More lost data...

What the hell are they doing? Yet more details stolen from our wonderful government. Why aren't they encryted? Why do they leave the offices? Why do they repeatably leave these laptops alone/exposed? But most of all why do they feel the need to have such databases?

Quote:

The data on the laptop stolen in Edgbaston on 9 January included passport, National Insurance and driver's licence numbers, family details and NHS numbers for about 153,000 people who applied to join the armed forces.
Banking details were also included for around 3,700 people, he said. Letters are being sent to all involved.
Ministers were informed on 14 January that the information was not encrypted. The police were called and all similar laptops were recalled within the next four days.

http://news.bbc.co.uk/1/hi/uk_politics/7199658.stm

[anna]

unbelivable... and if this was an ordinary company i wonder how many times they would be in court over this??

[the_lone_wolf]

nothing to see here, move along...

Quote:

Originally Posted by anna

unbelivable... and if this was an ordinary company i wonder how many times they would be in court over this??

The people that lost the HMRC details were a private company, but they were deemed not to be liable.

My understanding of the MOD laptop case, was that the laptop was stolen. Yes their IT policy could of been better, but again, their policy is not the fault in the system, it's the physical security for the laptop itself (are we to propose that all laptops, regardless of content, are kept 100% secure at all times - just to be sure we're OK?).

I've just had a quick look around the internet, and I find that in 2005 EDS won a contract to run the Ministry of Defence Defence Information Infrastructure. So I would assume that EDS had something to do with the laptop in question. I'm not sure if they dealt with the data storage though, and it would be silly of me to accuse them of that.

The HMRC data that was lost recently however, was enroute from an EDS office. I also know that EDS deal with HMPS IT systems and data storage. Again, I feel the need to re-iterate the point that during investigations, no fault has been found with EDS procedures.

Anna, EDS is a private limited company, part of the Atlas consortium.

I can't help but feel that these published security lapses are just a convienent slight of hand though. Give people bad news in order to hide terrible news. There is a commonality in them, but no-one is really to blame, and it gives the public at large something to complain about - let's face it, as a nation, it's something we're good at.

Where has all that debate about WOMD gone? Or the one about Iraq and soldiers pulling out? Hmm.

it's all worth it for the pathetic letter.

http://forums.sv650.org/showthread.php?t=103773

priceless
xx

Quote:

Originally Posted by Baph

I can't help but feel that these published security lapses are just a convienent slight of hand though. Give people bad news in order to hide terrible news. There is a commonality in them, but no-one is really to blame, and it gives the public at large something to complain about - let's face it, as a nation, it's something we're good at.

Where has all that debate about WOMD gone? Or the one about Iraq and soldiers pulling out? Hmm.

I do agree that the government will deliberatly cause controversy when they want to distract the public from issues they want us to forget about. But, if they wanted to distract us then showing their complete incompetance in their ability to keep data secure when they're looking to introduce ID cards seems an unlikely way of doing it.

[Lissa]

We've just completed a contract for EDS of 140 cases which are off to Afghanistan.

They may not be able to stop things being stolen, but at least they won't get broken

[anna]

Quote:

Originally Posted by Baph

The people that lost the HMRC details were a private company, but they were deemed not to be liable.

My understanding of the MOD laptop case, was that the laptop was stolen. Yes their IT policy could of been better, but again, their policy is not the fault in the system, it's the physical security for the laptop itself (are we to propose that all laptops, regardless of content, are kept 100% secure at all times - just to be sure we're OK?).
.

point taken about being a seperate company ... i stand corrected..

but to your second point .. a laptop that contains secure data of such nature should be encrypted. It's not a case of all laptops regardless of content it's a case of laptops that contain this data... yes it should be encryped and to me that is a company being incompetant if it does not secure such things and, as such liable.

Quote:

Originally Posted by anna

point taken about being a seperate company ... i stand corrected..

but to your second point .. a laptop that contains secure data of such nature should be encrypted. It's not a case of all laptops regardless of content it's a case of laptops that contain this data... yes it should be encryped and to me that is a company being incompetant if it does not secure such things and, as such liable.

I have had very close dealings with EDS in the past, in respect of their data handling procedures.

I know first hand that there is a lot wrong with the company, however, I wouldn't go so far as to accuse them of being liable. Afterall, if the laptop wasn't stolen, there would be no issue regardless of any cryptography used.

Specifically in the case of HMPS databases maintained by EDS, I know there is security on those databases, to an extent whereby if you don't have the correct software, there's no chance of you getting in. However, the software to access it is freely downloadable by all. Then you only need the password, which is (usually) stored in plain text within the data itself.

I know EDS are very careful in their wording of all their contracts. The process involves EDS recommending to their clients what they feel is suitable. Then the client either OK's it or not, and you have to bare in mind that the person giving the OK may not be a technical person in respect of computing. I also know that specifically on the HMPS contract, the equipment put in place at EDS' recommendations was not sufficient for the task. I also feel the need to emphasise the past tense on my last sentence, I don't know if this is still the case.

In the case of the MOD laptops however, it's my understanding that MOD policy is now (I don't know if it was at the time of the theft) that all data is to be securely encrypted when it is not on physically secure sites (ie, authorised personnel only). MOD staff not following this procedure are disiplined pretty severely (data released into public domain may be of higher importance than that already leaked for example).

If the above policy was in place before EDS won the MOD DII contract, and they are responsable for the data in question, then they will only claim that they recommended both hardware and software, and this was OK'd by the MOD. EDS will claim that they had no working knowledge of MOD internal procedures, and lay the blame directly at the feet of the MOD.

The anecdote in computer security goes "There is no such thing as a secure system, if an attacker has the time, resources and determination, they will gain access regardless." This is true even of the most complex cryptographic procedures the MOD have available to them. Just that by the time the data is decrypted, we'd all probably be dead. Unless it's been cracked...

[anna]

sure I understand what you are saying Baph but fundamentally a laptop is much more portable then a pc and as such data held of such delicate nature should be encryped it doesnt matter if this machine was stolen or not it should be part of their procedures and back in my insurance days covering IT based companies we would recomend this. It really doesnt matter if the machine is held in a physically secure site or not.

Having the laptop stolen has just highlighted their error.. and yes if it hadnt been stolen no one would be any the wiser that this was their practices.