UK Gov't Lost Personal Data On 4M People In One Year

An anonymous reader writes "The U.K. government has lost the personal information of up to four million citizens in one year alone. The astonishing figures, calculated by the BBC, added up as Whitehall departments slowly released their annual reports for the year to April. And the trend has not stopped — in the latest revelation, HM Revenue Customs, which infamously lost the details of 25 million child benefits claimants last November on two unencrypted discs, experienced 1,993 data breaches between 1 October last year and 24 June." (More below.)

"Earlier this week, the Ministry of Justice admitted it had lost 45,000 people's details throughout the year, on laptops, external security devices and paper, and that 30,000 of them had not been notified. Before that, the Home Office announced it had lost the data of 3,000 seasonal agricultural workers on two unencrypted CDs. In May, the Department for Transport lost the data of three million learner drivers. Other data losses occurred at the Foreign Office, which lost 190 people's data in five incidents. In January, the Ministry of Defence said it had lost a laptop containing the details of 620,000 recruits and potential recruits, and some information on 450,000 referees for job applicants. The Liberal Democrats have called for 'data guardians' to be appointed to monitor the government's handling of information."

Encryption

[telchine]

Encryption nowadays is so damn easy to use. Why don't they?

Stupidity or Malice?

[EdIII]

experienced 1,993 data breaches between 1 October last year and 24 June

That is almost 10 breaches a day. That is not a leak. That is a fucking river .

I am reminded of a pretty good saying. "Once is happenstance, twice is coincidence, and three times is enemy action". With data breaches this prevalent there needs to be investigations, firings, and serious consequences for all involved. At least fire everybody in charge at once.

Just you wait...

[fuzzyfuzzyfungus]

The magnitude of this crisis clearly indicates that the state urgently requires expanded powers and broader scope of co-operation with private sector stakeholders in order to secure these sensitive records.

Utterly, utterly, wrongheaded; but just plausible enough to work...

Re:Stupidity or Malice?

[smittyoneeach]

How about minimizing the amount of individual data collected?
In the US, the Fed could leave to the states a vast swath of functions currently bogging down DC, making everyone more secure in a variety of ways.

It's principally Government incompetence.

[CountBrass]

It's Government incompetence: constant changes in policy, meaningless targets and, most critically, the replacement of the most senior civil servants, whose pensions and knighthoods depend on not fucking up, with a bunch of consultants on short term (typically 5 year) contracts.

This is the government that wants to have us give us our biometric data, impose the use of id cards and keep DNA records on us all.

Back to dumb terminals

[Tyrannicalposter]

No laptops, CDs, memory sticks, USB drives. Just a dumb terminal. That way the data can live in a secure data center. Until you piss off some rowdy geriatric mainframe hackers.

Re:Just you wait...

[EdIII]

Close your eyes and imagine John Hurt from V for Vendetta screaming that at the top of his lungs in a speech. Gives you tingles up your spine right?

Lazy? Incompetent?

[Timo_UK]

Most of the civil servants are proabaly happy that they have managed to drag and drop a few files to the USB stick. They probably don't even know what encryption is.

Re:Lazy? Incompetent?

[HungryHobo]

Or sending passwords over IM/Email/plaintext.
try to explain about packet sniffers and you'll get a reply along the lines of "oh security would be down like a ton of bricks on anything like that". Cause packet sniffers are easy to detect as we all know.

the standard here is "security handle that so I don't have to think about being secure" when in fact security can't handle that unless people take reasonable measures themselves.

Re:Stupidity or Malice?

[jimicus]

Once you're a permanent employee it's near impossible to get fired for incompetence, but if you're actually good at your job they will let you quit and train up someone else rather than give you a pay rise or promotion.

I can testify to this. My local NHS trust advertises jobs internally but apparently has a policy of deciding who to promote based purely on how well they present themselves at the interview - little or no attention is paid to references, line manager's opinion or past performance. A confident person who's relatively inexperienced and crap at their job is more likely to be promoted than a less confident person who's really very good.

Follow this to its logical conclusion, and you realise that the people at the top can be absolute idiots but the one thing you can be sure of is that they're supremely confident that the sun shines out of their own arse.

Now, I appreciate that this is not far from how things work in the real world for new people coming in from outside, but to make a formal policy of it for internal promotions?

Fuck this shit

[damburger]

Our government hates freedom. Its desire to turn society into a perfect little machine to optimise a bunch of meaningless metrics leaves no room for free will, or dissent from the middle-class, middle-of-the-road lifestyle that we are supposed to lead.

There is no priority for this government than maintaining the status quo, at any cost. Our internet connections must be monitored, our lives recorded in minute detail, our rights before the law curtailed, just so the City can continue to gamble peoples pensions and walk home rich whatever happens.

I hate my own country.

Re:It's principally Government incompetence.

[Candid88]

Sorry, but how can someone misplacing a USB stick be attributed to any of the things you listed?

If I.T. data security needs tightening (which it obviously does) then how about actually changing something in some way related to I.T. data security?

Rather than actually fix the problem at hand though, it seems - as always - everyone would rather copy the mainstream media's cries of wolf and descend into the typical "the world's going to the dogs and it's all someone-but-me's fault" farce.

That's a great attitude to take if you want viewers and readers (everyone wants to hear about problems with someone-else to blame) but it's not very good if you actually want to fix the problem at hand.

Oh well, that's just a humble engineer's opinion, it may be a little rational for the arena of politics & popular opinion.

Re:It's principally Government incompetence.

[CmdrGravy]

I don't expect senior civil servants would ever get their hands dirty enough to be in a position where they have any data to lose but it is there job to ensure everyone else reporting to them understands and is complying with sensible data security procedures. If they aren't doing this then it is their fault as much as it's the fault of the contractor who actually lost the USB stick.

The use of ID cards might stop this sort of data loss but I don't believe for a a second it will do. First of all I think the company who has just lost this data is one of the ones involved in the ID card scheme and they obviously don't have data security very high on their agenda. Secondly the actual database may be more centralised but the data its self is going to be available to virtually every single government employee in the country along with any private company who fancies it so the chances of that reducing the amount of data leaked out don't look very good to me.

Re:Stupidity or Malice?

[EdIII]

That's the sort of stupid, over-the-top thinking which will likely cause much, much bigger problems. So even if a director is doing an excellent job he should be fired because some guy lost a USB stick which is most probably behind the back of some filing cabinet?

No offense, which I am not sure goes both ways here, but your statement is the one that is a little naive and uninformed. The person responsible is the CIO, or director if you will. If you are going to have computers, databases, and information processing in any organization you need a CIO and an IT department. It is the responsibility of those people to create and enforce sensible data handling policies and to comply with any governmental regulations governing that data. Now CIO may not be the proper term, but I am sure there must be some sort of department that deals with this. There usually is, and if not, then the UK's problems are a lot bigger than I thought.

Your assertion that I am stupid, or that my recommendation to fire the CIO is stupid, is just inflammatory and does not support your position that these people should escape unscathed.

This is not the loss of a single USB stick, but rather the pervasive problem of data loss throughout the entire government of the UK . As I stated, that is about 10 incidents per day. The CIO (or equivalent) is wholly responsible. After the first couple of incidents, the CIO should of taken action through the implementation of security and data handling technology and policies.

I realize it's popular these days is to always blame everything on those "incompetent" people in charge of governments. But a little rationality is required.

Whether or not it is popular to blame the government for problems is irrelevant here. The government is responsible for safe guarding the data and it failed, and it is a spectacular failure at that. Blame is required here, and in fact, the lack of blame here would be as bad the problem itself. Your claim that is irrational to assign blame to those responsible is astonishingly irrational in of itself.

Despite all these "data breaches" there is yet to be any evidence of misuse of this data. That doesn't mean it's OK, but to claim it's some sort of "disaster" is a little over the top.

You really must be kidding here. You are not serious are you? This is a huge disaster. You are attempting to downplay the potential for harm here, while completely ignoring the massive scope and scale of the problem. Evidence of any consequences has nothing to do with problem itself. My reaction is not unique, and to say it is over the top is indicates an indifference and apathy on your part to the problem itself.

There needs to be a review of all the policies and laws pertaining to the handling of sensitive data like this. This is a big deal considering it's scale, and the "directors" do need to be removed and policies have to be created with consequences for failure.

Otherwise, as you seem to be suggesting, we just give them a slap on the wrists and say, "naughty little directors! You little buggers :) Do better or next time we might get more serious". Why would you want to treat this lightly and keep the same people, responsible for such widespread breeches, in their positions?

Re:Another USB stick has gone missing

[dintech]

Anyway, look on the bright side. With 4m records lost and only 60m people living here, there's bound to be some overlap so less than 4m will actually be affected.

As an alomst certain side effect, somewhere there's a very pissed off unemployed seasonal worker who's still trying to get his driving license...

Re:Sounds like a job for FLOSS

[Vectronic]

No it doesn't you OSS junkie.

You spat out that long paragraph of "Free the Panda's", but encryption, plug-ins, and OSS or not, this wouldn't solve the problem, the main problem here, is data LOSS, as in "whoops, I dropped it down the drain" (stolen/lost laptops, CDs, USBs, etc) about half of the data was encrypted, which means that there is probably a 75% chance (random pseudo-statistic) that the information is secure, but that has nothing to do with the fact that they lost all that data, although identity theft is a factor, this is mostly about "What the fuck do we know now?"... re-acquiring a lot of that information could take months, sometimes years, and in other cases never happen at all.

Yes the various networks need beter security, but they also need to stop letting Bob and Diane taking their work to the cafe when they have sensitive data.

McKinsey hates freedom

[Kupfernigk]

More specifically, the preferred choice of consultant of the Government (McKinsey) is an authoritarian, secretive and elitist organisation that believes that the only fate for ordinary people is to be monitored, measured and managed. Politicians don't understand this stuff and do what they are told. The real question is how the Government sold out to a completely undemocratic organisation.

I don't hate my country, but I do dislike those aspects of the private school and class system which causes the people in power to be conformist and inward looking, and ready to believe any snake oil salesman in a Boateng suit. People mock Prince Charles, but at least he is prepared to get into trouble by listening to independent experts and then asking questions about the status quo and the desirability of corporatism. The Government appoints independent experts, and then when their conclusions conflict with those of the editors of tabloid newspapers, or McKinsey, they reject them. The inevitable result is pissed off staff and managerial incompetence. As one of my bosses used to say about organisations like McKinsey, when did you last hear of a great world manager? Taylorism takes no account of leadership, which is what gives morale and a sense of direction to organisations. And the only way to bring in things like data security is to bring back a spirit of public service - which means leadership.

thay can and do keep data safe: when they want to

[petes_PoV]

Besides, I don't think it's "humanly" possible to transport this amount of information with absolutely no spillage at all

Sure it is. the government (any government) produces thousands of times this amount of covert data each year. Whether it's surveillance, foreign intelligence or simply military planning information.

The point is, that almost none of this sort of stuff - the info that governments really care about - gets into the wrong hands. If they considered the loss of personal data to be important, they could easily stop all leakages except those done maliciously

Department of Justice?

[Rhodri Mawr]

You *know* a country's going to the dogs when it suddenly creates a Department of Justice and puts a Muppet in charge of it. A semantic point - they didn't *lose* the data, they put it in the public domain through incompetence when the data should have been kept private.

Re:It's principally Government incompetence.

[VdG]

I think the point was that it's no longer civil servants doing the work, but short-term contractors. A civil servant who's expecting to stick around for a long time and pick up a very generous pension - and at the top end a knighthood or some other honour - might care more about doing a good job - or at least, not screwing up too badly - than someone who knows they're only going to be around for a year or two before moving on to something else.

I think that there's also more of a tendancy to try to bypass the rules if you're a short-termer, possibly working to a tight deadline and maybe with a one-off need. A long-term employee might realise that they're going to face the same situation again and so take the time to figure out how to do things properly.

Re:4000000?

[Anonymous Brave Guy]

There is no point fining the government in these circumstances, because when they lose almost half the population's details, those people just pay themselves and everyone else effectively gets fined. I didn't vote for for the b*****ds in the first place, and neither did most other people, so I would consider such a fine to be rather unethical on several counts!

IMHO, the only effective response in cases like this is personal liability: someone in charge has to have personal consequences that directly and seriously affect them in the event of a breach. I'm not necessarily talking about jail time or million pound fines for accidental breaches, but something equivalent to barring them from holding any public office, or in the private sector from acting as a company director, for a significant period of time would seem appropriate. Deliberate breaches are a different matter, and I have no problem with major fines or jail time for anyone who deliberately and maliciously abuses access to personal information. Data protection is a serious issue, identity theft is one of the fastest growing crimes there is and also one that is deeply unpleasant and inconvenient for the victim, and it's about time our legal system stopped treating it like a minor misdemeanour.

I believe there should also be a law requiring that any government procedure that can compel a citizen to provide information and/or money or other material goods must come with a corresponding appeal procedure that provides for correcting errors quickly, easily and at no cost to the victim, under judicial oversight, and again with direct personal penalties for anyone responsible for setting up a system that gets things wrong without making adequate provision for correcting the inevitable mistakes.

Bottom line: heads have to roll at high levels before anything will change. As long as anyone who screws up still gets to go to work tomorrow and hide behind corporate responsibility or crown immunity, nothing will change.

Re:4000000?

[k1e0x]

You sure seem to have a lot of faith in laws.

The reason they are not more careful with the data is they don't have to be. The government isn't hurt when it looses your data. They aren't even hurt when they loose your money. I forget what State it is now but they had peoples SSN numbers up on one of their web sites plain as day.

Government bureaucrats are NEVER accountable for anything. (even if they did loose 4 million euros) The best you can do is sue the branch of government and then they will pay that with YOUR tax money.

The real solution is to not collect the information in the first place. Yes, I am really implying that government does not need to know who you are and deal in every aspect of your life.. and that would require a lot fewer bureaucrats around too.

Re:Stupidity or Malice?

[VJ42]

You're not allowed to discriminate based on age. It wouldn't surprise me if some PHB interpreted that as age == experience, therefore we cant discriminate based on experience.