Monday 29 June 2009

Another day, another laptop loss...

Yesterday it was a HSE laptop with sensitive financial information on the public. (Don’t forget the HSE has form - with multiple data losses just last year - and has now shown that it has broken its promise to encrypt all laptops containing sensitive personal information.)

Today it’s the turn of Bord Gáis to lose another unencrypted laptop containing bank account and credit card details of 75,000 customers.

We’ve been banging on about this for a while, but it’s worth repeating that in light of these fiascos, a law to warn you that your data has been stolen is long overdue:

At the moment, there is no legal obligation on a body which loses your personal information to notify you. This means that individuals may be unaware that sensitive information such as medical histories or financial records has been lost. It may be, for example, that the first you learn about it is when you go to the ATM and find that your account has been emptied.

What’s being done on this front at the moment? The Minister for Justice has kicked this issue to touch for the time being, setting up a working group to consider whether mandatory reporting should be introduced - and we’ve made submissions to that group. But if you want to see action taken sooner rather than later, now would be a good time to let your TDs (firstname.surname@oireachtas.ie) and MEPs (contact details here) know that you support a right to be warned when your data has been stolen.

Perhaps most importantly, you might want to ask yourself this question - if this is what happens to your financial information, what can you expect to happen to your email and web information if the government is allowed to continue with its plans for data retention?

Monday 15 June 2009

MoD admits loss of secret files

A report said the MoD needed to improve some areas of data protection

More than 100 USB memory sticks, some containing secret information, have been lost or stolen from the Ministry of Defence since 2004, it has emerged.

The department also admitted that more than 650 laptops had been stolen over the past four years - nearly double the figure previously claimed.

The Liberal Democrats condemned the latest security breaches as evidence of "shocking incompetence".

But the MoD insisted its policies were "generally fit for purpose".

Previously the MoD had confirmed that 347 laptops were stolen between 2004 and 2007.

The MoD said it has no idea when, where or how the memory sticks were lost.

Defence Secretary Des Browne issued revised figures after "anomalies in the reporting process" were discovered.

The official total is now 658 laptops stolen, with another 89 lost. Just 32 have been recovered.


In a separate response, ministers said 121 of the department's USB memory sticks had been taken or misplaced since 2004.

Some 26 of those went this year - including three which contained information classified as "secret" and 19 which were "restricted".

BBC security correspondent Frank Gardner said the incident was "embarrassing" for the MoD as they had no idea how or when they had been lost or stolen.

Liberal Democrat MP Sarah Teather received the information after tabling a question in parliament.

Ms Teather said: "It seems that this government simply cannot be trusted with keeping sensitive information safe.

"This shows a shocking degree of incompetence."

Shadow defence secretary Liam Fox said: "To treat national security in such a cavalier fashion is unforgivable."

A Ministry of Defence spokesman said any loss of data was subject to a full inquiry and measures were being put into place to improve data protection.

This is the latest in a series of data loss incidents:

• November 2007 - Revenue and Customs officials lost the personal details of 25 million people

• June 2008 - A computer was stolen from the office of Communities Secretary Hazel Blears and files on counter-terrorism were left on a train

• January 2008 - The MoD revealed that one of its laptops - containing the details of 600,000 people - was stolen from a car

Ms Teather added: "How can they expect us to trust them to keep our personal information safe in their unnecessary and expensive ID card scheme?"

Last month the MoD was heavily criticised by a review of its data procedures which warned that basic security discipline had been forgotten and there was "little awareness" of the danger of losing information.

'Action plan'

But an MoD spokeswoman said officials were taking the situation very seriously: "Any loss of data is investigated fully.

"The recent report on data losses by Sir Edmund Burton found that MoD policies and procedures are generally fit for purpose, but also identified a number of areas where MoD needs to do better in protecting personal data.

"MoD has developed, and is now working through, an action plan to address all of the report's recommendations and bring the department's handling of personal data to an acceptable state."

Since the Burton report in June 2008 the MoD has recalled 20,000 non-encrypted laptops and is now encrypting them.

So far half have been through the process. About 2,000 are unable to be encrypted so have been taken out of service.

Source - BBC News

Wednesday 10 June 2009

New data fiasco as Home Office loses the secret records of thousands of Britain's most dangerous criminals

Secret personal details of Britain's most dangerous criminals have been lost by the Government.

The public could now face an enormous bill to protect paedophiles, rapists, drug runners and killers from vigilantes or rival gangsters.

The names, addresses, details of convictions and even jail release dates of almost 130,000 people were all in Home Office files lost when a computer memory stick went missing.


'Livid': Home Secretary Jacqui Smith with a group of special constables on Wednesday. She learned of the missing data the day before

It was being used by an employee of a private contractor working for the department.

The astonishing security blunder plunges Home Secretary Jacqui Smith, who was told of the scandal on Tuesday, into the greatest crisis of her career.

Miss Smith informed the Metropolitan Police – who are now frantically hunting for the portable data storage device – but chose not to tell the public immediately.

It took the intervention of a whistleblower for details to emerge. The delay is likely to lead to damaging questions for the Home Secretary, whose mood last night was described by aides as 'livid'.

The Office of the Information Commissioner said the data – a list of all 84,000 prisoners in England and Wales, plus details of 43,000 most serious and persistent offenders – was a 'toxic liability'.

Tory spokesman David Ruffley warned of huge costs for taxpayers if criminals sue the Home Office for breaching their privacy and the Data Protection Act.


Another blunder: The Home Office are already responsible for losing sensitive information including the details of child benefit claimants

Mr Ruffley added: 'This shambles proves this accident-prone Home Secretary hasn't even got a grip of what goes on in her own building. Taxpayers will be absolutely outraged if they are made to pick up the bill for compensation to serious criminals.'

It is the latest in a string of cases where the Government has lost highly-sensitive data, most seriously the personal details of 25million child benefit claimants.

The latest shambles centres on a Whitehall project known as JTrack, to share details of the country's worst offenders.

A private firm working on the project, PA Consulting, was sent the convicts' personal details by the Home Office.

An employee of the company – which has Government contracts worth millions and has worked on the highly-sensitive ID cards project – placed the data, unencrypted, on the memory stick, which went missing at an unknown location.

The Home Office was told on Monday and Miss Smith informed on Tuesday. Officials are desperately hoping the data on the stick, worth many thousands of pounds to criminals, does not fall into the wrong hands or be made public.

The worst-case scenario is having to protect notorious criminals – such as sex offenders – at risk of vigilante attack.


Criticism: Shadow Home Secretary Dominic Grieve (left) and Tory spokesman David Ruffley have slammed the Government for their latest mistake

There are also fears of rival criminals, such as drug dealers, using the information to settle old scores, possibly even waiting in ambush outside prison gates.

Protecting these villains could cost millions and place an enormous strain on police resources.

But changing release dates would cause mayhem in crowded prisons. There is even the prospect of gang bosses obtaining the data and using it to recruit convicts with useful skills.

Shadow Home Secretary Dominic Grieve said: 'This is a massive failure of duty. What is more scandalous is that it is not the first time that the Government has been shown to be completely incapable of protecting the integrity of highly sensitive data, rendering them unfit to be charged with protecting our safety.'

David Smith, deputy commissioner for the Information Commissioner's Office, said: 'It is deeply worrying that after a number of major data losses and the publication of two government reports on high-profile breaches of the Data Protection Act, more personal information has been reported lost.

'It demonstrates that personal information can be a toxic liability if it is not handled properly.'

The Home Office said: 'Arrangements were in place for data to be sent securely to the contractor, in a fully encrypted form to a secure location. It appears that an employee of the contractor then transferred the data to an insecure memory stick.

'All transfer of data has been suspended pending investigation.'

PA Consulting had no comment last night. The company, which has 3,000 employees in 35 countries, was paid a reported £2million a month by the Passport Service for its work on ID cards.

Monday 1 June 2009

Data loss firm contract axed

The information contained on a memory stick was not encrypted

A company which lost the details of thousands of criminals held on a computer memory stick has had its £1.5m contract terminated after an inquiry.

Home Secretary Jacqui Smith said PA Consulting had lost the data after it was transferred securely to the firm.

PA Consulting apologised for the loss of data and had accepted its "responsibilities".

The work had now been taken in-house and PA Consulting's other Home Office contracts, worth £8m, are under review.

The Cabinet Office will also launch a review of all contracts signed by the government with private companies to ensure they were "appropriate", said Ms Smith.

"Our contract had stipulated the sort of security provisions that needed to be in place and that had not happened," added the home secretary.

"We are cancelling this contract and we are urgently reviewing the way in which PA Consulting are meeting the requirements of other contracts we have with them.

"Our investigation has demonstrated that while the information was transmitted in an appropriately secure way to PA Consulting and fed to a secure site, it was subsequently downloaded on to an insecure data stick and that data stick was then lost."

Unlocked drawer

She said the memory stick had not been encrypted or "managed properly" and had not been found despite extensive searches.

RECENT LOSSES
Nov 2007: 25m people's child benefit details, held on two discs
Dec 2007: 7,685 Northern Ireland drivers' details
Dec 2007: 3m learner drivers' details lost in US
Jan 2008: 600,000 people's details lost on Navy officer's stolen laptop
June 2008: Six laptops holding 20,000 patients' details stolen from hospital
July 2008: MoD reveals 658 laptops stolen in four years

A risk assessment was being carried out about the data that was missing, alongside the internal inquiry into what had happened, she said.

And no more information was being passed to the firm while the investigation continued and the government was "reviewing the terms of that contract and other contracts" with PA Consulting.

The memory stick contained unencrypted details about 10,000 prolific offenders as well as names, dates of birth and some release dates of all 84,000 prisoners in England and Wales - and 33,000 records from the police national computer.

Cancelling the contract will not cost the taxpayer and any expenses incurred will have to be met by PA Consulting, Ms Smith said.

The memory stick contained the details of 84,000 prisoners held in England and Wales.

The device also contained the names, addresses and dates of birth of 30,000 people with six or more convictions in the last year, as well as the names and dates of birth of 10,000 criminals regarded as prolific offenders, from the police national computer.


It also carried the initials of people on drug treatment programmes.

It was left in an unlocked drawer in an unsecured office at its offices in Victoria, central London.

The loss led to fears prisoners would attempt to claim compensation but Ms Smith reassured MPs that "appropriate measures are in place for individuals seeking information about the data held on them".

Critics say the mistake raises further doubts about the government's controversial ID card project, in which PA Consulting is involved.

Ms Smith said: "The inquiry that we have carried out ... suggests that the most likely thing to have happened was that the data stick was pilfered or lost.

"I think (PA Consulting) recognise that what they have done is against the terms of their contract."

'Apologise unreservedly'

In its first public statement on the data loss incident, a spokesman for PA Consulting said: "The loss of data on this project was caused by human failure, a single employee was in breach of PA's well-established information security processes.

"We deeply regret this human failure and apologise unreservedly to the Home Office."

He said the firm had carried out an examination of all of its government and private sector projects which handle sensitive data.

"Our review has confirmed that, apart from in this isolated incident, we are fully compliant with robust policies and procedures and are achieving high levels of information assurance across all of our work," the spokesman added.

Liberal Democrat home affairs spokesman Tom Brake accused ministers of trying to escape criticism for data losses by "making scapegoats out of private companies".

"Barely a week goes by without the government being embroiled in another data cock-up, and yet ministers remain intent on pressing ahead with their Orwellian plans for a national identity register.

"The Government has proved it cannot be trusted with even basic information, let alone with something as intrusive and excessive as the ID cards scheme."

At the weekend, it emerged that another private contractor, EDS, mislaid a computer disc carrying personal details of thousands of employees of the National Offender Management Service in July last year.