal. The staff further down the chain should also be subject to consequences.
Then we have the breaches that are always a "sophisticated attack". I don't care how sophisticated the attack was, the data has been exposed and nobody appears to give a stuff.
ahem isn't that the same excuse Rudolf Hoess used at Auschwitz. Just because you work for them the personnal data doesnt belong to them. that belongs to the individual it pertains too and if they give permission for it to be used it can only be used in which permission is sort. GDPR protects individuals nowadays.
That is no excuse. your job is to enlighten those above do they really need access and for what purpose do they need access and for how long. not blindly just handing it over.
"They could be in the same situation I found myself in once when having queried the wisdom of placing a document on the web site being told it wasn't my job to decide what got published."
You then get those instructions in writing and signed by somebody who has a lot more to lose. Either way you may get sacked, but you don't want to be on the witness stand defending yourself from charges too. The stupid has to get stopped somewhere.
And also there needs to be personal consequences for those responsible. What on earth is the point of the ICO or anyone else fining a public funded organisation where the taxpayer is footing the bill.
I am sick of hearing the "We sincerely apologise...mistakes were made...we know we have to do better...lessons have been learned..." rhetoric. It's just a catch-all for the freedom to repeatedly screw-up without accountability.
I think that is most companies! Every company has a set of spreadsheets that are critical to ongoing operation where no-one can remember who created them, no-one knows how they actually work and no-one dares edit them!
Setting up some monster of a spreadsheet with lots of lookups and maths looks good to management but they end up out of date in a matter of weeks. We had an ordering form that was supposed to have all the project details and associated codes in a lookup. It was never maintained. The people filling it in didn't usually know the accounting codes as they were on a part of AX they had no permissions to. Accounts whinged and whined about badly filled in forms and when confronted about the fact that THEY allocated the codes and THEY had access to the relevant systems the response was 'not our job to update this form, it was written by xyz and they should update it'.
Another such ball-ache type document we used had a typo in a script. Whatever version of office we were using at the time didn't care. The next version threw an utter hissy fit and would take 5+ mins to open the docs. Productivity fell through the floor for a while :)
How does it happen? Many ways. For instance, I have worked places which are very project-centric and PMs get their bonus depending upon time taken and money spent. So if you have Project A to do something to system Y and project B to create system X, neither PM wants to pay for the work to integrate the two. So, to plug the gap, users run a report in A, bugger about with it in Excel and then upload the CSV to system B. PMs get their bonuses but the result is terrible.
More generally, spreadsheets get used to plug holes in functionality because they can be done quickly and with any cost hidden - unlike getting involved in the whole IT project process.
"Excel spreadsheet saved to a shared drive (shared drive, intranet, internet, what's the difference?)."
Absolutely this. I have a sneaking suspicion that this info wasn't consciously published but simply copied to some folder on the intranet that is being used as a document archive for the web server, and whoever copied it had no idea.
"Absolutely this. I have a sneaking suspicion that this info wasn't consciously published but simply copied to some folder on the intranet that is being used as a document archive for the web server, and whoever copied it had no idea."
Seems the most likely explanation to me, or maybe someone not even knowingly doing it. Dragging and dropping files on a GUI, the GUI freezes momentarily meaning that your mouse operations don't happen where you thought they were happening and before you know it, a whole other directory has moved to somewhere else and you're spending the first few seconds thinking "bloody computer!" followed by "did anything actually happen then?" and at least the next few minutes finding out what actually happened, where it went, is it back in the right place now, what even was the original file structure and finally will I get in trouble for this?
And that's just the GUI doing you in. As the saying goes, to err is human, to really fowl things up requires a computer. Given today's data driven world, this has never been more true.
"The PR department has complained it takes too long to publish to the website, so we need you to create a shared folder they can just drop the files into. Yes I know it's a bad idea but the head of PR is sleeping with the boss who is breathing down my neck so just get it done."
To make this data access a little safer then we need to upgrade 2FA to 20FA to try and prevent this sort of event from happening so often ... hacking is not easy but it's not impossible is it?
El Reg, I will please ask for a new icon update again ... a pair of wire cutters to refer to the guarantee of data safety.
It wouldn't bother me one bit.
And if it did bother me I would just take some deep breaths and calm down and go on with my life. If I had trouble doing that I would seek the council of a therapist or clergy member to help me find peace.
I don't see what the big deal is anyway.
Their opinions are their personal feelings to work out with their therapists or themselves and none of my concern.
> It wouldn't bother me one bit.
Then let's see you put your money where your mouth is and actually upload your full tax and medical records with full identifying information- and any other personal info of yours anyone here might want to see- on a publicly accessible site for us to do whatever we want with them.
Otherwise it's probably fair to assume you're just another pseudonymous online bullshitter able to spout wannabe-blasé shite until you're required to put your money where your mouth is.
Looking forward to your bravely-principled stand and to finding out what antibiotics you got for that mysterious rash after the business with the goat.
That would not represent the same situation.
If everyone's information is available, then there is no disproportion in power (information is power in this context)
Mutually assured destruction keeps the peace.
The Cold war and it's outcome overwhelmingly demonstrates that principle to be sound.
If everyone's information were available then that information could no longer be used as identification for impersonation.
And under such a situation, I would not care.
Another difference is that I have not accepted power over other human beings. They have.
So to balance them psychologically and give effective natural consequence for self-restraint and responsible critical thought towards future consequence before taking an action, a humbling mechanism is necessary to relatively equalize their potentials to interfere with others relative to that of their fellow citizens.
Chronic exposure to disproportional power is both addictive and strongly alienating to mental processes stemming from low-level subconscious all the way up the stack to conscious awareness.
It's unhealthy for them , its unhealthy for us.
It's simply unacceptable.
Wouldn't it be terrible if all officers like this were held accountable for their actions.
" if all officers like this were held accountable for their actions."
They should be "held accountable for their actions" in a court of law with due process. Otherwise what you are promoting is vigilante "justice". And for all the fancy Hollywood movies where the hero takes matters into their own hands, the reality is that real-life vigilantes are often clueless fools motivated not by justice but by anger and revenge, the real-life consequences of which are likely to result in cases of mistaken identity, collateral damage, and overall a far worse situation than the one they are trying to prevent.
I'm pretty sure info about how much we pay people in the public sector IS available, just anonymised.
Long ago someone managed to get hold of a document with the salaries of EVEYONE at the company. I believe it was in a ring binder just sat on a shelf in the admin area of the office.
Oh my that kicked up a heck of a fuss as it revealed disparities between teams and that they had ramped graduate salaries above the level of pay that people who'd been there 1-2 years were on. Not sure anyone got an arse kicking for that.
I’ve always thought all the salaries of a company’s employees should by law be visible to everyone within that company (and nowhere else). At the moment only the employer has the full picture.
As you discovered, it would highlight discrepancies and would discourage the employer from treating one person better than another based on sex, race, old school, or whether they are/are not golf buddies.
There are potential benefits, but I also foresee some problems. If someone deservedly gets paid better than others, will the others simply accept that their performance was better, their skills unmatched, their work ethic stronger, or will they feel they've been treated unfairly? If they do, how would you suggest handling that without either withholding what you would have given to the stronger employee or dealing with more people quitting, which places more work on everyone who stays. This is just thinking of the problems from an employee's perspective as that's my position, but there are problems from the company's as well which aren't necessarily indicative of malpractice on their part.
I'm not blind to the benefits of transparency of salary data, but I think it might cause quite a few problems. I think you probably do as well, which is why you limited it to employees of the company; some people advocate that financial information be available to everyone in the general public, but I think a lot of things would go wrong if that were attempted. I think the more limited version would produce fewer problems, but that some would still exist.
If someone ‘deservedly gets paid more’ the onus would be on the employer to demonstrate why they were more deserving. As I said earlier, without transparency the employer can reward people based on criteria which have nothing to do with ability or performance.
I suggested that salaries are visible only within the company, not because I see a problem with transparency but because that’s where direct comparison is most relevant. Pay across companies and sectors could also be compared with anonymised data.
My point is that people often don't like being told that they were not as good as someone else, even if it's true. What you suggest turns any performance review period into a "here's why one of your colleagues is better than you" experience including a full league table, and nobody likes those. Not to mention that, for most complex jobs, it is relatively easy to make up a lie about a non-discriminatory reason for different levels of pay, whether it's true or not, so any disparity you ask about will have one whether or not the actual reason was justifiable.
"If someone ‘deservedly gets paid more’ the onus would be on the employer to demonstrate why they were more deserving."
As if there is an employer that wants to deal with that every couple of days.
It could be that somebody is making more because at the time the company was looking to fill that position, they had to pay that salary to get somebody qualified and didn't have time to shop. If they try to go back later and trim that pay packet, they'd likely be looking to fill that post once again. When you got hired, they had several candidates and weren't going to pay a premium. When you applied, you may not have asked for as much as the company was willing to pay and somebody else did.
"I’ve always thought all the salaries of a company’s employees should by law be visible to everyone within that company (and nowhere else). At the moment only the employer has the full picture."
You would also need all of the background information that lead to that salary decision and there would still be bickering, lawsuits and accusations of something or another. It's not your business what your colleagues make. If you are wondering about the average ranges for your profession, there are government stats you can look up. If you are on the low end and think you deserve more, ask. If they won't give you a rise, find a company with a post to fill and see if they will give you that amount. Sometimes that's the only way to get a better salary.
In most private companies salary is confidential between the employer and employee. In the UK in the public sector there are job descriptions and associated pay grades so at a high level you do not what different members of staff are paid. What the variation is in the small band within the grade is another matter and personally it was such a small amount I did not get excited by it.
Keeping salaries private between the company and each employee gives all the power to the employer. It allows them to underpay people who are not strong negotiators and/or not friends with their boss, and unless those people are willing (and able) to up sticks and move employer, they may never know they are underpaid.
I think it's a generational thing - in my (boomer) generation hardly anyone is prepared to say what they earn, whereas my kids' generation are quite open about it.
I'm old enough to remember when salary bands existed for pretty much every job (well the not so senior grades anyway) and virtually everyone know roughly what they were. Then came along the idea of paying by merit / worth to the company and individual pay. Now Fred the genius is paid twice what Fred the useless is paid and everything is fine as long as Fred the useless doesn't find out. Don't matter if Fred the genius finds out.
Why exactly should you have the right to know the name of everyone who works in the public sector? And I mean a proper justifiable reason other than 'they are paid for by the taxpayer' because in my case its not true.
I work for a local authority but our service is paid for by income we generate so isn't funded by the taxpayer.
Finally if you had an ounce of intelligence you would know, certainly in the UK, all public sector salaries are already in the public domain.
Please explain why, just because someone is a public employee this data should be available?
There is no justification in publishing all employee details other than for people who are not in that sector to cause trouble. By the same token then all employees should be listed for every organisation, private, public, charity the lot. The downside of course is that YOUR details would then be publsihed,
It is also rather ironic that you believe this should be publicly available yet you post as "AC", not even handle........
The £25m NHS data transfer deal to Palantir and recent leaks from the Electoral Commission, PSNI, this, and others means essential UK population data won't be lost. Putting data out to tender on the internet so organisations can make copies represents best value for money for the British taxpayer.
The creators of Excel and predecessor apps must be spitting feathers to know how misused their baby has become. Hmm let’s just lob this spreadsheet online, never mind what else it might contain. Releasing anything like this to a website should go through proper scrutiny and should be the exception rather than the rule. Review it like you personally will end up in court, and you won’t go far wrong.
@FirstTangoInParis: “The creators of Excel and predecessor apps must be spitting feathers to know how misused their baby has become.”
The creators of Excel copied its functionality from preceding spreadsheets - mainly VisiCalc and Lotus Notes.
Nov 1991: “I think we have a fantastic opportunity with Excel 4.0 to really drive the nails in the coffin of Lotus.”
> VisiCalc and Lotus Notes
I assume you mean the spreadsheet Lotus 1-2-3 (as the document seems to imply) rather than Notes.
Lotus were later more associated with the infamous Notes, but Lotus 1-2-3 was their original "big" product until, as you note, Excel ripped it off and used MS's market dominance to replace it in the market.
(1-2-3 had in turn ripped off and taken over from Visicalc, which you also mention).
Which will be paid by the taxpayer. Whenever a public body is fined, the fines are ultimately paid by the taxpayer. Whenever a private company is fined such as a water or energy utility, the fines are ultimately paid by their customers. Regulators and the courts exist to give the impression of justice being done. We are being conned and we are paying for the privilege.
The fines don't need to be huge, they just need to be personally targeted at the people responsible for either breaching their responsibilities, or implementing such weak governance that allowed it to happen.
I'm sure that the equivalent of 6 months salary would be a suitable fine to make people more careful.
I remember when I was working at a UK Bank, it was drummed into us that regulatory fines for not following money laundering protocols were levied directly against the people not following procedure (and I was not even in a position where I could affect any money flow!)
If this can be right for bank cashiers, then surely it could be done for other entities, especially public ones.
These leaks aren't human error, they're criminal incompetence.
In the PSNI case the information was provided in response to an FOI request for numbers of people in posts, and they published the entire spreadsheet with all data, instead of just the sheet with the calculated numbers. That simply should not be possible. The person with access to the information should not be able to publish it, and the person whose job is to publish should only have access to the summary.
This isn't rocket science, government agencies which deal with classified data (secret, top secret, etc.) have well defined processes for handling this, and the IT systems they use are designed to prevent information with a security classification being sent to any system with a lower classification. The basic principle of "write up, read down" has been enshrined in trusted OSes for decades.
No-one should just be paying a fine for this, senior heads should be rolling and someone should end up in jail.
"These leaks aren't human error, they're criminal incompetence."
Government employee = incompetence. If that wasn't the case, those people wouldn't be feeding at the public trough. If you realize that you are a massive screw-up, you take the civil service test until you pass and then never have to worry about job security ever again for just being you.
Then you can expect lifelong salary increases far beyond your value whilst consistently claiming you could earn even more in the private sector. No-one will challenge this and call your bluff. If you're really lucky you belong to one of those special public sector clubs allowed to collectively set their own rewards. Like MPs for instance.
If you screw up really bad, you will be promoted and moved sideways so that you can screw up in a whole new area.
Ultimately you can get a reward in the New Year Honours list for serial failure.
What's not to like?
"If you screw up really bad, you will be promoted and moved sideways so that you can screw up in a whole new area."
The more enlightened institutions may move somebody sideways into a role where screwing up has very few consequences such as having an intern redo the work properly. In Japan there is the concept of being given a "window seat". They don't fire you, but move you someplace where you must show up, will never get a rise/promotion, but will still get paid. Most will quit if that happens due to the shame. Since the firm didn't do the sacking, they aren't on the hook for severance.
Much like the private sector then.
Have people been sanctioned for the Capita USS loss, Equifax? Not that anyone is aware of. The fines were (or will be) derisory.
It does not matter if it is public or private sector, there a plenty of incompetents in both. One can also argue that it is easier to get away with in the private sector as there is less scrutiny. I have been on both sides of the fence.
"These leaks aren't human error, they're criminal incompetence."
Indeed. I can understand how The Clueless tm can send an imprudent email to 2000 people without using Bcc:, but, here, this is a whole new level.
The person engaged into full web publication without checking the content. This is hard to believe outside of criminal behaviour !
It looks like the request was for a list of names, so you are allowed to know who works for the police, just not every other detail about their jobs including their salaries. Why you want the data is another question, as it's usually pretty easy to determine either whether a certain person works for the police or which members of the police were involved with a certain situation, but it looks like you are allowed access to the full list if you find that data useful.
"Why you want the data is another question,"
Most questions that start with "why" can often be answered with one word, money. The vast majority of social media companies make the lionshare of the income from selling personal information. The really horrible merchants of PII, buy data from anywhere they can and sell subscriptions so this sort of leak could be gold.
News organizations have departments that do nothing but gather information on VIPS. Addresses, phone numbers, family members contact info, where the kids/grandkids go to school, etc. The tabloids take that info gathering a level or 6 down into the dark depths. For the average person, big data mainly wants to have a nice rounded picture of you so they can sell companies very targeted lists.
Well sort of,
You can file for that information, and they can take their sweet time, to the point of making it practically useless by the time you receive it.
It's not as if there's any real deterrent consequence to delaying a release of information.
And information can also be withheld under soft definitions of security concerns. Never mind that the security involved very well might be to secure their own against consequence so as to continue a bad situation.
So the way it plays out is that you can have the information as long as it's useless to you but if it looks to be useful to you they can effectively neutralize.
If The information were truly freely available a request would not need to be filled it would be publicly posted preemptively to be noticed casually and intuitively.
https://www.bbc.co.uk/news/uk-66510136
But it OK, according to them, 'cos "data was hidden from anyone opening the files"
Those well known sure-fire ways of keeping data private one assumes:
Excel Hide column / Word version history / black superimposed highlighter / White text on white
I wonder which one they used?
Just saw that one surfacing and came over to read the Reg comment.
For all 3, surely creating a fictitious Constable Honeypot and slamming the brakes on any outbound mail or upload that mentions him would not be too difficult?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
