Skip navigation.
Home
orawin.info
Home ยป Blog

Hey Dude - that's my data

Submitted by Niall Litchfield on Wed, 11/21/2007 - 15:40.

As everyone living in the UK should be aware there has been a serious error in data protection involving the UK Tax Authority ,  the auditor of UK Central Government as well as a private  courier firm. In summary

  • The auditor asked for a dump from the UK Child Benefit database. It's unclear whether this was a valid request or not.
  • The data was dumped and recorded onto two disks.
  • The disks were then sent through the outsourced postal operation. This should never have happened.
  • The data never arrived.
  • The disks were resent this time recorded delivery.
  • The data lost and potentially in the wild includes social security details, dates of birth, names , addresses, bank details and so on for 25 million individuals (including my family).

It seems highly likely to me that the "Junior Official" involved was a DBA, though perhaps a systems administrator was involved.

There has been, and no doubt will continue to be, a significant discussion around the appropriate procedures and technologies in use. Oracle might for example cite their Secure Backup product. The relevant junior minister last night spoke on National radio and played down concerns about our proposed national ID Card on the grounds that it was newer technology and so would not suffer the same problem.

For me though the technology is really rather irrelevant - security here is a people issue. There appear to have been a number of people failings

  • First, how does any auditor justify asking for sensitive data on CD.
  • Second, what management instructions were given to the official concerned ("co-operate with the auditors" seems to me to be the most likely)
  • Third, how does any it professional with access to sensitive data consider burning it to CD and sending it through the post.

It doesn't encourage me that the minister apparently believes both that people won't make mistakes with ID data or that it is OK to go on record as saying that the Child Benefit data is stored on an outdated and inherently insecure system. The first is certainly untrue and one would hope that the second was equally untrue.

 

 

 

»

Yeahh, that's terrible

Submitted by Gints Plivna (not verified) on Wed, 11/21/2007 - 21:40.

All security, encryption etc etc are gone with the winds with such a wonderful step. This really shows again that there isn't any cure against peoples' stupidity.
I remember a story I've heard from directly involved persons several years ago when one used floppies and network was absolute luxury. A bank sent quite sensitive encrypted data in a floppy disk from its branch to the main office. As the main person responsible for encryption was not at work others somehow managed to encrypt them but wasn't sure people on the other side would be able to decrypt. So the taken solution was absolutely brilliant, they gave to courier (worker of the bank) both floppy with encrypted data and also other disk with unencrypted data, just to be sure that data would be certainly delivered :)

»

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Post new comment

Please solve the math problem above and type in the result. e.g. for 1+1, type 2.
The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options