Manchester plods cop £120k fine for USB-stick-inna-wallet data gaffe

The Greater Manchester Police Force have paid a £120,000 fine after losing the details of more than a thousand people under investigation for serious drugs crime. The personal details were kept on an unencrypted memory stick with no password protection, belonging to an officer with the Serious Crime Division team. Kept in the …

COMMENTS

This topic is closed for new posts.
  1. Yet Another Anonymous coward Silver badge

    Greater Manchester Police Force have paid a £120,000 fine

    Greater Manchester Council Tax payers have paid a £120,000 fine - basically the people whose details were leaked have paid for it.

    1. Ragarath

      Re: Greater Manchester Police Force have paid a £120,000 fine

      Beat me to it, again taxpayers are paying the fines. What is the point in them? The organisations that get them don't care.

      What should happen is heads should roll (not literally) rather than a fine. And far quicker than over a year later. How long did the year long investigation etc. cost?

      1. Arrrggghh-otron

        Re: Greater Manchester Police Force have paid a £120,000 fine

        When one government body fines another it is just an empty gesture. The money just goes round in circles.

        1. Da Weezil
          Thumb Down

          Re: Greater Manchester Police Force have paid a £120,000 fine

          Or is it used to part justify a bigger police precept on council tax bills next year - IE another way for Central Government to tax us further by the back door. Sackings (with a life-time disqualification from holding further office) and jail time for really serious offences would be far better.

  2. Anonymous Coward

    Random burglary or professional job?

    I wonder who has the data now?

    16 year old storing pron on it

    OR

    Drug baron rounding up the 'competition'

    HELICOPTERS

    1. Destroy All Monsters Silver badge
      Trollface

      Re: Random burglary or professional job?

      > HELICOPTERS

      Don't you mean fuel drums and jerrycans?

  3. Dave 126 Silver badge

    Oh well. Maybe the burglar will find some heavy characters who will buy him a pint or two to get the details of their competitors.

    Or maybe he slung the wallet and contents in a hedge after removing the cash.

    Who knows. I'm not overly desperate for another British 'gritty urban' crime thriller.

    £120k buys a lot of secure memory sticks as offered by most major thumb stick brands... it buys even more bog-standard memory sticks and a free download of TrueCrypt.

    1. Anonymous Coward

      Yes but Truecrypt is effort (not much I grant you) but it's free, been around for years - WHY are they not using it.

      I use a Corsair Padlock USB drive - it had a code you have to enter before it even appears as a drive and then I store the data on it in TrueCrypt.

      There must be plenty of secure USB drives around - even if they just required a 6 digit code and wiped if the wrong code was entered 20 times it would be much better than they are using.

      1. Yet Another Anonymous coward Silver badge

        Truecrypt = more than one syllable, that means they would need a fast-track graduate intake

        Finding one of those who didn't do media studies is tricky

      2. Dave 126 Silver badge

        >Yes but Truecrypt is effort

        Curiously, searching for 'secure memory stick' returns Hull University's guidance to staff on the subject, and it recommends TrueCrypt Portable. Then, under FAQs, it says it can't be used by students on faculty machines because they don't have admin privileges, and something else about OSX...

        So yeah, for a use-on-any-machine solution, specialist sticks would appear to be the way forward. But still, you can buy a fair few for £120k... Shit, it would buy a fair few laptops with a custom Linux distro for the sole purpose of accessing sensitive data, such as the nuclear industry use.

    2. taxman
      Big Brother

      yeah but no but

      it says a heck of a lot about their network that allows USB devices to be attached to it. Obviously not using something like McAfee ePO (just for example sake) to control what can and cannot be connected to the network. So why not just take in your laptop from home and suck off all the data you want?

      And how many other of our wonderful forces out there are the same?

  4. Sir Runcible Spoon

    Sir

    I wonder that anyone bothered to turn up at his house when he reported the burglary.

    "Hardly worth the effort mate, they'll be long gone"

    <garble farble arble>

    "What's that? Serious Crime squad? We'll be right on it"

  5. Anonymous Coward
    WTF?

    They have "Greater Manchester Police branded memory stick"s?

    What delinquent lunatic of a marketeer dreamt that up? Obscurity is little enough security but still better than anything these arrogant clowns are doing - just imagine little Johnny picks up an unlabelled USB stick with some spreadsheets on it, there's a fair chance he says "BOOOOORING" and wipes it to store music, but once he knows it's proper copper stuff he's surely going to go looking.

    Sod these little fines that just have Public Peter paying Public Paul - time for some serious criminal prosecution for systematic and reckless endangerment.

    Of course it could be that they think this will deter staff theft ... then it's time for some more criminal prosecutions of that staff...

    1. Mark 78

      Re: They have "Greater Manchester Police branded memory stick"s?

      <quote>

      Sod these little fines that just have Public Peter paying Public Paul - time for some serious criminal prosecution for systematic and reckless endangerment.

      </unquote>

      Do you also advocate criminal charges against anyone who loses a company USB stick, or just those who work in the public sector?

      How many people in the private sector go "Oh, I'll take a copy of this home with me to work on" and then lose it, and say nothing, so it does get reported like this.

      1. Anonymous Coward
        Unhappy

        Punishment should fit the crime

        I don't advocate routine harsh punishment, however in this case I'm responding to these factors:

        (1) this is a repeat offence - the ICO says "Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection."

        (2) there is a very real potential for catastrophic outcomes: both the frustration of serious prosecutions and the risk of (suspected) informants suffering harm. These lie far beyond the likely outcomes for most company data leaks.

        (3) the police are uniquely empowered and trusted in our society. They swear an oath to uphold this: "... I will, to the best of my power, cause the peace to be kept and preserved and prevent all offences against people and property; and that while I continue to hold the said office I will to the best of my skill and knowledge discharge all the duties thereof faithfully according to law." - this is at odds with (1). (fwiw I'm incensed that policemen caught perjuring aren't automatically prosecuted to the greatest extent possible for corroding this trust)

        (4) probably a private organisation can't prosecute an employee for such an act, however where it is breach of communicated company policy they can summarily dismiss that employee

        And I don't think it's automatically the specific cop's fault - it may be he requested an encrypted drive, VPN access, etc, and was told "go on, just do it the easy way" - then the fault lies with his superiors. But somebody(s) should be publicly hauled over the coals for this pour encourager les autres, or it simply becomes an operating expense with a line in next year's budget: 300 new USB keys, pay one ICO fine.

      2. The Cube
        WTF?

        Advocate criminal charges against anyone who loses a company USB stick

        Stop trying to pretend this is equivalent you muppet.

        If you want to phrase the question appropriately then we could try;

        "Do you advocate criminal charges for repeated and systematic failure to implement or follow processes to control personal data, the release of which is likely to cause a direct threat to the lives, reputations or employment of those concerned?"

        Or are you the sort of daily mail reading tosser who thinks that everyone "investigated" by the Plod is guilty of something, they just haven't found the evidence yet?

        And for the record, yes, I think that if, say Experian, were this careless with data then the responsible parties should be dismissed for gross misconduct and then face investigation for possible criminal charges. The fact here is that because it was Police the worst that will happen is that the IPCC will make a show of pretending to investigate and then back off like the puppet it is as soon as the Plod union barks. After which the employees responsible can go back to beating up suspects and trawling through our personal data under RIPA without a warrant, oversight or due process.

      3. Da Weezil

        Re: They have "Greater Manchester Police branded memory stick"s?

        "Do you also advocate criminal charges against anyone who loses a company USB stick, or just those who work in the public sector?"

        If it leaks personal data then - yes - I do advocate the full weight of legal sanctions should apply. My partner works in the Civil service... but I am not privy to the day to day details of work.... just office gossip which is how it should be.

        Private sector workers should and must be just as careful with confidential data especially when it is about individuals' data or "community security".

        In the same way a doctor/teacher/social worker can be barred from a profession - the same should apply to jobs where people handle data. Only with the toughest penalties can we hope to instill a real sense of responsibility in those handling this stuff. The threat of jail/being reduced to menial employment might help focus some of the more air-headed or those just too lazy to follow the correct procedures. Stuff like that should NOT be in the domestic environment. Data Protection laws need re-framing to allow for this, in the same way as a bus/train/truck driver or other professionals can stand criminal charges for mistakes/omissions that can hurt individuals - data loss can be exactly the same - especially when you have to spend months cleaning up after identity theft aided by data theft/loss

        There is a frighteningly lax attitude to the data we entrust to others and data which others hold about us of which we have no knowledge. It desperately needs tightening up. Time to stop pussy footing around.

      4. Yet Another Anonymous coward Silver badge

        Re: They have "Greater Manchester Police branded memory stick"s?

        >Do you also advocate criminal charges against anyone who loses a company USB stick, or just those who work in the public sector?

        If it harms people - yes. If I take home a list of people's credit card numbers and pins and lose it then I should get the same jail time as if I had gone round and robbed them.

        Get drunk and smash a window at work = arrested.

        Get drunk and leave a list of all the undercover MI5 agents in a strip-club = laughed off.

      5. MrZoolook
        Megaphone

        Re: They have "Greater Manchester Police branded memory stick"s?

        Big difference between Joe Bloggs losing a stick with the AGM minutes or a corporate presentation on popular colours for cars, and the plod losing personally identifiable information on members of the public, which could include informants risking their lives to keep scum crims off the streets, and thus be used as a hit-list for drugs barons.

  6. frank ly

    And the officer concerned?

    According to a newspaper report I read this morning, the officer concerned has been subjected to 'internal discipline'. I'm sure this does not involve a lot of USB sticks and a jar of lubricant, sadly.

  7. Fuzz

    "A[sic] unencrypted stick amnesty by the force's data controller.."

    So the force has a data controller? Sounds like a good place to start with the redundancies then. If your job is to look after the data and you are not then you should lose your job. This is a basic point, no sensitive data leaves the systems unless it has been encrypted.

    1. Yet Another Anonymous coward Silver badge

      Re: "A[sic] unencrypted stick amnesty by the force's data controller.."

      It does become a bit of a scape-goat job though.

      It's like the Met's race relations office.

      1, Some copper beat up a black guy it's on the news.

      2 Ok, fire the race relations officer

      3, Who's next on the list to be race relations officer ?

  8. Anonymous Coward

    "when his home was burgled"

    Oh the irony.

  9. Andy-Klockweiss

    Soak the taxpayer, again

    Things will only change when they start slinging Police Chiefs and Chief Execs of companies in the cooler to deliberate awhile on their organisations' data loss misdemeanours.

    Ooooh look, a flying pig.

    (pun intended)

  10. Anonymous Coward
    Trollface

    Subtitle

    Boys in blue go red in face.

  11. The Cube

    They don't call it the serious crime division for nothing

    Want to find the biggest criminal organisation in the UK, look for the uniforms.

    When they aren't conspiring over their evidence to IPCC or supplying dodgy coroners to sweep a murder under the carpet they are wandering off with uncontrolled data. Can't imagine why people object to the government and Police collecting data about them.

    The one saving grace is that they don't call themselves the "serious and organised crime" division, somebody there clearly realised that "organised" would just get them laughed at.

  12. ukgnome

    kept on an unencrypted memory stick

    FFS - Plod has a long way to go with security.

    I for one am now going to use vigilante mobs in future when I need a perp sorted.

  13. Mystic Megabyte
    Joke

    Drug dealers in Manchester?

    There's an app for that!

  14. zb

    Criminal record?

    Does this mean that Manchester Police are now on some sort of register of known offenders and their members barred from helping children cross the road and other potentially dangerous activities?

  15. Anonymous Coward

    From this level of security the officer's computer at home was presumably used to access this and also unsecured, unless he carried it home each night for safe keeping.

    In the worst case it would be an easy target to find what (the just as lax computer) may have been spewing out to a botnet or inadvertent p2p share, just need some names and backtrack through your botnet booty with some assumptions about file size, type etc and dates. I don't know how much of this stuff the herders keep but they could make an effort and maybe get other stuff zero day through better data mining and similar briefly open windows of attack.
