22 Aug 2008, Janie Davies, Computing
http://www.computing.co.uk/ctg/news/1832895/prisoners-home-office-slip
All UK prisoners have become victims of information security failure, after a Home Office contractor lost their details while moving a memory stick between computers on Monday.
The device contained names, addresses, dates of birth and release dates of 84,000 prisoners, all of whom could sue for compensation, The Mirror reported.
Management consultants PA Consulting informed the Home Office of the incident and an investigation is in process.
Reader comments
If USB sticks were encrypted and protected, this wouldn't happen
The Poynter Report recommended a clampdown on mobile data devices in Government departments but people are too used to on-demand data in their personal lives to give up the habit at work. If you can't ban mobile data, at least secure it - there are ways of protecting USB sticks with encryption and chip-and-pin technology which makes them very hard to crack and in some cases worthless once reported lost, so why does no-one do this?
Posted by: Adrian Burholt 22 Aug 2008
The technology is there - just start using it
For the past five months, I have been trying to get government backing for the country to have a National Data Security Review week. Despite my best efforts, my arguments for this seem to have fallen on deaf ears.
I have contacted various MPs, including Hazel Blears (when her office in Salford "mislaid" an unencrypted laptop a few weeks back). I have also contacted several other government bodies and NHS trusts who have themselves lost data, but have had no reply.
It seems that nobody wants to listen to the fact that data security - and the understanding of data security - is, on the whole, woefully inadequate.
From the government, right down to your local tyre fitting company, everyone collects data (our data) but very, very few people actually have any idea how to look after it.
This is a subject that I am very passionate about. Until fairly recently I knew little about the subject. This changed a few months ago however, when I recently started my own business as a reseller for a new Biometric, fingerprint and Password protected USB Drive.
When I started this project, I knew very little about the subject of data loss/data theft. No more or less than most anyway. However, after conducting extensive research on the whole topic of data security, I was really shocked by what I found. So much so, that I feel strongly that there should be a National Data Security Review Week. With the facts that I found, it is clear that not everyone is singing from the same hymn sheet.
It seems to be that everyone collects data these days for the obvious benefits of marketing, but most have little or no idea of how to look after it securely.
This is a view agreed by the Information Commissioner and the Commons Select Committee who recently called for negligent data loss to become a criminal offence. It is clear that everyone agrees that there is a problem but it seems that very few actually know what to do about it.
It is my firm belief that a National Data Security Review week is now a must, to inform organisations and businesses throughout the UK, that they are running a real risk when:
using unsecured USB drives to hold sensitive information,
when allowing remote access, such as working a laptop from home,
carrying unencrypted laptops from the place of work,
using PDAs such as Blackberry, Palm and Sidekick etc.
using a wireless connection to connect to the place of work.
The latest loss of data by the government contractor is just another example of the complete disregard - or maybe ignorance - that businesses have for data security. This company was contracted, by the government of all people, to protect sensitive information, yet they made such a basic, glaring fundamental error.
If they had been using the product that I promote (the same biometric - fingerprint and password protected - USB drive that 15 UK Police forces, as well as several high profile but confidential organizations, now use), then there would be no concern over this latest loss, as the data would be totally secure.
It seems that some security minded people do actually realise the importance of keeping confidential information secure. It's just that they don't work for the government and they don't work for the companies that the government employ.
Data-loss is something that we are all becoming used to hearing on the news but it really doesn't need to be that way. In every case so far it has been because of incompetence and ignorance. Lessons, they say, are always learned but the same old mistakes keep on happening nevertheless.
I told Ms Blears when I e-mailed her that what disappointed me most was that the quote from a Mr Peter Housden that "no damage had been done, because it was not Top Secret" was simply nonsense, because every time something like this happens, it damages public confidence and there is absolutely no reason for it to happen when the correct steps are taken. I told her that his blasé statement showed a complete lack of understanding and that, in short, I would not even describe it as unprofessional but as amateurish.
Needless to say, I did not get a reply from her and she did not seem to wish to back my campaign. However, I'm not really surprised given the circumstances.
As I said before, I feel very passionate about this subject, and I now feel entitled to think of myself as a bit of an expert on the subject even though I say so myself. However, getting people to listen is another story. They all agree, but don't really want to know.
I have no idea why I have not had even the courtesy of a reply from any of the other politicians and NHS Trust executives that I have written to. It seems they simply prefer to stick their head in the sand and hope it never happens to them.
These are the people that I want to get the message across to: simply that it can and likely will happen to them at some point if they continue to ignore the issue.
Look at these facts:
July 19th 2008 - Press reports the MOD lose 658 laptops in just four years. Also 26 portable memory sticks. (Now that really is absolutely shocking.)
According to the DTI Information Security Breaches Survey 2006, only one company in seven actually encrypts data on hard disks.
In 2006, the Metropolitan Police Force area alone had 6,576 laptops lost or stolen.
Gartner research found that 22% of Flash drives are sold to enterprises. About 80 to 90 per cent of those are not encrypted and organisations know there is a problem with that.
According to the DTI Information Security Breaches Survey 2006, the vast majority of companies still rely on weak, static password security. It is worth bearing in mind that the same survey found that 60 percent of companies that allow remote access do not encrypt transmissions and as a result are more likely to have their networks penetrated.
TJX - parent company of TK Maxx - had 45 million customer records hacked in this way, even though WEP had been activated. This was the biggest loss of credit card data in history. (WEP is the wireless security standard. Currently the world record for cracking WEP, set in April 2007, stands at 3 seconds.)
Posted by: DavidEwen.co.uk 24 Aug 2008