UK Gov't Lost Personal Data On 4M People In One Year

An anonymous reader writes "The U.K. government has lost the personal information of up to four million citizens in one year alone. The astonishing figures, calculated by the BBC, added up as Whitehall departments slowly released their annual reports for the year to April. And the trend has not stopped — in the latest revelation, HM Revenue Customs, which infamously lost the details of 25 million child benefits claimants last November on two unencrypted discs, experienced 1,993 data breaches between 1 October last year and 24 June." (More below.)

"Earlier this week, the Ministry of Justice admitted it had lost 45,000 people's details throughout the year, on laptops, external security devices and paper, and that 30,000 of them had not been notified. Before that, the Home Office announced it had lost the data of 3,000 seasonal agricultural workers on two unencrypted CDs. In May, the Department for Transport lost the data of three million learner drivers. Other data losses occurred at the Foreign Office, which lost 190 people's data in five incidents. In January, the Ministry of Defence said it had lost a laptop containing the details of 620,000 recruits and potential recruits, and some information on 450,000 referees for job applicants. The Liberal Democrats have called for 'data guardians' to be appointed to monitor the government's handling of information."

4000000?

[ricebowl]

The U.K. government has lost the personal information of up to four million citizens in one year alone.

That's quite impressive, I assumed it was a much larger figure given all the stories. Mind you, that's just an estimate, so it probably is a larger figure. I do wish that people entrusted with this type of data, and any other type to be honest, would have to prove competence to be trusted with it.

Re:4000000?

[Vectronic]

How do you propose that they "prove competence", as far as I can tell, that seems to be what's happening, some organizations, have proved their competence, others, such as this, have failed.

Granted, information distribution isn't exactly new, however the method and/or media used to transfer the information is/has changed, and is being increasingly adopted, so they all have to figure it out.

Besides, I don't think it's "humanly" possible to transport this amount of information with absolutely no spillage at all.

That said, I'm not really making excuses, as even 4 Million is much larger than it should be, that's what, 6 to 7% of the population? That's basically epidemic, and is certainly pandemic given that the UK isn't the only one.

Hardware Encryption

[Anonymous Coward]

If memory serves, don't most drives have the capability in the spec to password protect the drive?

Re:Stupidity or Malice?

[Candid88]

"At least fire everybody in charge at once."

That's the sort of stupid, over-the-top thinking which will likely cause much, much bigger problems.

So even if a director is doing an excellent job he should be fired because some guy lost a USB stick which is most probably behind the back of some filing cabinet?

I realize it's popular these days is to always blame everything on those "incompetent" people in charge of governments. But a little rationality is required.

Despite all these "data breaches" there is yet to be any evidence of misuse of this data. That doesn't mean it's OK, but to claim it's some sort of "disaster" is a little over the top.

Re:Encryption

[Spad]

User resistance.

I've been involved over the last couple of months with implementing fixed disk, removable media & email encryption at an NHS trust in the UK and the amount of complaints and stupid problems we've had from users is astounding.

Most of them go straight to one of the directors to complain, before kindly informing IT that they've done it, so we'd better hurry up and fix the issue. Then staff go out of their way to find ways around the encryption, exerting far more effort than it would have taken just to use it in the first place.

Thankfully we've got a CEO & IT director who don't want to be the ones going on TV to explain how they lost X thousand unencrypted patient records and so are making sure the policy is enforced, but I can easily see how "weaker" management would allow lapses to keep staff happy and risk this kind of data leakage.

Re:4000000?

[joto]

How do you propose that they "prove competence",

One suggestion would be to

1. Make legislation that outlines procedures for handling privacy data that will be mandatory to follow
2. Make everyone handling privacy data require a certificate that proves they are licensed to do so
3. Make it illegal for somone to hire an unlicensed person to handle privacy data
4. Make it mandatory to document whatever you do to privacy data in paper documents or electronic equivalents
5. Enable a government bureau to periodically control these documents to see that procedures are followed
6. And also to periodically do other kinds of tests, to test security procedures, e.g. "social engineering tests"

Besides, I don't think it's "humanly" possible to transport this amount of information with absolutely no spillage at all.

Sure it is. You need proper procedures and regulations. Sure, if you put it on a laptop or memory-stick, and let your employees carry it around without any oversight, accidents will happen. But if you treat the information as valuables, all will be fine. Money-transports don't usually go around losing money.

The trouble is that there is no real accountability for losing data. If someone loses 4 million euros, they know somebody will be pretty unhappy. But losing the private records of 400 people, which given todays identity-theft-plagued society could easily result in damages of 4 million euros, is somehow not taken as seriously.

Re:Another USB stick has gone missing

[apathy maybe]

This is a great point, and it is a pity it is being modded "funny" rather then insightful.

Even if you think you have nothing to hide from the government, and thus they can collect what they will on you, they will loose that information.

And you don't want scammers, fraudsters, identity miss-users and other people to get hold of that information.

So even if you think you have nothing to hide from the government (the people whom you should trust the least (next to corporations) out of society), you certainly wouldn't be handing over this information to your friendly neighbourhood Mafia.

(Oh, and you certainly do have something to hide from the government. Even if it is the fact that you sometimes speed or jaywalk.
In this comment I made the point about nothing to hide, http://slashdot.org/comments.pl?sid=645245&cid=24591399 [slashdot.org] and linked to this http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 [ssrn.com] paper. Read it.)

Re:4000000?

[OriginalArlen]

Me too, I was reading a story on El Reg the other day that asserted 29m (25m being the child benefit agency CD) - can't find it now, of course, but stumbled over this instead [theregister.com]. No wait! here it is. [theregister.com] Non-Brits may not be aware that this morning's lead story on the Beeb (radio and web) was the loss of an unencrypted flash stick with details of all current guests of Her Majesty's pleasure [bbc.co.uk] by PA Consulting. Not quite sure how the tabloids will whip up a "think of the children" angle on it, but I'm sure they will. It's great they've been picking up on these stories, but typical that they've not worked out that the answer isn't "hire more clueful contractors", but "don't have the data in the first place" (at all if possible, but if really needed - obviously child benefit records and lists of prisoners are in the "essential" category - never allow records to be pulled onto client systems. And really drill it into people that they should flag up naughty behaviour they come across - ie., inculcate a security culture. That's the trickiest bit.

Re:Data Guardians?

[fbjon]

Data guardians? Who guards the guardians?

The data guards the data guardians. Simply put all their personal info in there, including credit card numbers, and suddenly the guardians will be Nazis about keeping it safe.

Re:thay can and do keep data safe: when they want

[elguillelmo]

almost none of this sort of stuff - the info that governments really care about - gets into the wrong hands

I wouldn't be so sure. From today's news [timesonline.co.uk]: "Confidential records [...] on tens of thousands of the country's most prolific criminals have been lost in a major breach of data security [...] Scotland Yard is investigating the loss of the information, which was taken from the Police National Computer and entrusted by the Home Office to a private consultancy firm"

And, how do you know covert data is never lost if you wouldn't even get news it was collected in the first place?

ID Cards

[www.bnp.org.uk]

If you are a tyrannical government attempting to introduce (force) the use of ID cards then this is how you manipulate the public into accepting them. "Losing" the data can easily be organised, but informing the public over and over again is what the media do.