Lag log leaks - Home Office contractor loses entire prison population

In a major coup in the government data loss stakes PA Consulting - which until Monday was one of the Home Office's favourite consulting outfits - has contrived to lose the entire prison population of England and Wales. Personal details of the 84,000 people behind bars, along with those of 10,000 prolific offenders, have vanished …

COMMENTS

  1. Richard
    Flame

    How hard can it be?

    For a clause in the contracts to include punitive damages should data loss occur. In fact, it shouldn't be on data loss, it should be if the data is allowed to leave the network of the minister's mate ^H^H^H independent consultant's network. This would cover USB fobs and laptops that leave the office.

    I'm willing to bet that "processing purposes" means fannying about in Excel and the like. It's not as though there's a skills shortage for Excel fiddlers, so how is it that it's a case of "the transfer of further data to PA has been suspended pending an investigation", rather than "PA has been dropped (from a tall building) and will not work for the state until it proves it has got its arse in gear (or has separated it from its mouth)"???

  2. Anonymous Coward
    Flame

    It's not a memory stick ffs!

    I don't know why, but when people refer to what is most likely a USB flash drive as a "memory stick", for some reason I want to kill them. It saddens me that this ambiguous misuse has extended so far as to be used on El Reg of all places! Okay, maybe the Wikipedia-reading public requires a disambiguation at the top of the page (see: http://en.wikipedia.org/wiki/Memory_Stick), but really, aren't you supposed to know better?

    (Unless, of course, it really was a memory stick... but why would they do that?)

  3. Andrew Kelly
    Coat

    What worries me

    is not the loss of data but this statement from the BBC website:

    http://news.bbc.co.uk/1/hi/uk_politics/7575989.stm

    "The data on the stick also includes information from the Police National Computer of some 30,000 people with six or more convictions in the last year."

    Have I read that right? 30,000 people have six or more convictions in the last year. How the hell does someone tot up six or more convictions in one year?

    Mine is the one with its pocket being picked.

  4. Joel Mansford
    Joke

    What were they doing?

    Can anyone think of a good reason why an entire database should be dumped on to a memory stick?

    Have these people not heard of database servers - they're really cool, they have security and can be backed up and everything!

    If I were the IT manager for one of these outfits I would disable the USB ports on all machines I think.

  5. Nebulo
    Thumb Down

    The UK Government and its contractors

    are not fit to run a bath, never mind the remains of a great country.

  6. adam
    Paris Hilton

    Sheer Utter Incompetence

    This is just yet another example of utter incompetence by this Government

    "lost" laptops by the MOD, "lost" CDs of data by the NHS, HMRC, you-name-it department

    This is unforgivable, not the fact it's data from HMP, but that this type of thing happens so frequently.

    Surely I have a case to go to European Courts and claim compensation for the Govt putting my personal data at risk?

    What is the difficulty here? It's OUR data and they are playing with it like it's nothing.

    No wonder there is so much ID theft.

    Paris, because, she would never treat her "data" like a toy

  7. Jeff Deacon
    Black Helicopters

    Update please ...

    We need the story updating! Where is the Home Office comment that if we all had biometrically secured ID Cards, this sort of data loss would be completely immaterial, and could be allowed to become commonplace without inconveniencing the government in the slightest?

    We also need a "biometric ID solves everything" icon, so it will have to be helicopters instead.

  8. Andy ORourke
    Joke

    "a secure format"

    That'll be a passworded Excel file then :-)

  9. Anonymous Coward
    Anonymous Coward

    As an IT Contractor myself...

    I'll start by pinning my colours to the mast by saying that I have never voted for Labour and am unlikely to.

    The media seem to be having a field day with this news item and IMHO it is certainly a serious loss of data BUT should we be automatically blaming the government?

    In my opinion the responsibility lies with both the consulting company and the individual concerned.

    Even if the relevant gov dept passed the data on a key fob in unencrypted form I still believe that the recipient has a responsibility to look after the data in a responsible manner.

    Paris, because she can see my USB stick any time

  10. Dangermouse

    *sigh*

    There are just so many things wrong with this that it's hard to know where to start.

    Secure format?

    ID Card development?

    Downloaded "for processing purposes"?

    Anybody suspended?

    PA Consulting sacked for breach of contract?

    PA Consulting prosecuted for breach of RIPA or DPA?

    I despair. I really do despair.

  11. Nomen Publicus

    No accident?

    The time has come to consider that apparently losing personal data in this manner is a deliberate policy of the government...

    They have made SO much noise about ID cards and the wonderful database that will support them that they cannot back down without a very good reason. But we cannot afford both ID cards and the Olympics - one has to go and it better be ID cards because nobody wants them and cancelling the Olympics would be a career limiting decision.

    So, pretend that the government and all its friends in the IT business leak like sieves and there is suddenly a good reason to postpone or cancel ID cards which doesn't look like a policy U-turn...

  12. Jeff Bennison
    Paris Hilton

    Why oh why don't they get it

    Is it just me or is this just common sense to protect this type of data? Policies, Standards, laws and contractual obligations don't even come into it. It's sensitive data so protect it. FULL STOP FFS

    It's the same as protecting stuff like the PIN number for your own bankcard. It is just SOOOOOOOOOO simple it's a joke when stuff like this happens again and again and again. A lot of people should be sacked for this kind of balls up.

    On the bright side I wouldn't mind being a contractor charged with sorting it all out.....chi ching as the cash rolls in.

    Paris as she certainly knows how to handle her sensitive details ;-)

  13. Anonymous Coward
    Anonymous Coward

    Well, that puts the ID Card project to bed then..

    Out of interest, any signs of established and monitored ISO 27001 compliance?

    If yes: how could this happen?

    If no: why are they allowed this work?

    In either case: how did they ever pass those NAO audits?

    Just asking..

  14. Anonymous Coward
    Anonymous Coward

    @Glitter

    Watch for the Home Office to make some knee jerk extra law while the media topic is hot.....

    You know, Jacqui will be out there doing the 'oh won't someone think of the children' act and proposing some quick fix she hasn't thought through. Government for the hysterical housewife BY the hysterical housewife. :)

  15. dervheid
    Black Helicopters

    I've heard it reported...

    that Plod is 'investigating' this.

    Strange. I don't recall Inspector Knacker being called in over any of the other cases.

    Is this due to it being the apparent fault of a 'consultant' this time round?

  16. Anonymous Coward
    Anonymous Coward

    Only 84,000

    These data losses are getting to be two a penny. What I find surprising is that there are only 84,000 inmates. I blame the police, they are not doing enough to get the rest of the population behind bars.

  17. Anonymous Coward
    Alert

    new rule required

    Government contractor + data loss = no more contract.

    Since I am wishing for the extremely unlikely ...

    Government agency/ministry/department + data loss = sacked minister

    Or, for the completely fanciful:-

    Data loss = disclosure (as legal requirement i.e. by Law).

  18. Anonymous Coward
    Anonymous Coward

    Sensitive Personal Data

    What's more, not just Personal Data but Sensitive Personal Data, within the definitions of the Data Protection Act.

  19. Anonymous Coward
    Coat

    And PA stands for?

    When I worked for the Home Office we decided that the PA in PA Consulting stood for Piss Artist. They were a bunch of useless morons back in the 1990s and I see nothing has changed.

  20. John Lettice (Written by Reg staff)

    Re: It's not a memory stick ffs!

    It may well not be a memory stick. I would hazard a guess that it most certainly is not a memory stick. However, the Home Office says it is a memory stick, and I see no purpose to me arguing the toss with them about that. You go flame them if you like, but leave us out of it.

  21. James Robertson

    And these are the idiots they'll trust with a National ID card?!

    This is the ultimate argument against ID cards; forget the issues about privacy and the ability of the state to snoop on you; how you'd have to trust every government from now on with that much data on you - forget all those issues: it comes down to basic competence.

    These incompetent fecktards are just incapable of imposing information security.

    Do yourself a favour and get over to www.no2id.net and sign up.

  22. Astarte

    Another Stick-Up

    I really despair about such security failures. Even the most elementary precautions would help.

    Everyone in the chain of command from the individual responsible to the top of the organisation should be penalised for failing to implement appropriate security procedures.

  23. Mike Smith
    Black Helicopters

    Today's conspiracy theory

    "In its capacity as one of the Home Office's favourite consultants, PA was the development partner for the ID card scheme"

    Hmm, interesting. Wonder if the two are related?

    Most likely someone's just pocketed the thing. They're easy to conceal. We have a ban on putting sensitive data on memory sticks for exactly that reason, encrypted or not.

    But if someone in the PA office wanted to do their bit for Harry, England and St George by trying to undermine the Home Office's blue-eyed boy, this would be a pretty good trick to pull.

  24. Anonymous Coward
    Paris Hilton

    ID Theft? Excel? Shurley shume mishtake?

    Should we take any joy in the notion that persons convicted of ID Theft have now had their own identities stolen? - ok, raises only a small titter...

    As for the Excel spreadsheet, that seems a preposterous suggestion - I mean, 84K rows...

    Obviously that means two spreadsheets...

    Paris - cos she too has a record... I'd bang her up... more banality etc. etc....

  25. Anonymous John

    Re I've heard it reported...

    Plod (iPlod?) were called in when HMRC lost the two CDs last year.

  26. sw1sst
    Thumb Up

    Nice one. Classic.

    .....another government initiative of reintegrating lags back into society,

    This new "scheme" is called ID FRAUD.

    I was always told that crime didn't pay.

    Now, it doesn't have a choice, the first it'll know about it is when it gets declined and it realises its overdraft limit is reached.

  27. JCL

    @ I've heard it reported...

    I seem to remember by law govt. departments can't (won't) be held accountable for their misguided mislaying of memory sticks. Culpable contractors and consultants on the other hand will be.

    It'll all blow over, then a few months down the line the consultancy will be straight back in Mandelson style.

    I hope their public liability insurance is up to date.

  28. Frederick Karno
    Paris Hilton

    Typical home office.

    These are the people who constantly tell us they are able to defend our country against security threats.

    Please stop blaming the contractor, it is the Home Office's fault. They obviously haven't put any measures in place since the revelations about other massive losses.

    IMO the only way to get public confidence back "IF they ever can" is to make it a criminal offence to lose data. It's a weekly occurrence in government now that a minister stands up, says it's not our fault (Venus is out of alignment with Saturn) or some such excuse and we will put in place stiffer measures (which hasn't happened in 2 years).

    There is absolutely No, I repeat NO, reason why this or any other data had to leave its place of residence. The contractor should do his work on site and obviously under supervision... for this very reason!!!!!

    Even Paris beefed up security after her data loss.

  29. Anonymous Coward
    Paris Hilton

    And they are not using encrypted USB Flash drives

    because?

  30. Anonymous Coward
    Stop

    Good timing

    Excellent timing by the contractors to lose this data just 4-6 weeks after 7 (yes 7) Data Handling Reviews by the Gov.

    The Burton review (MOD)

    The Coleman Report

    Data Handling in Government (Scottish Gov)

    Data Handling Procedures in Government: Final Report

    The Walport Report

    The IPCC Report (HMRC)

    The Poynter Review (HMRC)

    Nice to know that the Home Office and its contractors haven't bothered to read or adopt any of the recommendations within these.

  31. breakfast Silver badge
    Paris Hilton

    @Jeff Bennison

    I think that was the first genuinely funny reason for the Paris icon that I've ever seen on a Reg comment. Awesome.

  32. Anonymous Coward
    Anonymous Coward

    The police are doing their jobs, Curfews not counted

    "What I find surprising is that there are only 84,000 inmates. I blame the police, they are not doing enough to get the rest of the population behind bars."

    Nah the police are doing a fine job, they got a whole town to imprison itself for nightly lock down, none of that lot are counted:

    http://news.bbc.co.uk/1/hi/uk/7550221.stm

    No messing there, they got a new power to issue anti-social behaviour orders without judicial checks, and suddenly they have the power of 'voluntary' curfew..... sure it's 'voluntary' but if you don't 'volunteer' we'll use one of our police state powers against you citizen.

    Curfew in Britain, I never ever thought I'd see curfews in Britain in peace time.

  33. Joe

    "How the hell does someone tot up six or more convictions in one year?"

    Arrest burglar. Burglar's home has much loot in it. Burglar "asks" for 74 other offences to be taken into consideration.

  34. Nigel Wright

    F*ckwits

    LOL. You couldn't make this stuff up. "Trust us with your data, we know what we are doing". "If you've done nothing wrong you have nothing to fear".

  35. Dunstan Vavasour
    Boffin

    Desktop Virtualisation

    So we've all had a jolly good steam out of the ears rant about this.

    Back in the old days, users would be sitting in front of a terminal on a mainframe - the data was back in the computer room. Data loss was rare, because it was only physically available in the datacentre.

    Today we have various security models, with data slooshing round inside various security domains. In many situations, there are lots of users within some pretty large area with perimeter security - and this is the only security level. In this case, it would appear that a standard PC was inside the security domain where the data was available in plaintext.

    We come back to the basic shortfall: legitimate users shouldn't have access to the data, they should have a view of the data. If some Excel jockey wants to play with the prisoners' details, this should be done on a machine in the datacentre to which he has a view - there are now plenty of appropriate technologies.

    As far as I'm concerned, the problem isn't that the data was put onto a USB stick, it is that the data *could* be put onto a USB stick.

  36. Mark

    re: As an IT Contractor myself...

    But this is how the governments of the west manage to do things they aren't allowed to do.

    E.g. can't spy on your citizens? Pay a company to do it.

    In this case, the government can screw up in any way they need to and just say "we are instituting new measures so this won't happen again" and hope like heck people have forgotten when it happens again. Better is to outsource it to a business: you can then blame them for your incompetence.

  37. Anonymous Coward
    Anonymous Coward

    Let's blame Brown

    I know there's an argument that the PM isn't directly responsible for this but in a way he is and it's great fun to see him squirm. Brown you big fumbling plonker, look what you've done now!!

  38. Charlie
    Unhappy

    It's about time these sorts of errors were criminally accountable

    Perhaps the threat of some jail time would make some of the suits pay attention to things like encryption and physical security.

    It works with Health and Safety legislation and posting false company accounts is a criminal offence so why not negligent loss of private data?

  39. Mat

    "How the hell does someone tot up six or more convictions in one year?"

    Simple - Own a car.

  40. Block
    Paris Hilton

    Zoink

    94,000 files, probably a decent capacity memory stick then.

    Probably full of porn by now as I expect anyone at this PA place could just steal the data without 'losing' a memory stick (sorry, USB flash drive).

    Paris: Do I really have to explain.

  41. John Dallman
    Thumb Down

    All these portable devices...

    It's clear that organisations who handle data about people need one policy change, straight up.

    You do not put other people's personal data onto portable computers or storage devices. Period. No special cases, no approval processes; you just don't do it.

    First offense is disciplinary. Second is sacking. No, we don't care if you're the head of IT security. Sacking.

    Bank workers don't take piles of cash home to count as part of their job, do they? The security-controlled data I work with doesn't move off its server: people know they can't have it on laptops, and they don't.

  42. Anonymous Coward
    Anonymous Coward

    responsibility

    I have to say even though the data was lost by a consultant firm it is still the responsibility of those that gave the firm the data.

    I'm sure MinJust knew this kind of thing was a common practice but ignored it out of convenience.

    It's like knowing your bucket is leaky, giving the leaky bucket to a guy, telling them to get you water, and then cutting his head off for bringing back an empty bucket.

  43. mittfh
    Flame

    It's not just central government...everyone's losing data!

    A couple of years ago a consultant working for Worcestershire lost a laptop containing that county's payroll database. Outside the county. The database was apparently encrypted...

    The East of England Strategic Health Authority reported back in March of the loss of a UFD (I refuse to misappropriate the Sony device) containing the records of 35 patients, and printed details of a further 25 dumped in a bin.

    Also in March, HSBC managed to lose a CD containing customers' names, dates of birth and insurance details.

    Back in October, Queen Mary's Hospital in Sidcup somehow lost 25 years worth of employee information stored on microfiche, together with the reader. Leeds Building Society also lost employee records when it relocated its HR department.

    A survey by The British Chambers of Commerce covering e-crime and businesses in the UK found that 19 percent of the 3,900 businesses that responded had suffered data loss because of a virus and 8 percent reported having laptops stolen.

    Which brings me onto another question. When organisations lose "encrypted" information, would they mind telling us how strong the cipher was? Theoretically you could claim a ROT-13 transformation is encryption, and the ciphers used by MS Office and previous versions of WinZip were notoriously easy to crack...

    Fire, because you can be fairly certain data lost in the process can't be reused by people with malevolent intentions...

  44. DZ-Jay

    Wow, I'm impressed!

    Your guys may just be as incompetent as ours on this side of the pond. And that takes some high ranking, tenacious idiocy; by no means a small feat. I'm impressed.

    -dZ.

  45. Bronek Kozicki
    Coat

    @Nomen Publicus

    That's a good one!

  46. Peter Gathercole Silver badge
    Stop

    Securing data is not genetic engineering...

    ... sorry, rocket science is too simple now.

    Here are a number of measures which SHOULD be made compulsory wherever government held information is used.

    - Put a robust RFID chip as an integral part of each official USB Flash drive.

    - Put shoplifter-type security (or even make it prevent operation of the turnstiles) on all exits in secure facilities.

    - Do not use generic RFID tags, track specific tags (to stop someone identifying a secure USB device as the holder walks around a shopping centre).

    - Have Official USB flash drives tracked, and holders made responsible for their loss.

    - Do not allow official flash drives to be held for extended periods.

    - Have a specific process to allow tracked USB flash drives to be removed from secure sites.

    - Change the USB ID on the official drives so that they do NOT appear as a generic storage device, so it becomes more difficult to read on ordinary PCs.

    - Put the required driver on all systems required to use the official stick, and have it use automatic strong encryption as the data is accessed.

    - Don't allow the specific driver to be installed on non-official PCs.

    - Regularly rotate the keys on the specific driver and flash drives (this can be done with the flash drives by making holders regularly check the drives in).

    - Clean all data from checked in flash drives when they are checked in to prevent people from using them as a backup mechanism.

    - Ban the use of personal USB flash drives (or the use of phones or watches, or whatever else provides this type of function) from secure sites as part of policy.

    - Disable the USB storage device handling drivers in all systems that can access private data to prevent non-tracked USB flash drives being used (I know this is difficult, but it should not be impossible, even if it means you have to put PS/2 keyboard and mouse ports back into PCs).

    - Enforce the already existing GSI Security requirements for all government held data.

    I'm not saying that this will make our data totally secure, but it would be a step in the right direction. It would prevent casual examination of misplaced devices. It would not stop a concerted attempt to steal data, but what would.

    Very little of this is particularly complex or expensive, as most of the barrier security and procedures already exist in secure government locations.

    BTW. This counts as Prior Art in the unlikely event that I am the first person to put all of these ideas together.
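Two of the controls in the list above (only tracked official drives may be used on systems that hold protected data, and drives must be checked in regularly rather than held indefinitely) can be enforced by auditing observed USB events against a device register. The following is an added example, not code from the commenter or from any government system; the register schema (vendor_id, product_id, serial, holder, last_checkin), the 30-day hold limit and the device records are all constructed assumptions.

```python
"""Audit USB mass-storage events against a register of tracked official drives.

Added example. Implements two controls from the list above:
  (1) flag any mass-storage device that is not in the tracked register;
  (2) flag tracked drives whose holder has not checked them in recently.
The register, the event records and the field names are constructed sample
data and assumptions, not any real inventory system's schema.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy: a tracked drive may be held at most this many days
# before it must be checked in (and wiped / re-keyed).
MAX_HOLD_DAYS = 30

# bInterfaceClass value for USB mass storage (from the USB class codes).
USB_CLASS_MASS_STORAGE = 0x08


@dataclass(frozen=True)
class TrackedDrive:
    vendor_id: str       # USB idVendor, four hex digits
    product_id: str      # USB idProduct, four hex digits
    serial: str          # iSerial string reported by the device
    holder: str          # person the drive is issued to
    last_checkin: date   # last time the drive was checked in


@dataclass(frozen=True)
class UsbEvent:
    host: str            # workstation that saw the device
    vendor_id: str
    product_id: str
    serial: str
    interface_class: int


def device_key(vendor_id: str, product_id: str, serial: str):
    """Normalise the identifying triple so hex case differences do not matter."""
    return (vendor_id.lower(), product_id.lower(), serial)


def audit(events, register, today):
    """Return (event, finding) pairs for every event that needs attention."""
    tracked = {device_key(d.vendor_id, d.product_id, d.serial): d for d in register}
    findings = []
    for ev in events:
        if ev.interface_class != USB_CLASS_MASS_STORAGE:
            continue  # keyboards, mice and other non-storage classes are ignored
        drive = tracked.get(device_key(ev.vendor_id, ev.product_id, ev.serial))
        if drive is None:
            findings.append((ev, "untracked mass-storage device"))
        elif (today - drive.last_checkin).days > MAX_HOLD_DAYS:
            findings.append((ev, f"tracked drive overdue for check-in (holder {drive.holder})"))
    return findings


# Constructed sample register and event records (not real devices or people).
REGISTER = [
    TrackedDrive("0781", "5567", "GOV-0001", "a.smith", date(2008, 8, 1)),
    TrackedDrive("0781", "5567", "GOV-0002", "b.jones", date(2008, 6, 1)),
]
EVENTS = [
    UsbEvent("ws-01", "0781", "5567", "GOV-0001", 0x08),  # tracked, checked in recently
    UsbEvent("ws-02", "0781", "5567", "GOV-0002", 0x08),  # tracked, held far too long
    UsbEvent("ws-03", "13FE", "4200", "07041FF6", 0x08),  # personal drive, not registered
    UsbEvent("ws-03", "046d", "c31c", "", 0x03),          # HID keyboard, ignored
]


def run(today: date = date(2008, 8, 22)):
    """Audit the constructed sample data as of the given date."""
    return audit(EVENTS, REGISTER, today)


if __name__ == "__main__":
    for ev, finding in run():
        print(f"{ev.host}: {ev.vendor_id}:{ev.product_id} {ev.serial or '<no serial>'} - {finding}")
```

Run as a script it reports the overdue official drive on ws-02 and the unregistered drive on ws-03, and says nothing about the in-date drive or the keyboard. In practice the events would come from the endpoint's device logs and the register from the issuing desk; the point is that the decision is a lookup on the full vendor/product/serial triple, so a generic stick of the same make as the official ones is still flagged.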

  47. h4rm0ny
    Paris Hilton

    How do they know that they lost it?

    I mean, it's possible that they found out they lost data. Somebody can come in and say to their manager "Whoops, I lost that pen drive you gave me, I think I left it on the bus..." But honestly, it would be so easy to take this data without anyone knowing that you wonder how anyone could get caught doing this deliberately. Or even how long the company took before they gave up looking and admitted it to the government. A pen drive could so easily be down the back of someone's sofa. The conclusion, I guess, is that it's actually quite possible someone wants it to be known that data has been leaked, in which case we should be asking who benefits?

    Paris, because she knows all about "accidentally" leaking private data.

  48. johnB
    Unhappy

    But unfortunately...

    Just as I was building up to demanding that this latest Home Office debacle should lead to Jacqui Smith finally doing the honourable thing & resigning, I find it's actually Jack Straw's dept.

    Damn.

  49. Anonymous Coward
    Black Helicopters

    USB memory devices

    Unfortunately, they are just too useful.

    Where I am, they have recently effectively banned their use, and have told everyone to use CDs to move data between discrete security zones, and to ensure that these disks are destroyed after use. Unfortunately (or maybe by design) there are actually very few systems with CD-ROM drives, let alone writers, on the secure networks.

    This makes it extremely difficult to get things like UNIX patches, new products or bespoke released code to the systems that need them.

    In order to get access to a secure machine room to put a CD into a drive in a physical server, it is necessary to have a documented change scrutinised by a weekly security board. The whole process takes at least 3 days, depending on when you realise you need the material. Compare this to using a flash memory device which allowed you to just copy, remove, insert, and copy the material at will.

    I trust you can see why government projects over-run, and are so expensive.

  50. N

    Here we go again

    This time, it might just benefit us all if someone did publish the data on the net.

    ...but unfortunately it's the same fools who want national ID cards, well hopefully that's dead & buried now

  51. John Lettice (Written by Reg staff)

    Re: But unfortunately...

    Straw's data, Jacqui's contractor. But the PNC stuff I assume is Jacqui's data. So go ahead...

  52. Anonymous Coward
    Paris Hilton

    Am I the only person here...

    ...pleased that criminals are exposed to the possibility of getting a dose of their own medicine? I would find it hilarious if some fraudster had their loot pilfered by another ID fraudster. I also like the idea of some of these individuals suffering from said crime, such that they reconsider the effect of their own actions. The lack of empathy seems to be such a characteristic of such people, that perhaps this might inculcate some.

    OK I know the above is pure shite on my part and that by no means all lags/ex-lags fall into the above category, it is pure fantasy really. I also realise the idiocy of saying that 'criminals can't enjoy the protections of the European Convention on Human Rights, but they should respect others' human rights'; but -

    perhaps the lesson from these data losses is just that data is no longer sacred and liability for securing title to assets should lie with banks and similar organisations - it should be incumbent upon them to secure the most material assets, and we should just not worry too much about the rest?

    Oh, and the other lesson is that until every civil servant is paid £1 million each a year, and has an IQ of 180, and gives a damn, nobody should mention the words 'secure' and 'ID card', in the same sentence?

  53. TeeCee Gold badge
    Stop

    "Home Office contractor loses entire prison population"?

    I thought that this one was going to be SSDD. Then I read the article and found that they'd lost some data about prisoners rather than the prisoners themselves for a change.

    Sort of less of a big deal than usual for HMG then.

  54. ReadyPeople
    Coat

    Oceans 84000?

    Perhaps this is just a viral marketing campaign for the latest instalment to follow Ocean's Eleven, Twelve and Thirteen.

    Give it 20 years and there should be enough room to store the prisoners themselves on a memory stick - that should solve the overcrowding problems.

    Mine's the one with a file, hidden in a cake, hidden in the secret pocket

    ReadyPeople - starting up the Essex .NET Developers Group - Interested?

  55. Anonymous Coward
    Anonymous Coward

    Just stabbing in the dark, but...

    Let me guess, the data was neither anonymised nor encrypted? I assume it's also reasonable to assume no one in MinJus or PA Consulting will be found at fault.

    So it's only a matter of time before the National ID database is downloaded for 'processing' and left lying around by someone from PA.

  56. Danger Mouse

    The Scenario

    How it played out in my mind.

    Home office bloke "John, we need some analysis of this data"

    John from PA "Ahhh, alright, dump it to csv file on this stick, I'm working from home tomorrow I'll do it then"

    Home office bloke "Golf this weekend?"

    John from PA "Sure why not"

    Home office bloke "Here's your stick back, see you Saturday"

    John from PA "see you then"

    John returns to office via a pub lunch on expenses, sits down at his desk, turns on his laptop, inserts USB stick, opens up expenses spreadsheet, does a bit of fiddling, saves it, removes it and places it on his desk just above the bin. Finishes up for the day, knocking his USB stick into the bin in his rush to beat the queue out of the car park.

    Impossible, I hear you say. Nope, I've seen a previous 'manager' do exactly that; in my case he was fortunate that I had to look for a Post-it note with a phone number that I passed him early on in the day. I did let him sweat for a couple of hours the next day before sliding the key back on his desk after he informed his director. And no, I didn't like working for him :).

  57. Anonymous Coward
    Alert

    Enough!

    I personally don't handle data that's as critical as the data the government and their contractors (mis)handle on a daily basis.

    However, I have to say that I consider ANY data that isn't my personal data to be vitally important to the owner or those the data might refer to. My own data's pretty important to me too, because I know what the implications of data loss can be. So my security is my affair.

    I'm constantly appalled by the cavalier way such data is treated by customers themselves.

    It has to be said that by and large the people in question are, basically, muppets.

    They have little or no conception of the risks they take on a daily basis - worse, they won't be told. They assume everyone else is stupid, they are smart, and it couldn't possibly happen to them, so precautions are a senseless waste of their, oh so valuable time.

    Myself, I've never (yet) lost data by 'losing' a USB 'thumb drive', CD/DVD, external HD, or a laptop (a laptop FFS! HOW do you manage that?).

    Customers REGULARLY lose USB 'thumb drives' and CD/DVDs.

    No one I deal with has yet managed to lose a laptop, though with a couple of them I feel it's only a matter of time...

    Yes, the Government is ultimately to blame. The decision to employ staff/consultants is their responsibility.

    But, it's abundantly clear that individuals and firms are being employed who are of the caliber of many of my customers.

    'It won't happen to me, because I'm too smart / know what I'm doing / don't need to waste my time taking precautions'

    'Muppets'. All parties involved.

    The solution? Accountability. The buck stops at the Cabinet Minister in question's desk. No more 'investigations' designed to stall the matter until it's forgotten. No more 'It won't happen again' - because it clearly will.

    Simple rules:

    'You lost xxxxxx? - clear your desk'

    'Your downstream staff member lost xxxxxx? - clear your desk'

    'Your firm lost xxxxxx? - contract terminated and no further employment'

    'Your department engaged this firm that lost xxxxxx? clear your desk and kiss your pension bye-bye'

    No excuses.

    Also - since the government is so damn keen on databases, how about a database blacklist of individuals, firms and directors of firms involved in data loss incidents? So it is possible to ensure none of the individuals involved are ever employed on government work again?

  58. Kwac

    Ms Smith cop out

    "Ms Smith said the government had held the data securely but PA Consulting appeared to have downloaded it, contrary to the rules of its contract."

    BBC News

  59. Anonymous Coward
    Anonymous Coward

    Sigh - it won't change anything..

    I suspect the usual will happen: the sap who lost that stick (stupid, but human failure should always be planned for) will get the sack, but the management who failed to put directives, policies, software and audit in place to keep things safe will at most get a slap on the wrist with a wet noodle - and still pick up their bonuses for all the profit they made at the taxpayers' expense.

    No news here, please move along, just pay your taxes..

  60. Peter Gold badge

    @ Enough & black lists

    Blacklists won't work.

    They'll lose them..

  61. Anonymous Coward
    Anonymous Coward

    @ Good timing

    Given that just about everything has been outsourced to contractors/consultants, any idea who did those reviews? Just musing.

    Oh, and why did nobody check that the contractors really did what they promised? I do vaguely recall some standards being demanded in most Gov contracts, and even 4 years ago there were various consultancies promising more than they delivered (mainly because implementing it would detract from their beloved profits/bonuses).

    I guess now the search is on for new friends in Government..

  62. Anonymous Coward
    Thumb Down

    Terribly honest consultants.

    At least someone owned up to losing the data.

    If your job is on the line.. Lie !

    Where's that USB drive I gave you? Dog ate it... sorry.. I'd already removed all the data on it, here take one of mine instead.

  63. jack horner
    Black Helicopters

    HAHAHAHAHAHAHAHAHAHAHAHA....................

    Do 'Private Contractors'* have to pass any sort of certification or vetting procedure before being allowed to lose heaps of personal data - or can anyone do it?

    On the bright side - the recruitment of villainous henchmen just got a whole lot easier! HaHaHaHa...etc (Evil laughter echoes around interior of hollowed out volcano).

    (*English translation: Money-hungry spivs with the right connections)

    Thanks

  64. Anonymous Coward
    Thumb Up

    @ Enough & black lists

    "Blacklists won't work.

    They'll lose them.."

    NOT if they are tattooed on the PM's face :-)

  65. Anonymous Coward
    Black Helicopters

    @ the idiots they'll trust with a National ID card

    James, it may be worth investigating just who was involved in the feasibility study.

    The answer may not come as a surprise, but as a hint, there was no conflict of interest whatsoever (that's meant sarcastically, btw).

  66. yeah, right.
    Black Helicopters

    got me thinking...

    One of the posts above got me thinking. If the UK gov "loses" data on everyone in the country, that means they can do lots of scaremongering about ID theft and the likes. Then they could sell a "National (Anti-)ID(theft)" card to all those scared-silly punters that they claim will make ID theft a lot less likely. There are probably enough stupid people in the UK today to perhaps make such a scheme work.

  67. Anonymous Coward
    Thumb Down

    @Ms Smith cop out

    Aha, I see the hand of D.O.P.E here, well if it was secure then the contractor would not have been able to download it.

    Wacky Jacqi, null points

    Can we have a WJ icon please?

  68. Anonymous Coward
    Paris Hilton

    @ Jack Horner, re vetting procedures

    Go to http://www.cesg.gov.uk/site/clas/index.cfm (CESG Certified Listed Advisory Scheme) and fill in "PA Consulting".

    A company can only appear in the "competent to perform security work" category on GCAT (Government CATalogue of accredited companies) if it has CLAS certified people.

    However:

    - a company only needs ONE (1) such accredited consultant to become listed as a whole (yes, even with the 2..3k people PA Consulting appears to have) so it's made dirt easy to game the system (no idea if the specific people themselves are vetted, given the recent cock-ups I have my doubts)

    - the whole process is tick box driven and easy for people with half a brain cell. I presume that is because they would otherwise not be able to get anyone at all, a theory underwritten by this latest stunt.

    So, let's sum up:

    - the club that hacked the ID Card justification and the scheme itself together has screwed up badly, to the point that it has become a political bomb

    - so far there is no evidence that there were ANY procedures and policies in place (gov/consultancy) that would have prevented such an event

    - the selection process for such a company appears to be holed below the waterline as well

    - nobody is in the least surprised, just resigned that it happened yet again

    What I want to know is which politician will now have the unmitigated gall to state that ID Cards are still a good idea. The Gov lacks competence, and so do their advisers. And it's not like that hasn't been a lot of "I told you so" already.

    What I like is that it's now weekend. They'll have to sit on this for the whole 2 days before they can do something about it. Sorry to be a bastard, but I rather enjoy the timing..

    Paris, because she at least learned after her contacts were stolen off her phone..

  69. Harry Stottle

    @Dunstan Vavasour

    Well said sir.

    A number of comments have focussed on introducing/increasing "criminal" penalties for data loss. This would be neither effective nor realistic. Furthermore it does no more than reinforce the ill-IT-irate approach of the Government's existing incompetent attempts at Security Theatre. They THINK you can impose security with rules constraining humans. Wrong.

    As Dunstan puts it:

    "As far as I'm concerned, the problem isn't that the data was put onto a USB stick, it is that the data *could* be put onto a USB stick."

    The reason The Law cannot possibly help is that it is quite impossible to create a "proportionate" penalty. Why not? Because the point of penalties is to act as a deterrent and whether a penalty is a deterrent depends on the value of the data to the attacker - which is not something under our control.

    Yes, we might deter casual theft or incompetence with a fine of a few thousand quid, or a prison sentence. But if the purpose of the theft is serious enough (obvious example terrorism) then no penalty is going to have the required deterrent effect and it's THAT kind of attack we should be most concerned about. And the ONLY protection against that kind of attack is to make it physically impossible for attackers to get at the data. Dunstan again:

    "We come back to the basic shortfall: legitimate users shouldn't have access to the data, they should have a view of the data."

    And, in cases like the present example, they shouldn't even have a view of the "real" data. For the purposes of research, there is no obvious reason why they cannot have an anonymised view of the data, where any sensitive identifiers have been replaced with pseudo-data.

  70. Anonymous Coward
    Paris Hilton

    Somebody lend the BBC a picture of a memory stick...

    The news.bbc.co.uk coverage of this item featured a photograph of a plug belonging to some USB device or other (as is obvious from the lead trailing out of the back).

    I hope the device in question was a USB flash or an SD card rather than the memory stick quoted - wouldn't want public money wasted on overpriced Sony proprietary crap.

    Paris because she sticks in ones memory

  71. RW
    Unhappy

    PA Consulting

    Just why are they so favored by NuLab when, according to other comments, they've long since demonstrated their incompetence? Political connections, just perhaps? Or does our Jacqui have a thing for the MD?

    And whatever happened to the concept of ministerial responsibility, one of the cornerstones of the British constitution, pray tell? Jacqui Smith should have resigned long ago given the number of complete fiascoes that have happened under her guidance. The issue isn't whether she's personally responsible; it's that she has to take responsibility for both the good and the bad that occur on her watch. The woman's clearly out of her depth; AC's remark "Government for the hysterical housewife BY the hysterical housewife" is absolutely on point.

    Of course NuLab as a whole is clearly out of its depth. Its persistent discounting of intelligence, competence, education, experience, and skills in favor of political correctness and adherence to the party line means that now, after 11 years of NuLab, the Civil Service (or what's left of it) is infested with stupid political hacks from top to bottom. With the best will in the world, it will take decades to rebuild the British civil service, once the envy of the world.

    Anyone have any insight into the morale of the civil service?

    It would be funny if it wasn't so sad, seeing a once-great nation ground down into the current mess by a bunch of dimwitted ideologues.

  72. Andus McCoatover
    Joke

    @@ Enough & black lists

    <<"Blacklists won't work.

    They'll lose them.."

    NOT if they are tattooed on the PM's face :-)>>

    Er, what if Obama's our new poodle-caretaker PM? S'pose they'll have to be "Whitelists"?

  73. Boris the Cockroach Silver badge
    Pirate

    Not this again

    I used to be one of the despised civil servants working for the MoD in a secret job (in fact so secret, not even I knew what I was doing :=} )

    On the first day, all the new people were bluntly told:

    "You will keep all classified and above materials securely on site, you will not take them off site, and if part of your job does involve you taking them off site and you lose them, you will be subject to various penalties ranging from loss of job to 5 years in prison"

    My question to the minister currently in charge is..... who's been fired for the breach, and what criminal charges are being considered?

  74. Simon
    Coat

    The database of all UK citizens will be defeated but...

    it no longer matters. These data leaks are just the way the government is getting around the issue. No doubt every time there is a leak announced someone in a trilby and reading a broadsheet (with 2 holes cut in it), standing on a corner somewhere in Westminster is collecting it. Surely this is why no minister is having to forfeit their job.

    The one with the coat because that's the guy who is uploading the missing data to the government's everyone database.

  75. Anonymous Coward
    Anonymous Coward

    @Christopher P. Martin

    "I don't know why, but when people refer to what is most likely a USB flash drive as a "memory stick", for some reason I want to kill them."

    Could it be because you're very anal?

  76. Anonymous Coward
    Coat

    @ Anonymous Coward

    "- so far there is no evidence that there were ANY procedures and policies in place (gov/consultancy) that would have prevented such an event"

    Apart from the fact that Jacqui Smith on the one o'clock news specifically said that the Home Office and "The Contractor" had specific processes in place.

  77. Chris
    Paris Hilton

    Breach of contract...

    Is that really as far as Ms Smith will go? FFS heads should roll for this, esp. after all the previous cock-ups. Prison even. This should *NOT* still be happening. The question is not how was the data lost, but how on Earth was the data accessed in the first place. Contractors should not have unfettered access to this kind of data without a very, very good reason.

    Like others have said, this is confidential data that's been lost. In any other business you'd be out the door with your P45 in your hand faster than you can say, 'Paris Hilton.'

    This government take the absolute piss and Gordon will be out after the next (soon to be lost) by-election and Labour soon after, I hope!

  78. kain preacher

    Hmm just a thought

    Could I not pay my taxes in the UK and then say, hey, I paid, you chaps lost the records. Not my fault.

  79. Gulfie
    Thumb Down

    This is what happens...

    When you run government IT on a shoestring.

    Actually, PA are one of the better consultants working for the government - I've worked with them, EDS, CapGemini, Detica and Capita, all bid bargain basement prices so the service provided is straight from poundland...

    The government is reaping what it has sowed...

  80. Anonymous Coward
    Paris Hilton

    Mr Pedant makes a comment

    Just a small factoid... but pertinent all the same. The data is not lost. The storage device is lost (flash drive/USB/memory stick whatever). The problem is not one of lost data because the original database is still valid, but more one of "someone ELSE may now have a copy".

    PS - recommend we re-introduce quartering for politicians, anyone got a couple of spare horses?

  81. Anonymous Coward
    Anonymous Coward

    How incompetent is this country?

    I am looking for a refund on everything that has been enforced, by this lousy bunch of swindlers.

    There is not one iota of good in any of the public sector from education, policing, military, governance, and now the prison service, only the library service to go, oh wait.

    It just goes on, we must be able to fire the lot of them, confiscate their property, stick them all in rowing boats and shove them off Dover beach, let the French deal with them :)

  82. Anonymous Coward
    Anonymous Coward

    Darn!

    I feel so much safer in the knowledge that my personal details will be secure once the UK introduces the national ID database and cards.

  83. Anonymous Coward
    Anonymous Coward

    @nomen

    More like the Government (etc) are losing them on purpose because by making us all open to identity theft, it is proving the case for needing an intense 'identity proving' database. How very convenient.

    ID cards are supposedly needed because we need a way of proving EXACTLY who someone is. A driving license, bill and passport aren't enough, and can be faked.

    So they'll say that it doesn't matter if someone has your name and address, because in future, with the ID cards, they will need to have your fingerprints and retinas too. Otherwise they will get nowhere.

    (Although I give it less than 5 years before criminals are able to somehow 'steal' fingerprints and dupe eye scanners)

  84. Anonymous Coward
    Thumb Down

    2 things.

    "The data was held on PA's computers, in "a secure format" according to the Home Office, but was downloaded onto a memory stick and "for processing purposes." This was then lost. A search of the company's premises has failed to recover "

    It's completely irrelevant how secure it was last year, last week, or yesterday, if it has gone balls up today.

    Is that honestly supposed to (re)assure ANYONE of ANYTHING? Or has it just become such a habit to include a line like that whenever shit hits the fan?

    Secondly, it couldn't have been that secure if it managed to get easily transferred onto a freakin' PORTABLE USB stick by some random person.

    THEN subsequently lost.

    I suggest that any sensitive data should have to be stored on something so large that it's impossible to misplace it (so I guess it will have to be bigger than a laptop...) I mean, if you REALLY need to use a tiny memory stick, is it too hard to attach it to a keychain/lanyard so that you CAN'T possibly lose it? Or to have one of those beeping key finder devices attached to it?

    Common sense people. If you're so stupid that you lose small things then at least have the sense to attach them to something that makes it a bit harder for them to disappear. Or something that can locate them when they inevitably do.

    Seriously.. They expect us to believe our information is secure? Why are people allowed to make copies of ENTIRE databases whenever they want, presumably without any sort of special permission or supervision?

  85. I. Aproveofitspendingonspecificprojects
    Happy

    You lucky people.

    I think we should all have ID cards, not just the few who travel on London trains or break into civil servants' cars.

  86. Anonymous Coward
    Anonymous Coward

    Re. policies et al - just realized something..

    If I read the PA Consulting website "defence" section right, PA must be a cleared company (i.e. List X, although that apparently no longer exists). That suggests annual audits.

    The longer I look at this the more it starts looking like a one person cock-up, which is almost impossible to defend against (as evidence that rules don't stop problems, do a bit of digging for the "Kofi Annan bugging scandal" - tell me that lot doesn't have enough processes and rules).

    As cock-ups go, however, this one is of epic proportions. PA was already unpopular for a number of things it was doing (remember the speed camera study?) and seems not to have guarded against the impression it was very much allied with one party (given that it was doing its dirty work re ID Cards it probably would have been a waste of time to claim otherwise anyway).

    The timing is thus a classic: a party under threat, and with a history of blatant incompetence when it comes to data retention, employs a now unpopular consultancy which demonstrates a compatibility in the area of data loss. Result: it has gone political at warp speed, with a government keen to show "it wasn't me" (for a change), an opposition not willing to let them off that easily and both sides firing at the consultancy in the middle. Sacking the person who lost that data is not going to fix this, it'll need more important scalps before this dies down.

    It'll be an interesting week ahead, I think..

  87. John Stag

    @ should we be automatically blaming the government?

    Absolutely!

    They're the ones who could enact laws to send everybody concerned to prison for a long time whenever this happens (the person responsible and his superiors).

    The only way to deal with this problem is to make everybody completely paranoid about carrying sensitive data around on their person. This sort of data should never leave the building in any form.

    The current system is based on a bunch of greedy contractors trying to get a slice of government money at any cost. Wouldn't it be better to have people scared of taking this sort of contract unless they were damn sure of their security procedures?

  88. heystoopid
    Paris Hilton

    But then again

    But then again the way the current UK has been installing barriers for all the local peons to travel about internationally and all those security cameras being installed even in public loos, I would have thought the prison population including all on day release jobs (well someone has to earn the money to pay the wages of the blue coated armed security guards who shoot foreign guest workers on sight without any provocation or probable cause) the current prison population must be about fifty four million men, women, grannies, children and babies inclusive give or take!

  89. Destroy All Monsters Silver badge
    Paris Hilton

    Very nice, very nice....

    <---- Is this a memory stick in your pants or you just glad to see me?

    I will make this "suggested reading" in our small informatics group, including the thread. Maybe I can get past the "gallic shrugs" this time 'round.

  90. Gary Samuelson

    If you don't care -> they won't care

    If you don't care they won't care.

    Worrisome to hear the crowd grumble about something that typically results from bad policy.

  91. This post has been deleted by its author

  92. Anonymous Coward
    Anonymous Coward

    Why was the data there in the first place?

    I agree with everything said about USB sticks and portable media.

    What I don't see is why the data was in clear and complete. According to the BBC report, it was provided for a research project on tracking prisoners through the system: how much of the data was needed for that? Surely a unique identifier, age in years, sex, sentence and possibly crime committed, and risk status would be adequate?

    Equally, how secure is secure remote access?

    *If* working from home is needed, wouldn't this be a better way of authorising remote use of data than download onto any type of media, whether or not encrypted?

    You can tell I'm a GP - and not an IT consultant!

    PS what are the implications for the single shared electronic patient record being introduced under NPfIT?
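    The "view, not access" point made by Harry Stottle (and Dunstan) above, and the minimal field list in this post, sketched as a Python research extract. This is an added example, not code from the thread or from any Home Office or PA Consulting system; the field names, the sample records and the key are all constructed for illustration.

```python
"""Research extract that exposes a view of prisoner records, not the records.

Added example (not from the thread or from any real system). The field
names, sample records and key below are all constructed for illustration.
"""
import hashlib
import hmac

# Fields the research question actually needs (the list in the post above).
RESEARCH_FIELDS = ("age_years", "sex", "sentence_months", "offence", "risk_status")

# Direct identifiers that must never reach the research extract.
DIRECT_IDENTIFIERS = ("prisoner_number", "name", "date_of_birth", "home_address")


def pseudonym(prisoner_number: str, key: bytes) -> str:
    """Keyed one-way pseudonym for a prisoner number.

    HMAC-SHA256 under a key held only by the data controller: the same
    number always maps to the same pseudonym, so records can be linked
    across extracts, but without the key it cannot be reversed or
    recomputed by hashing guessed prisoner numbers.
    """
    digest = hmac.new(key, prisoner_number.encode("utf-8"), hashlib.sha256).digest()
    return digest[:12].hex()   # 96 bits: no realistic collision risk at this scale


def research_view(records, key: bytes):
    """Return the minimised, pseudonymised view of a list of full records."""
    view = []
    for rec in records:
        row = {"pid": pseudonym(rec["prisoner_number"], key)}
        for field in RESEARCH_FIELDS:
            row[field] = rec[field]
        view.append(row)
    return view


def leaks_identifiers(view) -> bool:
    """Release gate: True if any direct identifier field survived into the view."""
    return any(field in row for row in view for field in DIRECT_IDENTIFIERS)


# Constructed sample records (fictional people and values).
SAMPLE_RECORDS = [
    {"prisoner_number": "A1234AA", "name": "J. Example", "date_of_birth": "1975-03-02",
     "home_address": "1 Example Road", "age_years": 33, "sex": "M",
     "sentence_months": 48, "offence": "burglary", "risk_status": "medium"},
    {"prisoner_number": "B9876ZZ", "name": "S. Sample", "date_of_birth": "1980-11-17",
     "home_address": "2 Sample Street", "age_years": 27, "sex": "F",
     "sentence_months": 12, "offence": "fraud", "risk_status": "low"},
]

if __name__ == "__main__":
    key = b"placeholder-controller-key"   # placeholder only; a real key stays with the controller
    extract = research_view(SAMPLE_RECORDS, key)
    assert not leaks_identifiers(extract)
    for row in extract:
        print(row)
```

    The extract that leaves the building carries nothing that identifies a person on its own; the key that links pseudonyms back to prisoner numbers never does.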

  93. Anonymous Coward
    Boffin

    implications for the SSEPR being introduced under NPfIT?

    ... details regarding your most embarrassing ailments will be up for sale to the highest bidder.

  94. Anonymous Coward
    Joke

    To be honest I don't see what the fuss is about.

    Memory sticks are like Bic Biros. They fall into a separate ether from which there is no return, unencrypted or not they are probably far more secure than having an encrypted stick in a known location. Until we've got some way of crossing dimensions there's not going to be a problem.

    Mine's the one with the Tardis Key in the pocket.

  95. Anonymous Coward
    Coat

    oh goody :)

    Does that now mean all the prisons are now empty???

    So they can start banging up all those chavs n other undesirables still loose on the streets.

    Hey maybe they could impose new jail sentences, I sentence you to 20 years imprisonment on USB stick... (for the worst offenders).

    We can but wish I suppose ;p

    Mine's the one with the pockets full of lags on a stick... which I'm gonna delete as soon as I get home...

  96. James Pickett
    Alert

    Icebergs - tips of

    It occurs to me that we only get to hear about the losses that have been confessed. If I lost a memory stick/CD/laptop with sensitive data, but still had access to the original files, I'd replace the device PDQ and keep my head down, so presumably this has only come to light because the stick's former owner can't reproduce the information easily.

    One thing this incident will help to ensure is the keeping of extra unofficial copies of everything!

  97. John Dougald McCallum
    Stop

    @Peter Gathercole

    " Disable the USB storage device handling drivers in all systems that can access private data to prevent non-tracked USB flash drives being used (I know this is difficult, but it should not be impossible, even if it means you have to put PS/2 keyboard and mouse ports back into PCs"

    Why have "USB" or "PS/2" ports at all? I personally do not see the need for them on data processing computer terminals. Have the keyboards hard wired: keyboard goes down, replace the lot. Or use a DIN socket; these can be made with as many pins as are needed, some of which need not even be live.

    Anything wrong in this approach?

  98. Goat Jam
    Paris Hilton

    What?

    Was it an Access database or something?

  99. Anonymous Coward
    Coat

    Well...

    @John Lettice - You could have at least put it in ironic "quotes" to point out how silly the Home Office are,

    and

    @AC - Yes, I probably am a bit anal.
