UK Government Staff Caught Snooping On Citizen Data

An anonymous reader writes "More than 1,000 UK government staff have been caught snooping on citizen data — including criminal records, social security, and medical records. From the article: 'The U.K. government is haemorrhaging data — private and confidential citizen data — from medical records to social security details, and even criminal records, according to figures obtained through Freedom of Information requests. Just shy of 1,000 civil servants working at the Department for Work and Pensions (DWP), were disciplined for accessing personal social security records. The Department for Health (DoH), which operates the U.K.’s National Health Service and more importantly all U.K. medical records, saw more than 150 breaches occur over a 13-month period.'"

Re:Shocker

[jimicus]

And any half-decent auditing system would catch you very quickly indeed.

The thing is I'm absolutely sure in my own mind that despite the fact that the means to develop half-decent auditing systems has existed for years, I don't think they're terribly widely deployed. And if they are, I don't think very many organisations have processes in place to make sure that action is taken when the audit blows the whistle on someone.

This is based mostly on speculation rather than having any hard evidence, though. Would welcome comments from someone who does IT security professionally.

Re:Shocker

[Anonymous Coward]

Auditing systems only work to stop legitimate users of a database from making inappropriate queries, the database and system administrators, and in most cases network administrators have carte blanche access to anything and everything they are responsible for, and it is always a simple procedure to bypass any audit traps that may be in place.

Take the example of an Oracle DB on a Unix system, it is a pretty trivial task to make a copy of the entire hard disk (and database contained therein) without leaving a trace of your actions. These systems are both too simple and too complex to prevent access from a lower level of abstraction.

We put a huge amount of trust in system operators, and there is really no other way. At the end of the day, someone needs lowlevel access to the system to run diagnostics and perform maintenance, even in some security enhanced configuration like IBM AIX or z/OS, there is going to be a hardware maintenance mode, if not accessible by the site admin, it will be accessible by someone at IBM.

Re:Shocker

[niftydude]

Not just private information. I used to consult to a roads authority that I'll keep nameless for now.

They had remote controllable ccd cameras all over the place to keep track of traffic flow etc.

Whenever I went in, one of the cameras would almost always be pointing at the girl who used to sunbathe in her back yard in a property very close to a major intersection.

Incredibly creepy.

England != UK

[monktus]

If true, this is a Bad Thing (though not terribly surprising). TFS is a bit wrong though. The Department of Health is not responsible for the NHS across the UK, and never has been. It has only ever been responsible for health in England and Wales, with the latter being devolved to the Welsh Assembly in 1999. Arrangements for social services are a little dfferent, but again this isn't necessarily relevant to all of the UK. Not that civil servants in devolved departments are perfect, but this is just another example of the UK stopping at the M25 (don't worry America, it's not just you, the British MSM and Westminster politicians do it all the time).

Re:Mrs May you're useless!

[coastwalker]

I have come to the conclusion that it isn't the politicians that are the problem. Its the Civil Service. Governments are just a passing inconvenience to them, all the policies floated by the last government that were called out as being hated by the people are steadily being re-introduced by the current government. It seems that the reforming Tories in power actually have no power at all. So there is no point ranting at an individual politician because they may as well not be there for all the good it will do.