Forgot your password?
typodupeerror
Government Security United Kingdom Your Rights Online

UK Government Staff Caught Snooping On Citizen Data 120

Posted by samzenpus
from the lets-have-a-look dept.
An anonymous reader writes "More than 1,000 UK government staff have been caught snooping on citizen data — including criminal records, social security, and medical records. From the article: 'The U.K. government is haemorrhaging data — private and confidential citizen data — from medical records to social security details, and even criminal records, according to figures obtained through Freedom of Information requests. Just shy of 1,000 civil servants working at the Department for Work and Pensions (DWP), were disciplined for accessing personal social security records. The Department for Health (DoH), which operates the U.K.’s National Health Service and more importantly all U.K. medical records, saw more than 150 breaches occur over a 13-month period.'"
This discussion has been archived. No new comments can be posted.

UK Government Staff Caught Snooping On Citizen Data

Comments Filter:
  • Shocker (Score:5, Insightful)

    by trout007 (975317) on Friday May 18, 2012 @03:15AM (#40038527)

    Give someone access to people's private information and it will be abused. Here I'm giving you this box that contains pure awesomeness. Please don't open it.

    • by Joce640k (829181)

      Wouldn't you want to look up famous people in the database? See how much tax they pay, etc. I sure would!

      • Re:Shocker (Score:4, Informative)

        by jimicus (737525) on Friday May 18, 2012 @03:51AM (#40038681)

        And any half-decent auditing system would catch you very quickly indeed.

        The thing is I'm absolutely sure in my own mind that despite the fact that the means to develop half-decent auditing systems has existed for years, I don't think they're terribly widely deployed. And if they are, I don't think very many organisations have processes in place to make sure that action is taken when the audit blows the whistle on someone.

        This is based mostly on speculation rather than having any hard evidence, though. Would welcome comments from someone who does IT security professionally.

        • Re:Shocker (Score:5, Informative)

          by Anonymous Coward on Friday May 18, 2012 @04:01AM (#40038713)

          Auditing systems only work to stop legitimate users of a database from making inappropriate queries, the database and system administrators, and in most cases network administrators have carte blanche access to anything and everything they are responsible for, and it is always a simple procedure to bypass any audit traps that may be in place.

          Take the example of an Oracle DB on a Unix system, it is a pretty trivial task to make a copy of the entire hard disk (and database contained therein) without leaving a trace of your actions. These systems are both too simple and too complex to prevent access from a lower level of abstraction.

          We put a huge amount of trust in system operators, and there is really no other way. At the end of the day, someone needs lowlevel access to the system to run diagnostics and perform maintenance, even in some security enhanced configuration like IBM AIX or z/OS, there is going to be a hardware maintenance mode, if not accessible by the site admin, it will be accessible by someone at IBM.

          • by Apuleius (6901)

            However, a decent auditing system would limit the number of people able to abuse the data in this way.

            It's one thing to know that there are sysadmins out there with the ability to leak my data. At least the sysadmins, are, well, people like me. Who read Slashdot and have read the same things I have about why it's important not to engage in or facillitate creepiness with databases.

            But when the system is open to abuse by every halfwitted clerk in the government, that's when seriously bad shit happens.

        • Re:Shocker (Score:4, Interesting)

          by Sique (173459) on Friday May 18, 2012 @04:45AM (#40038927) Homepage

          It's pretty easy to overcome audits. Open a trivial case against the person you want to snoop on (littering or something), pull the data, and then close the case with "no further investigation". So everything looks legitimate, and the audit doesn't ring any alarms.

          • by Anonymous Coward

            This depends on the system. The system mentioned by parent I don't think classifies as `half-decent`, even though it is how many CRM based systems work.

            Half decent systems hide nearly all information until the case/person is identified correctly. Also this is recorded in audit information, with the relevant information that is shown initially as a search and the reason for opening/closing the case/person.

            Most rigorous system that I am aware are for Police National Computer (PNC) checks. Most commonly used f

        • by Joce640k (829181)

          And any half-decent auditing system would catch you very quickly indeed.

          They might have database triggers on obvious famous people[1] to catch stupid[2] people being bribed by Rupert Murdoch but what about people who look up school friends or whatever. That's unlikely to raise an eyebrow.

          [1] But don't bet on it: This is government, the very definition of IT incompetence.
          [2] You can bet the smart people can get access without being logged by 'borrowing' a superviser's password or a backup disk or whatever.

        • by Cederic (9623)

          And any half-decent auditing system would catch you very quickly indeed.

          Indeed. For instance, over 1000 people working for the Government in the UK have been caught illegally accessing data - who'd have thought it, auditing systems working.

          I don't think they're terribly widely deployed. And if they are, I don't think very many organisations have processes in place to make sure that action is taken when the audit blows the whistle on someone.

          In the UK, they're deployed extensively, and if you don't work for DWP, it's often a sackable offence when the audit controls catch illicit access.

          Forget the legal mandate to protect data, we have a duty of care to customers (and, cynically, to protect the company reputation).

      • by jouassou (1854178)
        In Norway, the government information about capital, income and taxes is actually made public. If you login to the webpage of the Norwegian tax department [skatteetaten.no], you can snoop in the economy of any other citizen. That's the sneaky way of encouraging people to turn in their neighbors for tax fraud...
    • by oobayly (1056050) on Friday May 18, 2012 @03:39AM (#40038641)

      Just shy of 1,000 civil servants ... were disciplined ...

      WTF, how about sacking these people, they clearly can't be trusted in their position. Better still, make it a criminal offence (if it isn't already) and charge them.

      I worked for the Ordnance Survey in Southampton after Uni. During training we were shown examples of where people had altered maps (someone wrote "HI" in land tiles in the North Sea, and a building was labled "Kate's cradle of filth"). It was explained to us that all work was logged. If caught we would be sacked. If we'd already left, we'd be chased up under the Official Secrets Act.

      Whether it was all a threat, I don't know. But I certainly didn't risk finding out. Neither did any of my friends.

      • by Spad (470073) <slashdot@NOSpam.spad.co.uk> on Friday May 18, 2012 @04:49AM (#40038943) Homepage

        This is the public sector we're talking about, you can't just fire people for gross misconduct, that would be discriminating against people who violate your policies.

        I have personal experience of this, contracting for an NHS trust where one of the people in my team abused their access to snoop through peoples' emails, documents & web logs to try and find information that they could use to blackmail them into giving them perks & preferential treatment. We caught it within a couple of days and had witnesses and audit logs showing what they'd been doing (they weren't too bright when it came to covering their tracks) and handed the whole lot over to HR.

        It took nearly 3 months before they even suspended him; almost 2 years later they had botched everything so badly that they had to pay this person off to leave quietly and not take them to an employment tribunal.

        That anyone ever gets fired from a public sector role without having broken some pretty major laws is nothing short of a miracle.

        • by Inda (580031)
          In a small English town of 120,000 people, the chances of knowing someone who works in the local council offices, for just a little over the minimum wage, is high. They probably went to school together. They probably share drinks. They probably share data too.

          *wink*

          It's rife.
    • I'm pretty sure the vast majority of the data accessed is nothing like a box containing pure awesomeness. In fact, given the people that I see only my daily commute it would be like the Ark of the Covenant, except when you open it pure boredom comes out and melts your face off.
    • Re:Shocker (Score:5, Informative)

      by niftydude (1745144) on Friday May 18, 2012 @04:23AM (#40038835)
      Not just private information. I used to consult to a roads authority that I'll keep nameless for now.

      They had remote controllable ccd cameras all over the place to keep track of traffic flow etc.

      Whenever I went in, one of the cameras would almost always be pointing at the girl who used to sunbathe in her back yard in a property very close to a major intersection.

      Incredibly creepy.
      • And you didn't bother to figure out who it was and tell her? Or file a complaint with management?

        • by am 2k (217885)

          And you didn't bother to figure out who it was and tell her? Or file a complaint with management?

          Yeah, he might even have managed to make the superior glare in a very annoying way at the people controlling the camera!

      • by AmiMoJo (196126)

        That's what happens [bbc.co.uk] when you put minimum wage monkeys in charge of an incredibly boring bank of screens all day.

        • I work with folks who earn 200k+ per year and they would do the same. Its human nature, and we are very social gossipy animals.

          Always write laws and grants of authority with the mindset that they will inevitably be abused.

      • by Apuleius (6901)

        Now picture someone making a database query to find the addresses of all the young girls in town so they can identify a bigger pool of girls who like to lounge in their gardens in summer clothing.

        Probably already happened.

        • Wow. You just reminded me of another time when I was consulting to a financial institution where someone had written a sql query to identify all the girls under 30 who had net worths of over $ 1 million.

          I had totally forgotten about that.
    • by Anonymous Coward

      It depends on what you call abuse - I have in my possession, a database containing serious amounts of information on about 2 million UK housing association tenants. Names, email, date of birth, addresses, history, comments, disabilities, concerns, criminal records, complaints, dependants etc etc etc. There was no access control for this database, I could copy it at will. It would be a scammers dream to get hold if it.

      Have I done anything with it? Nope, never will, sits on one of my archive backups. Would

      • by Joce640k (829181)

        Don't worry. The government leaves an up-to-date copy of that in the back of random taxi every few months to make sure the scammers don't miss out.

  • Nothing to fear... (Score:5, Insightful)

    by yotto (590067) on Friday May 18, 2012 @03:43AM (#40038657) Homepage

    These people, though, were doing nothing wrong so they have nothing to fear from these unelected civil servants poking through their personal information, right?
     
    ...right?

  • Lack of information (Score:5, Interesting)

    by abigsmurf (919188) on Friday May 18, 2012 @04:01AM (#40038707)
    The problem I have with these figures is that they give no details of the nature of the offences.

    Were these all "I want to find embarrassing data on my ex or a celebrity!"? Were some of them just "staff member legitimately needed to access an account and should've waited for his boss to authorise first".

    How many of them were procedural mistakes and how many were genuine cases of snooping? A high number of the former would paint a very different picture and asks different questions to a higher number of the latter. But then Dispatches is a horribly sensationalist program so I doubt they care.
    • by Anonymous Coward

      How many of them were procedural mistakes and how many were genuine cases of snooping?

      This question alone shows a big flaw in the system. It is set up in way that makes it impossible for the taxpayers to check if the government workers are doing their job.
      They can basically waste millions of £ without actually doing anything that benefits society at all and there is no way for you to make sure that they do their best to work effeciently.

      I think it is safest to assume that all of them were genuine cases of snooping, at least that encourages them to improve the transparancy slightly.

      • by abigsmurf (919188)
        To be honest, I think they could've got the information quite easily, in fact they likely have it in the data they received. As I said before Dispatches are incredibly sensationalist, they will always try to aim for the biggest shock they can rather than having a more detailed look.
    • by Anonymous Coward on Friday May 18, 2012 @04:27AM (#40038853)

      These are disciplinary actions, not administrative errors. Verbal ticking offs don't get listed. So they'll all real breaches.

      “unauthorised disclosures of official, sensitive, private and/or personal information”,
      I wonder how many of these are civil servants handing data over to Murdoch's newspapers & TV interests, given we know his newspapers even hacked telephones, buying info from civil servants about celebrities and politicians seems extremely likely. I wouldn't be surprised if a large percentage of those leaks were to Murdochs lot.

      But the big revelation is that there are 200,000 civil servants approved to access the databases. That's an insane number! What did they expect, 200,000 possible leak points, the system is designed to leak private data like a sieve.
      Most likely these are only the leaks that CAN BE CLEARLY IDENTIFIED as leaks. I think that's the TIP OF THE ICEBERG, since most of the data leakers would NEVER GET CAUGHT.

      • by AmiMoJo (196126)

        It came out during the Levison Inquiry that News Corp's papers had access to people's medical records. It seems likely that somoene with access to them handed them over in exchange for cash, since no evidence of hacking has emerged.

  • by Anonymous Coward

    TFA:

    The penalties for a criminal offence go up to £5,000 ($7,900) in a lower magistrates court, or an unlimited fine in a higher Crown court. Some British politicians even called for some extreme data breaches to result in prison sentences — something dismissed by other parliamentary committee members. Rarely does the fine rise to five-figures, let alone six. Only recently, one Scottish local authority was fined £140,000 ($220,000) for five separate data breaches — the highest fine imposed by the courts to date.

    When you fine the government, they just increase taxes. We need some personal accountability here.

    • by abigsmurf (919188)
      You mean like staff being disciplined?
      • by BlueStrat (756137)

        You mean like staff being disciplined?

        Only if by "disciplined" you meant something along the lines of 100 very brisk strokes of a cane to their naked body in the public square while being nationally televised, ending with a distinctive hot-iron brand to the middle of the criminal's forehead along with a lifelong ban on holding any public job or political office ever again.

        If you meant the more typical docking of salary and/or temporary suspension, then, no.

        I hope that clears things up for you. :)

        Strat

    • by Joce640k (829181)

      When you fine the government, they just increase taxes. We need some personal accountability here.

      Yep. The government 'fining' itself only moves money from one place to another, nobody feels terribly punished afterwards (unless they were planning to 'divert' it for their own use). It should be automatic firing (for minor offenses) or prison (for bigger offenses).

  • This sort of thing always happens. The only way we could even begin to reduce it is to automatically fire anyone caught doing it, followed by criminal prosecution. Even then people will try to get away with it.

    The only sane solution is to just accept that it can't be prevented and not allow data to be made available in this way.

    • by Joce640k (829181)

      Some of those breaches would be done by people who were being bribed to get dirt on other people. Firing somebody won't prevent the breaches, it just raises the price of the bribe.

  • by Coisiche (2000870) on Friday May 18, 2012 @04:11AM (#40038773)

    The FOI request revealled the number of civil servants who had done it but private enterprise is not subject to that act. The same thing will go on but it will never be publicised.

    And I'm not going to buy any arguments that private enterprise security procedures would prevent it.

  • England != UK (Score:3, Informative)

    by monktus (742861) on Friday May 18, 2012 @04:41AM (#40038913)
    If true, this is a Bad Thing (though not terribly surprising). TFS is a bit wrong though. The Department of Health is not responsible for the NHS across the UK, and never has been. It has only ever been responsible for health in England and Wales, with the latter being devolved to the Welsh Assembly in 1999. Arrangements for social services are a little dfferent, but again this isn't necessarily relevant to all of the UK. Not that civil servants in devolved departments are perfect, but this is just another example of the UK stopping at the M25 (don't worry America, it's not just you, the British MSM and Westminster politicians do it all the time).
    • by MrMickS (568778)

      If you read the linked article you will see:

      Only recently, one Scottish local authority was fined £140,000 ($220,000) for five separate data breaches — the highest fine imposed by the courts to date.

      Furthermore the summary was quoting the original article, hence the quotation marks, so don't take it out on the summary.

  • by Azarman (1730212) on Friday May 18, 2012 @04:49AM (#40038939)
    Sadly this will never get the attension it needs, the goverment will keep pushing for a single centrizied database either for the children for under the need to stop terrorisum, even with their track record of data fail. But we are just numbers right so who cares

    WIkilink to list of UK data loses we know about http://en.wikipedia.org/wiki/List_of_UK_government_data_losses [wikipedia.org]
    http://news.bbc.co.uk/1/hi/7103566.stm [bbc.co.uk]

    We know the goverment can track cars in real time, intercept sms and phone calls in real time, and after the centerized commications they will be able to cross ref that with your internet habbits. All in one super database to stop terrorisum.

    I wrote to my MP who is a tory, I had a bit of a rant about the Goverment U-turning on this retraining data as it is one of the reasons i personally voted for them. The guy replied but it was like reading BBC news, a sales pitch that was all fluff and no content. It was all about stopping terrorisum it was just pure propaganda to push an ageneder that I personally did not think this MP was even aware of, it just seemed he was given a press release, told this is what he is going to be doing and refusing to look at anything else. The funny thing was I also wrote to my councilers and they also sent him letters along the same lines as mine all to be met with the same reply. Everyone is against this, and MPs are not even listening to their own people to pushing their own agenders.

    L
    • by Dominic (3849)

      You realise that absolutely everything the Tories said to get elected was a lie, not just that? Same old Tories.

      • by Azarman (1730212)
        Yes I do, sadly however it is only recently that I started seeing just how much of our political history is just on repeat. And how little it changes. Example in the 1960-1970s there was an enquiry in to the amount of Freemasons in the met office, and while goggling for some more information I find this, http://www.guardian.co.uk/media/2011/jun/08/phone-hacking-scandal-jonathan-rees [guardian.co.uk] I am not some conspiracy nut here there is a direct link between Government and MET office via freemasons lodges. There have a
  • by Anonymous Coward
    I have 2 Police office friends, Well did have 2. One of them has admitted a number of times to just searching the records of people from school, friends and family. Basiclly the system is there he had nothing to do and just have a poke around, it jokes its like a secret facebook for police only. I dont have any secerts to hide, (my record has one instance of "he was stolen from" when i was 13 and lost a bike but some of my family are not so clean and now my friend knows all about them. The abuse of this inf
  • if any of these breaches can be linked to articles that have appeared in the British press.

  • by Tastecicles (1153671) on Friday May 18, 2012 @06:00AM (#40039229)

    ...that we already know about, never mind the ones they've so far managed to bury.

    The simple fact of the matter is, there is no system-level security. It's a system of trust where the ones with access cannot be trusted. They are, to put it mildly, and without exception, un-trust-worthy.

  • Just picture that the austerity measures taken by different European governments means that they will have completely dissatisfied government employees who will still have access to the same data that they had before.

    The creative ways in which they use that power is a problem that will only get bigger.

    For example, in Romania they have a system in which government employees feed information about pre-communist owners of buildings to their business partners so that they can buy the building rights from people

    • oh your fucking God, austerity measures in Greece? Joke. Italy? Beyond a joke. Spain? Don't even go there. Never mind the rest of Europe, who are all in the exact same mess. The Euro is going down the pan and it's dragging the Dollar and Sterling with it. The plug hole is gurgling and gagging on the shit sandwich of which we'll all soon have to take a HUGE bite.

  • by pkinetics (549289) on Friday May 18, 2012 @02:25PM (#40044007)

    Yawn... this happens in the USA too. Anywhere you have personal records, there will be an employee who will access them for purposes other than intended. Do you think the people at the DMV haven't used their access to check on people that they have no business checking? How about the people that manage passports? There was that mess a few years ago.

I tell them to turn to the study of mathematics, for it is only there that they might escape the lusts of the flesh. -- Thomas Mann, "The Magic Mountain"

Working...