Blundering London council emails unredacted version of notorious Gangs Matrix to 44 people. Data ends up on Snapchat

Newham Council has been fined £145,000 after an employee sent out a mass email containing an unredacted version of the police database that ranks people's likelihood of gang-related violence. According to the UK's data protection watchdog, some 203 individuals' personal data was shared with 44 people, and screenshots of the …

  1. Anonymous Coward

    They knew who sent the e-mail - Were they sacked?

    From my personal experience if staff steal a couple of A4 notepads it'll be taken more seriously than breaches of this from a disciplinary perspective.

    It doesn't matter if the employer didn't have specific guidance on this document, we don't put signs up everywhere detailing what staff shouldn't break or steal. There's a need for common sense to start applying when it comes to information security across the board. People have to start feeling repercussions of their actions.

    I am absolutely not letting the council off the hook here, but part of the problem I face daily is the lack of acceptance by staff and management that people should be held responsible for their actions and when it comes to personal information it should be taken very seriously.

    1. LucreLout

      Re: They knew who sent the e-mail - Were they sacked?

      part of the problem I face daily is the lack of acceptance by staff and management that people should be held responsible for their actions and when it comes to personal information it should be taken very seriously

      Yes, this is absolutely the core of the problem. I don't buy services from Talk Talk because I simply don't trust them after their leaks and woeful attitude of their board & CEO in the aftermath. If others choose to use them, that is their business.

      We, however, have no such choice in the public sector - we have to have public healthcare via the NHS, policing via, well, the police, and passports from the passport office etc etc. It's a monopoly provision. Given that, we can't decline to have our data processed by these organisations and continue to enjoy provision of the services they exist to supply. It is for that reason that when data is leaked in this manner, careers must end: there's nothing else that will force them to take privacy and data security seriously.

      You've hit the nail square on the head when you suggest that theft from the stationery cupboard will be treated more harshly than spaffing our data up the wall like a half baked CEO.

      1. phuzz Silver badge
        Unhappy

        Re: They knew who sent the e-mail - Were they sacked?

        "we have to have public healthcare via the NHS, policing via, well, the police, and passports from the passport office etc etc. It's a monopoly provision"

        Well privatisation is all the rage these days, so if you're really lucky some of these services in your local area will be taken over by Capita.

        I bet you can't wait.

      2. Anonymous Coward

        spaffing?

        I'm not British - what is this 'spaffing'?

        I know your former Foreign Secretary does it but any attempt I make at guessing what it might be harms my imagination and I'm at work so I'm not going to google it in case my worst fears are realised graphically.

    2. Anonymous Coward

      Re: They knew who sent the e-mail - Were they sacked?

      The staff member can always claim, if they haven't, they were never given training on data protection. This is the problem with local government. Sometimes the person at the bottom of the chain is innocent and under pressure from shit management. Shit management that are being forced to push through practices that aren't best practice. Some of these are yes people and just want to keep their job. We'd all like to stand up and say no, but when stuck with a mortgage, the difficulty of getting a new job and pressure, you can somewhat understand why said people act the way they do. Doesn't make it right though.

      "Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe."

      I have no doubt they'll be in PR mode attempting to cover it up. The amount you read in Private Eye in the Rotten Boroughs section is shocking.

      Councillors should also be probed in this as, despite it being against electoral law, and a breach of the Councillor Code of Conduct, you'll still get some trying to force their views of "how to do things" and what to do with "reports". When in fact they aren't allowed to interfere directly with how a council or council officer does their job, but some still do.

      1. Anonymous Coward

        Re: They knew who sent the e-mail - Were they sacked?

        I've sat on disciplinary panels where staff have claimed "But I wasn't trained on information governance and protection". It's a legitimate defense too.

        But IG training is mandated these days by pretty much every employer so the issue becomes "why didn't you undertake your MANDATORY training?" the defense then shifts to "I wasn't given time"

        At which point you can pull out the hours they spent looking at holiday websites outwith break periods.

        1. Doctor Syntax Silver badge

          Re: They knew who sent the e-mail - Were they sacked?

          The best way to sort that one out would be that they have mandatory training, tested and get a certificate to prove it. Without the certificate they don't get anywhere near sensitive data and anyone who tries to force them to do so is committing a disciplinary offence and gets their certificate revoked. Needless to say anyone who then does something stupid like this also gets their certificate revoked. If there aren't any posts that don't require certification, tough.

          In the public sector, of course, there's an alternative: misfeasance in public office. We need ICO enabled to prosecute for that.

          1. low_resolution_foxxes

            Re: They knew who sent the e-mail - Were they sacked?

            The average person barely understands legal and regulatory standards. I consider myself a technical academic and frankly there are a myriad of regulations that I barely comprehend myself (perhaps being semi-aware is more confusing than unaware?).

            I always try to imagine the council worker is my gran in this situation. My gran can barely operate her VHS recorder, why would you think she'll a) read an e-mail and understand the legal ramifications in their entirety (as a lawyer would), b) have the technical capacity to be 100% certain the document you're sending isn't confidential, c) is 100% capable of knowing the difference between "To:" "Cc:" and "Bcc:".

            In that situation - I recommend a big red text at the top making it clear to junior colleagues what the context is upfront. That way if they ignore the capslock red text warning "CONFIDENTIAL - DO NOT FORWARD. ASK FOR MANAGERIAL ADVICE AND USE THE BCc FUNCTION" and still fuck it up, no excuses, frankly someone needs to be fired (or for really terrible public sector workers, a quiet career change to become a trade union rep).

            My personal favourite is the spoon at work who continually sent out confidential Word documents with the full tracked change history visible (or even funnier, when he tried to hide confidential figures by hiding it behind a white 'text box').

      2. GnuTzu

        Re: They knew who sent the e-mail - Were they sacked? -- Outlook

        Agreed, but insert here the discussion about how email programs could have better highlighting and prompts to warn when an email might be going to the wrong people. Of course, that won't get it 100%, and training and policy enforcement are necessary, but email programs need improvements too.

        Of course, if your email program comes from a monopoly (at least in the business software market where software needs to fully support policy compliance), then you may find it hard to sack the software. Why else have the oh so obvious improvements come so slowly?

        1. low_resolution_foxxes

          Re: They knew who sent the e-mail - Were they sacked? -- Outlook

          That's a good point. It does not seem that implausible to get Outlook to have a data security mode that scans the e-mail addresses, when more than 2 people from external agencies are receiving a file having a popup to point out the bcc field has not been used - check it does not include sensitive personal info - then press confirm.

          It'll be just like software license agreements - many will ignore it anyway, but at least you have active and unavoidable control systems that must be intentionally ignored.

      3. Doctor Syntax Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        "When in fact they aren't allowed to interfere directly with how a council or council officer does their job, but some still do."

        As an elector I'd like to think that overseeing council officers was what councillors were for. That way my vote might have some effect. As ever, British public life gets things arse about face.

        1. This post has been deleted by its author

        2. Mike Pellatt

          Re: They knew who sent the e-mail - Were they sacked?

          There's a difference between overseeing and trying to directly influence.

          A world of difference.

          If you can't see that, you're as bad as what seems to be 90% of our local councillors. I know of what I speak, having been one once.

          It's also those (apparent) 90% who ensure that morale and service quality in our local government remain appalling.

          British public life absolutely gets it right in principle. The elected body sets policy, and ensures that the resources are available to deliver it, the paid staff implement it. Of course, in local government that all falls apart thanks to the responsibility/authority mismatch enforced on LG by Westminster - all of the responsibility to deliver delegated, none of the authority to ensure adequate resourcing delegated.

      4. Alan Brown Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        Shit management - who will actively cover things up when they realise they've fucked up and then when the inevitable is unavoidable will do everything they can to push the blame to flunkies.

        The fines aren't nearly large enough and there aren't elements of personal accountability for management to drive the point home.

    3. jmch Silver badge

      Re: They knew who sent the e-mail - Were they sacked?

      £145k fine.... to be paid by taxpayers either directly or in reduced services.

      Unless there is personal responsibility (ie people personally fined or fired), these sorts of things will continue

      1. MachDiamond Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        "£145k fine.... to be paid by taxpayers either directly or in reduced services."

        That's what always baffles me. How can one department of government fine another department of government? Obviously, if the money is deducted from somewhere, they can't meet payroll or do the things that money was budgeted for and where does the money from the fine go? Lobster dinners for some other mob? Is it re-allocated to MOD?

        It's better to sack the bonehead and the person that hired them and then get everybody else properly trained and the software fixed. There has to be a gateway setting that can prohibit or limit recipients on an email or just put those messages on hold until somebody higher up hits the "ok" button the same way they do at large market's cash registers. If that forces somebody to send messages out one at a time, maybe they won't be so keen to hit "reply all" and limit where the message is going.

        1. jmch Silver badge

          Re: They knew who sent the e-mail - Were they sacked?

          "There has to be a gateway setting that can prohibit or limit recipients on an email or just put those messages on hold until somebody higher up hits the "ok" button..."

          Also, some gateway setting that delays emails sent (to all recipients or only those out of the organisation) by a couple of minutes, giving time to recall if it is caught in time. Won't be foolproof but at least can save some 'butterfingers' or 'temporary brainfart' moments
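
The gateway checks suggested in the comments above (low_resolution_foxxes's Bcc prompt, MachDiamond's hold for approval, jmch's send delay), sketched as an added example that is not part of the thread or of any mail product. The domain `council.example`, the function names, the subject markers and the sample messages are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"council.example"}  # assumption: the sending organisation's domain
MAX_VISIBLE_EXTERNAL = 2                # "more than 2 people from external agencies"
RECALL_DELAY_SECONDS = 120              # "a couple of minutes"
MARKERS = ("CONFIDENTIAL", "DO NOT FORWARD")  # the banner text proposed in the thread


def is_external(address):
    """True when the address's domain is not one of ours."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def visible_external(msg):
    """External addresses that every recipient can read (To and Cc headers)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr and is_external(addr)})


def has_attachment(msg):
    """True when any MIME part is marked as an attachment."""
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def evaluate(msg, envelope_rcpts):
    """Return the gateway decision for one outbound message.

    envelope_rcpts is the SMTP recipient list; it includes Bcc recipients,
    which do not appear in the To/Cc headers.
    """
    exposed = visible_external(msg)
    any_external = any(is_external(r) for r in envelope_rcpts)
    subject = str(msg.get("Subject", "")).upper()
    reasons = []
    if has_attachment(msg) and len(exposed) > MAX_VISIBLE_EXTERNAL:
        reasons.append(
            f"attachment visible to {len(exposed)} external addresses in To/Cc; Bcc not used"
        )
    if any_external and any(marker in subject for marker in MARKERS):
        reasons.append("subject carries a confidentiality marker and a recipient is external")
    if reasons:
        # Held until an approver releases it, like a till override.
        return {"action": "hold", "delay": None, "reasons": reasons}
    if any_external:
        # Nothing suspicious, but leave a window in which the sender can recall it.
        return {"action": "delay", "delay": RECALL_DELAY_SECONDS,
                "reasons": ["external recipient: recall window applies"]}
    return {"action": "send", "delay": 0, "reasons": []}


def sample(to, cc=(), subject="List for partner agencies", attach=True):
    """Build a constructed test message; no real data is involved."""
    msg = EmailMessage()
    msg["From"] = "officer@council.example"
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content("Please pass on to your team.")
    if attach:
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename="list.xlsx")
    return msg


EXTERNAL = ["a@agency-one.example", "b@agency-two.example", "c@agency-three.example"]

if __name__ == "__main__":
    cases = {
        "three external in To, attachment": (sample(EXTERNAL), EXTERNAL),
        "same recipients moved to Bcc": (sample(["officer@council.example"]),
                                         ["officer@council.example"] + EXTERNAL),
        "internal only": (sample(["team@council.example"]), ["team@council.example"]),
    }
    for label, (message, rcpts) in cases.items():
        print(label, "->", evaluate(message, rcpts))
```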

      2. Sam Haine

        Dock their pay.

        Docking a percentage of the pay of all the individuals responsible (all the way up the corporate hierarchy) would help to concentrate the minds of those who need to learn and save the Local Authority money. Win/win!

    4. Mark 85

      Re: They knew who sent the e-mail - Were they sacked?

      I'm not sure that the person who sent the e-mails is the problem here. The problem that needs to be looked at is "who released it to Snapchat?". Governments, businesses, etc. send confidential e-mails all the time. The issue that's been overlooked is who violated the standard of trust and released it publicly.

      1. Doctor Syntax Silver badge

        Re: They knew who sent the e-mail - Were they sacked?

        I'm not sure that the person who sent the e-mails is the problem here. The problem that needs to be looked at is "who released it to Snapchat?".

        Both were part of the problem.

    5. adnim

      Re: They knew who sent the e-mail - Were they sacked?

      Or at least disciplined, educated then suspended.

      Why fine the police? It's the tax payer funding this fine ffs!

    6. The Nazz

      Re: They knew who sent the e-mail - Were they sacked?

      A paltry £145,000?

      No doubt the Chief Executive could pay that out of their salary (not to mention other remuneration eg pension) and still live a comfortable life.

      In other articles on here, ie HPE/Autonomy, the overwhelming sentiment appears to be that Apotheker, as CEO, was responsible for everything, including a detailed knowledge of UK published accounts and accounting standards.

      Applying the same logic, why isn't the Chief Executive of the Council being dismissed, together with the head of IT? As with our LA, they take the large rewards yet never accept responsibility.

  2. }{amis}{
    FAIL

    Does it count as a database?

    Given there appears to be no security or central control I'm betting that this "Database" is an excel spreadsheet or maybe Access at best.

    As far as I am concerned all copies of this disaster should be destroyed for its blatant violation of data protection controls, how the hell can it comply with the requirements for accuracy and proportionality when the police clearly don't even know who has a copy?

    I am sure there is plenty of relevant data on proven violent individuals but I'm also willing to bet that the bulk of the people on there just happened to be in the wrong place at the wrong time.

    You can just see the wrecking of the lives of innocent people. They go to work in an environment that requires record checks and only then finding out a copy of this $%1t was uploaded and they are blocked from a job because of the awful crime of wearing a hoodie after dark.

    Am I the only one that thinks the home office is being run by Constable Savage?

    1. Arthur the cat Silver badge
      Devil

      Re: Does it count as a database?

      Am I the only one that thinks the home office is being run by Constable Savage?

      At least he managed to nick someone rather than running interminable initiatives.

    2. Anonymous Coward

      Re: Does it count as a database?

      "having simply forwarded the email they received from the Met police"

      Well, there's the initial problem. Sending (Sensitive) Personal Data *by email* (and I really would be most surprised and impressed if it were actually an encrypted email) to the council in the first place?

    3. Anonymous Coward

      Re: Does it count as a database?

      All valid points and, in addition, the Met appear to have sent the original + redacted versions over standard email - so unencrypted and insecure. This should also result in the Met getting a fine.

    4. teebie
      Joke

      Re: Does it count as a database?

      'I'm betting that this "Database" is an excel spreadsheet or maybe Access at best.'

      Preposterous. You show me where in the dictionary it says a database can't be a bunch of etch-a-sketches on a shelf.

      1. Yet Another Anonymous coward Silver badge

        Re: Does it count as a database?

        I think the technical term for a list of names, home address, aliases of a bunch of gang members sent out to other gangs is a death list.

        The police probably see it as a solution rather than a problem

        1. MachDiamond Silver badge

          Re: Does it count as a database?

          "The police probably see it as a solution rather than a problem"

          Plausible deniability. That's the government way. Why else do all of those laptops get stolen loaded with sensitive information by a gov worker that left said laptop on the car seat while they popped into church on the way home. A fictitious worker is sacked for being naughty and the information on the laptop can be used in ways that wouldn't have been permitted. They can use a name of somebody that was sacked in the proper time frame, there has to be 2 or 3 government workers that are sacked each year if not 6 or 7. That way if anybody digs they will find a sacked employee with the name given. I guess it doesn't have to be too close to when the laptop was stolen. Most cases like that the employee is put on leave (paid or unpaid) while the matter is being "investigated".

  3. fnusnu

    More taxpayers' money making an internal transfer inside government.

    This is utter incompetence and someone needs to be sacked.

    1. }{amis}{
      Unhappy

      This is utter incompetence and someone needs to be sacked.

      There are many hands over this one that's why nobody ever gets fired from the civil service, the first rule is always to spread any responsibility as far as possible so no one person can be pinned for their incompetence.

    2. Anonymous Coward

      > This is utter incompetence and someone needs to be sacked.

      "Here's the list that John asked me to send to you. Please pass on to your anti-gangs team".

      This arrives in your shared mailbox. John is not in the office at that moment. What do you do?

      No mention of the sensitivity of the information. No mention of the difference between the two versions. No encryption with password being sent by a second channel; no warning flags as to how sensitive the data is. Nothing to give the person who received it any warning that it was anything other than the hundreds of run of the mill emails received every day.

      But it must be okay, because you know that you have a secure means for transferring sensitive information with the Police and if that isn't being used then it's okay, isn't it?

      1. fnusnu

        The Information Commissioner's Office said it was "unnecessary, unfair and excessive" to share the unredacted version with so many people and that the risks "should have been obvious".

  4. cbars Bronze badge

    Thanks for the explanation

    "The unredacted version contained data that wasn’t in a redacted version"

    1. Justin Case
      Facepalm

      Re: Thanks for the explanation

      Loving the quality of the journalism here - I am feeling better educated with every word I read.

      1. amanfromMars 1 Silver badge

        Thanks for the explanation .... but be aware of the possibility of unintended consequences

        Loving the quality of the journalism here - I am feeling better educated with every word I read. ..... Justin Case

        A note of caution for those fed on paranoia and drinking of the KoolAid of hubris, and a timely word to El Regers? .......

        “The most dangerous man to any government is the man who is able to think things out for himself, without regard to the prevailing superstitions and taboos. Almost inevitably he comes to the conclusion that the government he lives under is dishonest, insane and intolerable, and so, if he is romantic, he tries to change it. And even if he is not romantic personally he is very apt to spread discontent among those who are.” …… H.L. Mencken

        1. Cliff Thorburn

          Re: Thanks for the explanation .... but be aware of the possibility of unintended consequences

          “The most dangerous man to any government is the man who is able to think things out for himself, without regard to the prevailing superstitions and taboos. Almost inevitably he comes to the conclusion that the government he lives under is dishonest, insane and intolerable, and so, if he is romantic, he tries to change it. And even if he is not romantic personally he is very apt to spread discontent among those who are.” …… H.L. Mencken

          And why would an individual's mindset change to such?, no smoke without fire perhaps?

          I mean it's not as though any sophisticated Western Country would embark on such frivolous activities such as psychological torture, abuse, and intentional infliction of emotional distress on one of its citizens surely?, perhaps even worse, unlawful human experimentation?, or genetic modification?, the list goes on.

          Of course such activities would only happen elsewhere, right?

          1. amanfromMars 1 Silver badge

            Is it still too much of a Quantum Leap for many currently? Oh well ... Onward for a Few then

            And why would an individual's mindset change to such ....[to be able to think things out for oneself, without regard to the prevailing superstitions and taboos.]? ......... Cliff Thorburn

            Natural human progression? Alien Advancement? Virtual Machine Programming Rethink?

            And that's only three very likely positive, possible reasons, CT, with all of them having an extraordinarily high probability of being a universal default improvement for a greater mutually beneficial and exciting co-existence with other elements in fundamental components ....... aka media hosted realities.

            Anything lesser has one surely trapped and tricked/captured and conned into servering a feudal lauded federal system stuck in the past? And one would have to be surely mad to think that acceptable in any day and age or place and space.

            1. amanfromMars 1 Silver badge

              AIMadness Outed in Systems Abusing You

              Is that the stock undereducated human condition in failed and rapidly failing exclusive elite executive office SCADA systems of administration .... Arrogant Ignorant Madness with petrifying self destructive bouts of hubris highlighting myriad series of psychotic episodes?

              1. Cliff Thorburn

                Re: AIMadness Outed in Systems Abusing You

                It certainly does nothing to support the perpetual ‘well being’ of either the behaviour or mindset of an individual so overwhelmingly promoted by face values, but demonstrates nothing other than sheer rampant frustrations of such failed Scada systems and crossover conflict-ions in both Live Operational Virtual Environments.

                Garbage instructions in = Garbage Results out.

            2. Cliff Thorburn

              Re: Is it still too much of a Quantum Leap for many currently? Oh well ... Onward for a Few then

              “Anything lesser has one surely trapped and tricked/captured and conned into servering a feudal lauded federal system stuck in the past? And one would have to be surely mad to think that acceptable in any day and age or place and space.”

              And one would completely agree with such amFM, however like the dog chasing its tail, it would of course help if such media presentations would present such solution rather than repeatedly bleat such nonsense as ‘You ran’ would it not?, which of course is, as such with all presentations thus far simply being a pre fabricated regurgitation of lies if it did not align correctly with the program?

              1. amanfromMars 1 Silver badge

                Checkpoint Charlie ..... For More than a Walk on the Wild Side.

                Fortunately, CT, there is always at least this one systemic easily exploitable vulnerability full of crazily available opportunities which just keep on giving ........

                Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. .... Albert Einstein

                Can you believe that is what makes everything so simple for some, who may or may not be just a chosen few, to do everything they want to without anyone ever knowing how very easily everything is done.

                Is it any wonder that simply complex plain texted information on and in novel out of this world developments, and suitably beyond corruptive command and subversive perverse control, is so absolutely terrifying to failed intelligence operations. And what sort of an answer to such is an ineffective knee jerk reaction which delivers the white feather defence of fight or flight or FUD rather than a SMARTR Engaged AI Deployment and Remote Virtual Employment well worthy of the preeners of three feathers.? :-)

    2. Andre Carneiro

      Re: Thanks for the explanation

      Beat me to it... ;)

    3. mark 120

      Re: Thanks for the explanation

      I took that to mean that it contained additional rows or columns, i.e. someone had added further information to that version and not replicated it in the original.

  5. Chris G

    I am not sure that the Met should even be sending an unredacted version to the council in the first place. Why would the council need all of that info?

    The 'Savage' approach to policing is bad enough but allowing council clerks access is not responsible, having worked in and with a couple of councils I don't trust them with any of my data.

    Not surprised Newham has cocked up, Cockups R us could be on the borough coat of arms.

    1. Anonymous Coward

      Revs and Bens would like such info along with any internal Housing department. After all, you don't want "gang" members in your social housing as you know they'll probably never pay the rent.

      1. Anonymous Coward

        They may pay the rent. Crack houses are quite profitable, why cause unnecessary problems?

        1. Anonymous Coward

          Because most are stupid and don't. You'd think they'd learn not to draw attention to themselves. Others just use cuckooing.

    2. MachDiamond Silver badge

      Is it a policy to send redacted versions with obvious redaction such as blacked out information, headers, etc? Does an un-redacted sensitive document have "un-redacted, sensitive" label on the top? It's not always obvious what might be considered sensitive. The police would know better than some local council members in their first term. If you get a document with a load of recipients or CC's, you might not think that keeping mum is in order.

      I do agree that the council probably didn't need to see the document. They may have only needed to know that it exists, the type of information that it contains and that it can be viewed at the police station or by special application.

  6. Anonymous Coward

    Fining a council?

    That's almost in the same league of stupidity as fining the NHS or a local health trust for a medical mishap. If you fine a council, the people who pay that fine in the end are the residents, not the people responsible for the breach. If there were personal liability at the top of the hierarchy, just as there is in the case of software piracy in a company where the directors are personally liable, then I think you'll find these sorts of things will happen much less.

  7. Doctor Syntax Silver badge

    It's difficult to know what to do when confronted with incompetence of this nature. It's not just the initial breach that's the problem. It's also the attitude that the council decided they could deal with it as an internal matter. Either they didn't know about the GDPR provisions about reporting or simply decided they were too important for that. I'd like to think there was a mechanism for placing them under some sort of adult supervision but where would one find suitable adults? Certainly not in central government.

    1. Doctor Syntax Silver badge

      One possible solution occurs to me. A couple of decades ago I had a gig working with material which had similar sensitivity. I and everyone else had to have clearance to S/C. Shouldn't council staff with this exposure also need clearance?

      If anything the need should be greater than in my gig as the whole of the database is going to be local to the area from which council staff are likely to be recruited. Without clearance there's an unacceptable probability that a data subject might be known or even related to one of the staff.

      A failure like this should then result in the entire command chain losing their clearance and having to be redeployed within the council if they were even able to retain their jobs. This would result in greater awareness of all those involved about their responsibilities and what actions would be permissible.

  8. andy gibson

    How did the gangs get the information?

    From what I can see in the article, data went out, but to relevant responsible people tackling gang problems.

    So how did it end up in the hands of rival gangs on Snapchat?

    Yes, the council employee is wrong for sending the data in the first place. But isn't one of the recipients guilty of re-sharing here?

    1. Chris G

      Re: How did the gangs get the information?

      Once a document gets into a council office, the world, his missus, snot nosed kids and his dog have access, council clerks are locals and are as likely to know some of the 'naughty' boys as anyone else. I have also seen desk tops left on all night to save firing up in the morning so the cleaners or anyone else in there at night could have access.

      The best security in a local council is when there is a meeting in the chambers, nobody gets to know what is discussed there.

  9. Anonymous Coward

    Newham Council haven't been fined £145k, Newham council rate payers have been fined £145k through no fault of their own. This is not holding those responsible to account and punishing them appropriately.

  10. Anonymous Coward

    Hopefully a few of the gangs will now dispose of their enemies

    See the leak as an aid to garbage disposal, and a public service

    1. Anonymous Coward

      Re: Hopefully a few of the gangs will now dispose of their enemies

      It rarely works as you would like - key people are removed and then the two gangs become one larger, more powerful unit as they tend to control a larger area for their favored trades.

      1. Korev Silver badge
        Coat

        Re: Hopefully a few of the gangs will now dispose of their enemies

        It almost sounds like the way corporate mergers and acquisitions happen; or Murders and Executions as Patrick Bateman would say...

      2. Alan Brown Silver badge

        Re: Hopefully a few of the gangs will now dispose of their enemies

        "key people are removed and then the two gangs become one larger, more powerful unit"

        There _are_ ways to take the wind out of gangs. The prime reason they exist with the power and danger they do isn't "cred", it's _money_ - specifically the insane profitability associated with drugs(*) and trading in stolen goods to pay for them.

        (*) A medically pure knockout dose of heroin or cocaine is less than a pound. It's a hell of a lot more on the street and cut with "godknowswhat". Every pence of the difference is why you have gang wars.

    2. Anonymous Coward
      Anonymous Coward

      Re: Hopefully a few of the gangs will now dispose of their enemies

      Might be worth remembering that the "enemies" of these gangs - as seen by the gangs - just might not actually be members of other gangs. And even if they are, their murder, as you are apparently "hopeful" of, might be disproportionate. And even then, more murder - even of supposedly worthless gang members - is unlikely to make a positive contribution to the wider public interest. Especially if the "winners" of such a gang war are the most ruthless, violent, and best armed of the lot.

  11. Anonymous Coward
    Anonymous Coward

    The council probably will say that lessons have been learnt or something like that.

    1. Anonymous Coward
      Anonymous Coward

      Only to be forgotten a few weeks later so the lesson will be learnt again the next time it happens.

      :/

  12. zaax

    One of the problems is pay; if you pay peanuts you get monkeys

    1. Anonymous Coward
      Anonymous Coward

      Yes. But unfortunately increasing the pay doesn't solve the problem, as you already have the monkeys installed.

      You turn them into better paid monkeys.

      1. Ommerson

        Councils face a real problem when it comes to employing competent - and particularly experienced - IT staff and developers. There's a skills shortage industry-wide, and when you're one of the lower payers, and perceived to be neither competent, nor an exciting place to work, the result is never likely to be great.

        The government's clampdown on IR35 in the public sector has made this much, much worse as this is how the skills gap used to be filled in many a council.

        Councillors rarely have any insight or experience here either. It's hard to imagine them coming to the conclusion that they need to employ more competent people and pay them more in these roles when they're simultaneously contending with year-on-year budget cuts.

        Under GDPR there is now individual responsibility and culpability for the data protection officer. Who on earth would do this job?

  13. Anonymous Coward
    Anonymous Coward

    Weasel Words, Nothing Will Change

    Others on here are making the same point, but it bears being made until it's heard and acted on:

    "Newham Council has been fined £145,000" gives the distinct impression that guilty parties working for or elected to the council are in some way being penalised.

    They are not, though they should be.

    Until those responsible are punished in person, nothing will ever change.

    By responsible, I mean all of those formulating and enforcing inadequate security policy and those who make the individual screw-ups.

    Feel free to suggest cruel and unusual punishments here, we might as well enjoy the fantasy. I don't expect to see effective measures in my lifetime.

  14. adam payne

    However, in this case, a staffer within Newham shared both versions, having simply forwarded the email they received from the Met police with the January version of Newham Matrix.

    This person has since been retrained.

    Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe.

    Internal review found nothing, doesn't surprise me.

    Cue the usual statement, we take privacy seriously blah blah blah, lessons have been learnt blah blah blah.

    1. Alan Brown Silver badge

      "Moreover, the council didn't report the breach to the ICO, it waited until December 2017 to launch its own internal investigation, and then failed to produce a final report of the probe."

      In some countries, covering up like that results in a multiplier of the fine being applied - and the decision to cover up _IS_ criminal misfeasance.

      Of course getting the Met to accept a criminal complaint is impossible because then they'd have to admit culpability too.

  15. Reality_Cheque

    ICO gets 145k. Victims get nothing.

    We have seen breach after breach of privacy by phone companies, councils, and other organisations. The ICO gets richer, and the victims get nothing.

    In this particular case, I can live with it. A gang member doesn't deserve anything even if his privacy has been breached, but in almost every other case the victims deserve compensation yet receive none at all.

    If data is negligently shared then each victim should receive £20 as a MINIMUM as an apology. It's not much, but it will encourage companies to not keep too much data in the same place, don't you think?

    1. Snowy Silver badge
      Thumb Up

      Re: ICO gets 145k. Victims get nothing.

      Considering the fine was £145,000 for sharing 203 people's private information maybe £714+ might be a better figure if you're going to compensate the victims?

      1. JassMan

        Re: ICO gets 145k. Victims get nothing. @Snowy

        Nice idea as a general rule but in this case most of the victims by definition are violent criminals. Paying them 700+ each would allow them to go out and buy better guns and knives or higher quality drugs to sell on at higher profit margins.

    2. Anonymous Coward
      Anonymous Coward

      Re: ICO gets 145k. Victims get nothing.

      "A gang member doesn't deserve anything even if his privacy has been breached"

      What? Some person, without any judicial process being followed other than a copper's 'through my judgement and experience' that a certain person is a 'gang member' spaffs their personal details to rival gang members, there's a murder of one of them, and they don't deserve any recompense if it turns out the council was responsible?

      Are you a complete idiot or something? Do you read the Daily Express? Is your brain broken in some way that excludes a sense of compassion?

  16. Jamie Jones Silver badge
    Facepalm

    Doh!

    At first I thought "why would they send this to a bunch of youth offenders.. redacted or not?"

    Then I realised that's probably not what "Youth Offending Team" actually means...

    1. JassMan

      Re: Doh!

      Yes. You forgot we live in a land where we have "Police and Crime" commissioners. I always thought criminals were pretty good at commissioning their own crimes without help from officials. A job title with conflict of interest built in!

  17. itbod

    Reminds me of a blog article from 2015 about the Sony hack

    https://veoci.com/blog/sony-hack Sony Hack Lesson - Sensitive Content, Get out of Email, FAST.

  18. Anonymous Coward
    Anonymous Coward

    Gov Workers /No Expertise required

    Unencrypted, and through email?

    We're talking about an excel sheet here not an actual DB...

    This is what you get when you hire Glorified Clerks instead of Data Personnel with IT/IM Training.

    1. Doctor Syntax Silver badge

      Re: Gov Workers /No Expertise required

      Glorified?

    2. Ommerson

      Re: Gov Workers /No Expertise required

      A reliable assumption in local government: Anybody without a professional qualification (e.g. borough solicitor, surveyor, planning officer) is incompetent. Those with a professional qualification may be too - particularly if that skill could be used elsewhere more profitably.

  19. Anonymous Coward
    Anonymous Coward

    I found something similar here in the US

    I found an insecure database of high-risk offenders while just casually surfing the web:

    https://www.congress.gov/members

  20. Anonymous Coward
    Anonymous Coward

    Now, if only someone could propose sending the council CEO to prison for these offences

    In the same way as is being suggested for leaders of tech companies.

    1. MachDiamond Silver badge

      Re: Now, if only someone could propose sending the council CEO to prison for these offences

      I think that the best you might get is dismissal and a ban from government employment for several years. For the really naughty, loss of pension standing.

      The Thieves Code won't allow passing laws with harsh penalties on politicians by another mob of politicians. It smacks too much of cannibalism and why would they pass laws that might put them in prison themselves at some point?

      1. Anonymous Coward
        Anonymous Coward

        Re: Now, if only someone could propose sending the council CEO to prison for these offences

        Like lawyers and the police, they close ranks when one of their own is under attack.

  21. Anonymous Coward
    Anonymous Coward

    And the unsatisfactory outcome

    Is thanks to yet more <expletive deleted> incompetence by BRITISH politicians.

    You're welcome :(

  22. Anonymous IV
    Joke

    Grossly negligent

    If Newham Council were grossly negligent, surely they should have been fined £144k not £145k?

    (Asking for a gang member.)

    (Oops...)

  23. TheTick

    "Newham Council"

    Say no more friend. Say no more...

  24. Anonymous Coward
    Anonymous Coward

    Redaction lite

    More than once, I've been tasked to publish a "redacted" PDF document on the web.

    The authors had employed the "lite" version of redaction: black boxes over existing text.

    However, when printed or highlighted with the cursor, the entire text was exposed.

    Many people understand privacy, just not how to achieve it.
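
The failure described in the "Redaction lite" comment above, shown as a pre-publication check (an added example, not part of the original thread or any commenter's code): it reads a PDF page content stream and reports strings that are still present underneath a filled rectangle. It assumes an already-decompressed stream that uses only `BT`/`Td`/`Tj` for text and `re` plus a fill operator for boxes, with no coordinate transforms; the function names and sample streams are constructed for illustration.

```python
import re

# Simplified tokenizer: literal strings without nested parentheses, or bare tokens.
TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|[^\s()]+")
NUMBER = re.compile(r"[+-]?(\d+\.?\d*|\.\d+)$")

def parse_stream(stream):
    """Return (texts, boxes): texts are (x, y, string), boxes are filled (x, y, w, h)."""
    texts, boxes, pending, operands = [], [], [], []
    x = y = 0.0
    for tok in TOKEN.findall(stream):
        if tok[0] in "(/" or NUMBER.match(tok):
            operands.append(tok)          # operand: string, name or number
            continue
        if tok == "BT":                   # begin text object: position resets
            x = y = 0.0
        elif tok == "Td":                 # move text position by (tx, ty)
            x += float(operands[-2])
            y += float(operands[-1])
        elif tok == "Tj":                 # show a string at the current position
            texts.append((x, y, operands[-1][1:-1]))
        elif tok == "re":                 # append rectangle x y w h to the path
            pending.append(tuple(float(v) for v in operands[-4:]))
        elif tok in ("f", "F", "f*", "B", "B*"):   # path is filled
            boxes.extend(pending)
            pending = []
        elif tok in ("n", "S"):           # path ended without a fill
            pending = []
        operands = []                     # every operator consumes its operands
    return texts, boxes

def text_under_boxes(stream):
    """Strings whose origin lies inside a filled rectangle: covered, not removed."""
    texts, boxes = parse_stream(stream)
    return [s for x, y, s in texts
            if any(bx <= x <= bx + w and by <= y <= by + h for bx, by, w, h in boxes)]

# Constructed sample streams (not from any real document).
COVERED = """BT /F1 12 Tf 72 700 Td (Name: Sample Person) Tj ET
BT /F1 12 Tf 72 680 Td (Status: public summary) Tj ET
0 0 0 rg 70 696 200 16 re f"""
REMOVED = """BT /F1 12 Tf 72 680 Td (Status: public summary) Tj ET
0 0 0 rg 70 696 200 16 re f"""

if __name__ == "__main__":
    print(text_under_boxes(COVERED))   # box drawn over text that is still in the file
    print(text_under_boxes(REMOVED))   # text deleted before the box was drawn
```

A non-empty result means the box is cosmetic: the text has to be deleted from the content stream (or the page flattened to an image) before publication.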

  25. gcarter

    Fine culture

    I understand that organisations / companies etc need to be held accountable for when there are breaches like this one.

    Unfortunately nowadays, it's becoming almost a cultural thing... fine the hell out of anything, everything and everyone!

    Look at all of the companies popping up to cash in on this "fine culture", PPI fines being the most notable.

  26. JSIM

    "people's likelihood of gang-related violence."

    What does this mean? Can anyone tell without being a mind reader?

    More steaming excrement hits El Reg's pages. A daily occurrence.

  27. earl grey
    Mushroom

    What I want to know

    Is who (and how many) may be on that list who aren't really members of any gang or criminal group and have just been slandered?
