Wednesday, November 21, 2007

Is this just the beginning of more security breaches going public?

Fraser Nelson over at the Coffee House has hit the nail on the head it seems. The Government just don't seem to get how serious this failure in security with our data has been. Working in the IT industry I have spoken to quite a few people today about it, and amongst the incredulous reactions to such incompetence there have also been stories from others who have worked on, or know people that have worked in Government.

I think this big bang of a story could just be the beginning. Over the coming days and possibly weeks I will not be the least bit surprised if we hear of other security breaches, bad practice and other systems that have design flaws. We should not forget that it is not just central Government that holds our data. Local authorities hold, for example, bank details for Council Tax reasons. Marked electoral registers, the Land Registry, the tax credit system, local authority benefit systems, there are numerous localised systems out there where problems could be going on too.

Frankly, the level and complexity of the IT infrastructure in the country that contains data on our lives, and the manner in which it is held and managed, are all potential ticking timebombs. If central Government can be so lax with 25 million records, what's the likelihood that a temp in your local Council office isn't equally cavalier?

11 comments:

Anonymous said...

Dizzy

You are obviously au fait (that's Welsh for shit hot) re IT issues so could you give your considered view to the following.

Should this/these discs 'turn up' in the next few weeks whether from Police searches or being found behind the radiator by the mail company what information should it contain about when it was produced (date/machine etc etc) in order that we can be reassured that it is the real one and not another one made up to try and cover/reduce damage of this sorry episode.

Also, would we be able to tell if it has been reproduced in any way whilst 'missing'

Gwil ap Tomos

dizzy said...

Good question. Frankly, bugger all in terms of knowing it is the disc. They could make another and fake timestamps etc, or they could just say it is the disc. There is no way really you could be sure. The question would be "how many people would you let know, and could you trust them not to blow the whistle".

As for the second one, you probably couldn't know, although, if it is found in a case and not in the envelope then it would mean someone had opened it right. Mind you, what's to stop someone opening something and then resealing it during a "successful" transfer with TNT?

In my mind I would say that you have to assume that the data has been copied because you cannot prove that it hasn't. This is simply because it's been sent through the postal system and been handled by god knows who.

Anonymous said...

There is also the possibility that they never existed in the first place. The ‘they must have been lost in the post’ ploy could have been used to cover up that the muppet couldn’t be arsed to create them when originally requested.

Either way, you are right - the government have no understanding how bad and widespread this is.

We must also take into consideration what is going on with overseas outsourcing too.

Anonymous said...

The point is, everyone in the country, in fact almost everyone in Europe, in fact almost everyone in the western world, now knows that these disks/details are out there.

That includes a lot of dishonest/dodgy people.

There is a well known internet black market for this kind of information, and information of this nature on 25 million people is worth a lot of money.

So even if the disks 'turned up' right this second, there is NO WAY to know that the data on them has not been compromised already (copied, and originals replaced).

All Darling was saying when he said "there is no evidence that this has fallen into the wrong hands" is that this data is not yet for sale in this black market (which is obviously monitored by the powers that be) - however once this data is out, it is out, and it doesn't really matter if the person who sold it on gets caught, if hundreds of ID fraudsters buy big chunks of this data.

Zorro
--

Anonymous said...

Dizzy

May I tap into your expertise too?

Firstly, what size do you think the data would be approximately - I suspect not as big as 25million records would make most think?

Secondly, how do we explain the suggestion that the provider of the information didn't have the time to anonymise or otherwise exclude data fields that the NAO hadn't requested - but just sent the whole database instead?

Surely the data resides in a relational database and would have required someone to perform a query to extract and join the data into a table that could be sent to the NAO. So, the query would actually have been quicker to write and then run the less fields that were included.

Or, might it be that the data was already sitting around in a file that had been prepared for some other purpose and it was just easier to send this. That would explain why a 'junior' official had access. They weren't going into the production database but were copying data that someone else had extracted previously.

Let's see whether the PWC enquiry gets to the bottom of any of this.

SP

Shug Niggurath said...

Personally I think this is probably the biggest failure of a government department I have ever heard of.

We can never trust government with any of our data ever again. Never mind ID cards - although that's a huge issue now - medical records, local government, tax records, benefit records and every single item the government holds on us is potentially open to abuse.

Bear in mind that these are the same two disks that were lost two weeks ago and we were told it was only a few thousand records - which was bad enough. This turns out to have been the standard practice in government - lie and hope everything is OK.

I personally think we were told about the lost disks two weeks ago, in the hope they would have turned up by now - so they took that risk with this information and have now hit a point where they had no choice other than to tell us.

Seriously, we need to push for a vote of no confidence in Brown, and failing that organise protest that he's now clinging on to power while being so cavalier with the systems.

I for one am furious.

Anonymous said...

Thanks for that, Dizzy, and others. I rather thought there might not be a damage limitation angle of a 'recovery' of the disc. I'll tell Al when I meet him later.

Gwil ap Tomos

flashgordonnz said...

1 employee has been sacked and 19 disciplined after accessing medical records of celebs in public hospital.

www.nzherald.co.nz/index.cfm?objectid=10477269

Want to know who's got an STD? Boob job gone wrong? Miscarriage? Maybe the newspapers pay for this info. Useful supplement to junior doctor salary?

dizzy said...

To the anon (and probably sql monkey) asking for my advice! :)

what size do you think the data would be approximately - I suspect not as big as 25million records would make most think?

Depends on the block size on the OS for a start. These are horribly dirty calculations but if we assume that each row is 1k and we have 1k block size, then that's what? (25m \ 1024) \ 1024 to get the number of Gigs? That's about 24Gigs then add 90% compression in? So what's that 3 Gig (ish)? Now obviously one row is probably not going to be 1K by any stretch of the imagination, so that would explain why it can fit on a CD.

Regarding your other point it's certainly valid, and perfectly possible. You then of course have the question, why was that data available to this person (who has been reported as a "computer expert" this evening) to burn? Was it on a file share? Why was it ever extracted etc etc.

The whole thing sounds like one giant clusterfuck, that's for sure.

Anonymous said...

More public sector security breaches? One very good thing to keep an eye on would be stories about the Armed Forces Joint Personnel Administration (JPA) system, which deals with their pay and allowances.

It's clearly not fit for purpose, but users say it's not secure either - no https for one thing.

See here:
http://www.pprune.org/forums/showthread.php?t=219026

Here:
http://www.pprune.org/forums/showthread.php?t=295923

And also here (which shows what happens when someone had the brass balls to nominate the evident clusterf**k for an IT award) - 37 pages of bile!:
http://www.computing.co.uk/articles/comments/2199039

Anonymous said...

Did you see the rather worrying Guardian piece this morning http://politics.guardian.co.uk/economics/story/0,,2215025,00.html

Hidden away in the middle is a story of a fraud lawyer who regularly received material on disc from HMRC with either no password or (if it had a password) the password scrawled on the disc. This seems to have been lost in the fuss, but I thought you'd be interested. I excerpted the relevant bits of the article at my LJ this morning.