Thursday, May 08, 2008

*** DWP staff breach data security rules ***

I've just been forwarded a copy of a rather interesting email that appears to have been sent by a Security Advisor at the Department for Work and Pensions to staff, reminding them of the security policies around the transfer of public data of a sensitive nature. It appears, as the email states, that some people at DWP are complete morons (emphasis mine).

Following the HMRC incident last November, increased security measures have been put in place for dealing with data transfers both clerically and electronically.

All staff should be aware of Security Notices 02/07 and 03/07 that were issued by the Departmental Security Team in December. This guidance covers data transfers and use of courier services. Information in these notices should be adhered to, in order for us to protect our customer information and the integrity of the Departments’ Security practices.

I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07. However, once the data and the separate password are received, staff are then forwarding the data and password on together, this defeats the purpose of the security measure entirely.

Could I ask you to remind staff of the heightened security surrounding data transfer and ensure that data and passwords are sent separately.

Idiots, morons, fools, etc etc. Don't worry about ID cards though. It will be impossible to hack!

13 comments:

Carlos said...

Hmm. Now I work in a sensitive environment when it comes to data protection. If I, or any of my staff were found to have breached the DPA as often as this "civil" service under Labour has, I would be sacked. My staff would be sacked and the company would be fined a bucketload of cash, all of which would go to, oh yes, the "civil" service and government.


Surely someone could bring some kind of prosecution?

Benedict White said...

Who cares if they send the password with the disk of data? It is now irrelevant. Odds are that if I were serious I could either find someone who had built rainbow tables already or just hook up a few PCs with dual butt kicking Nvidia cards and calculate some of my own.

If I have physical access to the disk the data is mine, all mine and I really do not care what pr1ck insists that the encryption is secure. It isn't if I have the disk.

The answer is, of course that this data should never leave where it is at least fairly secure and if someone wants access then that can be granted, but in ways that transfer no data.

Chris Paul said...

Seems reassuring that they are following through and insisting on more care. These workers are not all as bright as you Dizzy. Some need reminding.

The reminder is very badly drafted but that's a different issue.

dreamingspire said...

Re the 'send the Transport Minister a birthday card' plea that appears at the bottom of the DWP post: has she been replaced by another Ruth Kelly? The plea shows a lady with short dark hair (as I remember from the Blair century), but last Friday on Newsnight a younger looking lady with long fair big hair appeared as Aunty Ruth. Perhaps she is a job share? Or, as she appeared crumpled in the chair on Friday, is she a ventriloquist's dummy?

lettersfromatory said...

Bloody hell. Surely breaching these rules is a sackable offence?

John Trenchard said...

I can tell you for a FACT that if you did that in the big corporate I.T. sector, you would be hung, drawn, quartered and booted out pronto. And maybe even blacklisted for good measure.

Anonymous said...

Chris Paul is such an utter, utter knob. And he's such a prolific knob Blogger should have a Chris Paul filter built in. On the other hand every time he posts I suppose it's another 3 or 4 votes for the Tories in the bag.

Bill Quango MP said...

lettersfromatory said...

Bloody hell. Surely breaching these rules is a sackable offence?

It's the Government. There are no sackable offences... only golden early pensions.

Hence the tone of the letter;
"All staff should be aware of Security Notices 02/07 and 03/07"
and
"Could I ask you to remind staff of"

And the same in private sector language..
"You were told once already. If you need a reminder again I will send it stapled to your P45, which will be stapled to your forehead."
and
"If you can't do a simple bloody task like this then you are no use to me, the board, your line managers, your colleagues, the business world or the Bulgarian cleaning staff. You're fired! Now get out."

Mark C said...

Chris Paul said
"Seems reassuring that they are following through and insisting on more care. These workers are not all as bright as you Dizzy. Some need reminding."

They're sending the password along with data in a single packet; this is like keeping your pin number in your wallet/purse along with your cards. How stupid do you have to be to be reminded not to do this?

Anonymous said...

Thought this might be of interest:-

http://www.vote4metcalfe.com/DataProt.html

More must be done to protect our data!

People claiming Social Security Benefits in Essex are seriously at risk of having their confidential details ending up in the hands of identity fraudsters because of a systemic security failure that is probably endemic across Government Departments up and down the country claims Stephen Metcalfe, Prospective Conservative Member of Parliament for South Basildon & East Thurrock.

Stephen Metcalfe explained: “Local Councils have direct computer access to social security records to prevent and detect fraud when processing Housing benefit and Council Tax benefit claims. When the computer link isn’t working the Benefits Agency at Basildon will post, by recorded delivery, a computer disc containing highly confidential records of people claiming Social Security benefits, their full names and addresses, dates of birth, national insurance numbers and type of benefit they are claiming.”

“The loss of 2 discs containing child benefit details of 25 million people was not a one off incident; it would appear to be a systemic security failure endemic amongst Government Departments to post computer discs containing vast amounts of private and confidential data through the post. Benefits Agency offices up and down the country could be posting hundreds, if not thousands of these discs to councils every year.”

“The Benefits Agency carries out no security checks to ensure that these discs are destroyed after they have been used for the purpose intended. The discs could end up forgotten and gathering dust in a council filing cabinet or desk drawer. Nobody would know if they went missing and fell into the wrong hands.”

Stephen Metcalfe added, “It makes a mockery of the Data Protection Act. It’s a serious breach in security and a weak link in keeping peoples details confidential”

Posted 22/11/07

Dave H. said...

I love 'I have been advised of instances...as detailed in Security Notice...'

Could be re-written 'I have examples of staff following data security procedures.' How reassuring.

Does he have to soften the blow of light criticism by starting on a note of praise? What a joke. There wasn't even a mention of negative consequences if they continue to break the rules. You'd think some threat of disciplinary action might encourage compliance.

And this is after the 'increased security measures'.

Glad to see you here, Chris. You never fail to shine.

SJK said...

With the current call centre method of claiming all benefits, there are thousands of printouts of people's benefit claims being couriered/posted all over the country.

Customer makes the claim over the phone. This is then printed and sent to the customer to check. It has name, address, national insurance number, where they work, where they have worked etc... pretty much all the information one would need to steal somebody's identity. It was not uncommon for these to go missing. Even when they have been checked by the customer, they then have to take it to their local Jobcentre for the next stage of processing, after which it will, once again, be sent via courier to the actual Benefits Processing Centre, which could be, depending on where you live, the other side of the country.

Also on the current online payslips for members of staff, all the information is there also: name, address, national insurance number, bank details.

I am sure it will be more "robust" when they bring out the ID cards though.

Anonymous said...

DPA is all rubbish even if someone has acted irresponsibly there is no way of getting justice, the DPA is only a suggested framework the only legal requirement is for people to pay the Government if they collect data that is able to identify an individual, it's all rules and equipment that so-called professionals don't understand and really why should they as there is no repercussion for the data controller, this government need to fix-up and go back to using slate and chisels, 1 disk worth of data will then become 20 tons slate imagine some tosspot trying to run off with that...........

This Government think they're clever now but once my child is older and not supported by me I'm gonna make it my mission to create an event similar to the storming of the Bastille in France some years ago, us peasants as they see us deserve more more more & more... poxy people get me all mad... NAT O.