So, the Government has managed to lose a USB stick containing the details of tens of thousands of criminals.
We should not focus on the fact that this is the data of criminals - that will be of little concern to many - but instead look at what’s happened here in terms of data protection. Once again it has been possible to copy records en masse, save them to removable media unencrypted and walk out with them.
This time it was a USB key, but in the past it has been CD Roms. Discs have been lost containing the data of 4 million people, of 25 million people and there have been many other cases.
This does not breed confidence in the future security of the ID database - a massive bonanza for identity theft if it got into the wrong hands.
It simply should not be possible to export large amounts of data without a high clearance…. and such clearance should only be given to people who have been drilled until their ears bleed about safeguarding that data. In particular, if on usb, it is attached to a lanyard and doesn’t leave your neck until it is wiped. Even then, the data should not be on any removable media unless encrypted (and this should be automatic to prevent the human-error factor).
More to the point, if the data has to be moved from A to B, what is the problem with an encrypted ssh tunnel from one system straight to the other? What’s wrong with ‘dropping’ fields which are not needed at the receiving end before sending?
These data losses indicate a massive systemic failure in the design of government systems, a carelessness with the data with which they’re entrusted, and a laissez-faire attitude at the highest levels. Just as the loss of the child benefit discs was not the fault one one low-level civil servant, this should not be pinned on the unfortunate who dropped the usb stick (though they should know better). This should be viewed as a failure of design - people should not have been able to do this, even if they were trying to be malicious.
It’s just another case which demonstrates the flaws behind the concept of an ID card database, which if ever compromised would be the biggest boon to identity theft ever seen.
All Posts
One Comment
I can’t blink without the government doing something bloody stupid with data. Duh, Gov-peeps, it was portable media for crying out loud! Therefore it can be transported away. Surely your level one defense is a 512 bit encryption at the very least, ideally with a 80 character key and non standard extraction software.
What are they thinking? I fear they are not thinking at all.