UK: Raising the breach barrier, again

When HMRC (Her Majesty’s Revenue and Customs) lost personal information of nearly half the UK population, I called it “mind boggling”. I also thought that it would be the last time I’d write about data breaches. What could top that?

Never underestimate the Brits. They’ve now pushed the bar even higher.

All it took was a flash drive found in the car park of a pub, The Orbital. It had user names and the hashed passwords of Government Gateway accounts, which provides centralised authentication to important online services such as tax returns. Worse, the flash drive had the source code, security software, and a step-by-step guide to how the Government Gateway works. And, the fact that it belonged to Daniel Harrington, an IT analyst at Atos Origin, the company which manages the Government Gateway.

The flash drive was lost about two weeks ago. Daniel must have just started to believe that his prayers had been answered with the flash drive forever lost. No such luck. Tellingly, it was turned into a newspaper (The Mail on Sunday) rather than given back to the government.

The point isn’t that the flash drive was lost. What was all that data doing on it in the first place? The Prime Minister is pointing the finger at Atos Origin which is fingering Daniel for breaching operating procedures. Really? Sounds exactly like Chancellor Alistair Darling pointing to a junior official in the HMRC case. It really shouldn’t be so easy to evade accountability.

Why was the flash drive unencrypted? The passwords were encrypted but, throw enough resources at it, and it shouldn’t be that hard to break. It’s impossible to say how many copies of the flash drive may be in circulation.

Some will use this to question the UK’s plan for a National Identity Card. Others will again proclaim the death of passwords. Yet others will cry that it’s the tip of the iceberg- who knows how many other unreported breaches of this magnitude are happening around the world? I’m sure at least a few will wonder what if it had been biometric templates.

Me, I mourn the blows to trust in government and online services all over the world. And the frightening reality that past lessons are simply being ignored, taking us ever closer to a tipping point.

NZ: Data breach guidelines here

Following several months of consultation on the August 2007 draft data breach notification guidelines, the Privacy Commissioner has now released a final version of the voluntary guidelines accompanied by an information paper.

The guidelines consist of two documents- Key Steps for Agencies in Responding to Privacy Breaches and a Privacy Breach Checklist.

In announcing the launch of the guidelines, Privacy Commissioner Marie Shroff says there is “a good case to require agencies by law to notify customers where a security breach puts those customers at risk…The voluntary guidelines are not inconsistent with New Zealand moving in due course to make breach notification mandatory.”

The Privacy Commissioner will give the voluntary guidelines 18-24 months before deciding if mandatory rules are needed, using her own statutory powers or the Law Commission taking it up as a part of its current review of privacy laws.

The guidelines note that “agencies have duties to safeguard personal information under information privacy principle 5, and are encouraged to follow the guidance.” Guidance on four stages for managing a privacy breach has been described:

1. Containing the breach and preliminary assessment;
2. Evaluating the risks;
3. Considering or undertaking notification; and
4. Putting in place future prevention strategies.

The guidelines remain “harm based” and a critical part is an assessment of the foreseeable harm to the individuals, agencies, and general public. Direct notification to affected individuals is preferred over indirect means such as via a website or media. While “Agencies are encouraged to report material privacy breaches to the Office of the Privacy Commissioner” the guidelines are silent on what constitutes a material privacy breach.

Now that the guidelines are here, it is sensible for government agencies and businesses to proactively conduct a security audit and put into place contingency plans to deal with any breaches that may occur.

And, it is worth remembering, that the source of many security incidents are internal so a parallel review of policies and processes (including offsite backup or transportation of customer information) is a good idea.

NZ: update on data breach law

Back in August 2007, I had called the draft voluntary guidelines regarding data breach notifications as “quick and light.” The Dominion Post/Stuff website today says following public consultation the Privacy Commissioner will give the guidelines 18 months to two years to take effect before deciding whether mandatory rules are required.

Lessons from other countries as well as “how businesses and government agencies abide by the guidelines” will be taken into account to determine if the guidelines become mandatory.

The Privacy Commissioner is further quoted as saying, “Our research has definitely shown there are downsides to mandatory guidelines as well as to voluntary guidelines. Mandatory guidelines always become somewhat rigid.”

The comments Stephen Revill made in the original post are still relevant. He thought that “The criteria used to provide guidance as to what a “material” privacy breach is, can be best described as “fuzzy”….If there are no clear rules, no clear incentives to comply and no way to measure how far the guidelines are being adhered to, then the law makers will be not be in any better position when it comes time to decide whether a security breach notification law is needed.”

Hopefully this will be addressed over the next few weeks as the guidelines are finalised.

My personal opinion remains the same. I don’t think the level of data breaches in NZ is too high and that the actual consequent misuse rate is very low. However, I favour mandatory disclosure to the Office of Privacy Commissioner so that the actual size of the problem is clear, there is no wiggle room from discretion, and there is sufficient incentive for organisations to up their security of personal information they hold.

ID theft from security breaches

How much identity fraud or theft actually comes from breaches involving the disclosure of personal identity information?

This is an important question because of increased publicity around high profile breaches. The fiasco in UK involving 25 million records is an obvious one but also, according to Privacy Rights Clearinghouse, over the past three years there were about 217 million known records containing sensitive personal information involved in security breaches in the US.

The question is also important given the moves to introduce guidelines or laws for data breach notifications, in both New Zealand and Australia.

There isn’t a lot of hard data to go by. That makes the recent study by US firm ID Analytics interesting.

The study looked at over a dozen data breaches involving more than ten million consumer identities. ID Analytics found five separate cases where breached identity data was misused by fraudsters, with two of those cases resulting from employee theft of data.

Very few identities were misused following a data breach.

Smaller breaches had a higher misuse rate than larger breaches. Misuse of personal data ranged from 1 in 200 identities for breaches of fewer than 5,000 individuals to a misuse rate of less than 1 in 10,000 identities for breaches of more than 100,000 individuals. So, data breaches that get major press coverage, generally falling in the latter category, have a misuse rate of under 0.01%.

Therefore, there is some evidence that identity fraud or theft that actually comes from breaches involving the disclosure of personal identity information is quite low. A greater danger comes from internal breaches than external ones.

Hopefully, this will inform a rational debate on the nature of public disclosure for data breaches.

Et tu, Passport Canada?

Even though I have no connection with Passport Canada, for some reason I’m feeling terribly let down by them.

My disappointment may stem from an agency making an elementary security mistake and, rather than fixing the problem, repeating it and looking foolish.

Or, it might be that it is incidents like these that collectively undermine trust people have in dealing with government agencies online.

Sigh…government agencies dealing with sensitive personal information simply have to do better.

What happened? According to Globe and Mail, a security flaw in their website allowed passport applicants to view the personal details (including social insurance number, date of birth, address, driver’s licence number, and gun ownership) of other applicants by simply changing one character in the URL displayed in the address bar. A very, very basic mistake and, worse, evidence of appalling testing.

The site was taken down but when it was put up again, a few key strokes were still all it took to reveal personal information. All the while, Passport Canada was in a public denial mode.

Their website says about Web Security that “Passport Canada is taking the measures necessary to protect the confidentiality of the personal information you provide and to ensure that your electronic transactions with us are secure.”

The problem is, when fine words don’t match reality, public cynicism results. And that hurts.

EC report: New trust pact required

Frank Wilson has authored the latest in a series of Think Papers for the European Commission entitled “Trust and Identity in Interactive Services: Technical and Societal Challenges” (PDF).

In this Paper, he says “… our governments and citizens must together develop an agreement on the acceptable ways of gathering, storing and using data about citizens within a secure electronic service environment.”

“The future of electronic service provision in all European societies relies on development of a citizen-centred European trust network to underpin and facilitate the many secure electronic service networks under development at present.”

I interpret this in two ways.

First, that data breaches of government-held personal information, such as that in the UK recently, undermine the basic trust relationship between government and people. As I mentioned in my first post on this topic, “The real issue goes to the heart of governance and government: trust… The hard reality is that it is about trust and a loss of trust strikes at the very foundation of government.”

Secondly, if the trust fabric is strong, people and government can both benefit substantially from richer user-centric online services that require an identity backbone. The trust pact ensures that a framework that protects privacy and offers user-control is in place, i.e. a framework that both reflects and enhances the trust relationship. Without such a trust relationship, efforts in building a user-centric identity or information metasystem that involves the government as an Identity Provider is inherently flawed.

How, then, should the trust relationship be built and nurtured? The Think Paper offers a somewhat simplistic view on that vital question by recommending “achieving a balance between the need to hold data and the duty to use it and protect it responsibly.” Hopefully, a future Think Paper will do more justice to this critical question.

Placing data in silos

Talk about timing.

Just hours before UK’s Chancellor Alistair Darling revealed to MPs the loss of 25 million personal records, Government CIO John Suffolk gave a blunt warning about the danger of creating more giant government databases. He said, “To put more eggs in single basket is a foolhardy approach. The best way to protect data is to say: this data is for specific purpose, put protection around [it].”

He went on to say, “There is a balance to be struck. It’s nonsense to assume or even think about a central database or central clearing house.”

As Kim Cameron said in his blog post, “To me this is the equivalent of assembling a vast pile of dynamite in the middle of a city on the assumption that excellent procedures would therefore be put in place, so no one would ever set it off.”

“There is no need to store all of society’s dynamite in one place, and no need to run the risk of the colossal explosion that an error in procedure might produce.”

In my first post about the data loss, I mused, “Perhaps the time has come when identity systems are based on an assumption that peoples’ personal information is not secure.” On the same lines, Kim said “the information that is the subject of HMRC’s identity catastrophe should have been partitioned – broken up both in terms of the number of records and the information components… no official (A.K.A insider) should ever have been able to get at enough of it that a significant breach could occur.”

That got me to do a mental check about the online identity and authentication systems being put into place in New Zealand. Though the service is presented to people as a single, integrated service (igovt), under the hood there are two separate services (Government Logon Service and Identity Verification Service) run by two separate government agencies with two separate databases.

This ensures that in the unlikely event that a breach does occur, even then no single database has all the information. The check provides a measure of confidence that the NZ services are designed right from a breach perspective.

Lose data, lose trust 2

I thought I’d check out the fallout from the massive loss of personal information in UK. It isn’t a pretty picture:

- Boris Johnson in the Telegraph describes it as, “In the annals of government cock-up, this is surely the single most astonishing and ludicrous episode of the past 25 years.” He goes on to say, “Alistair Darling has invented a kind of reverse National Lottery, in which the giant finger hovers over our streets. It could be you. It could be me… Invisibly, inaudibly, without so much as a whoosh or a slurp, large sums will disappear from our bank accounts.”

- The banks have contradicted Chancellor Alistair Darling’s statement that they had asked for a delay in making things public to put in place protective measures.

- Given that Prime Minister Gordon Brown had run the department at fault for a decade means that the blame is being placed on a single individual rather than systemic failures.

- Tory leader David Cameron believes that it would be “weird” and “truly bizarre” if the government continues with its plans for a national identity register. For campaigns such as NO2ID, it has become an opportunity to collect money to fight the national ID plans.

Life goes on… what could push this off as the leading story?

Try soccer: England crashing out of qualifying for Euro 2008 by Croatia. Henry Winter in the Telegraph puts things in perspective, “Forget the 25 million people losing their identities in the post; a whole nation lost its identity at a drenched Wembley.”

Lose data, lose trust

Reports of loss or thefts of personal information have now become routine enough to be not-news. It’ll take a really big one to register on people’s attention radar.

This is the one.

Personal details of all families in the UK with a child under 16: 25 million individuals and 7.25 million families. Personal information of nearly half the UK population. Mind boggling.

There is obviously a lot of media coverage, both within the UK and around the world. Words like debacle are being used. Perhaps the time has come when identity systems are based on an assumption that peoples’ personal information is not secure.

Many reports are quite rightly dismissive of Chancellor Alistair Darling’s explanation of a junior official who “had broken the rules by downloading the data to disc and sending it by unrecorded delivery.”

As the Chancellor himself pointed out, the data originally sent in March by HMRC (Her Majesty’s Revenue and Customs) to the National Audit Office was in breach of HMRC’s procedures. The data was returned to HMRC, only to be requested again in October. This time the entire database was sent by internal mail on two discs. They never got there.

The real issue goes to the heart of governance and government: trust. Questions are of course being asked about competence, why the data was sent on discs, why it was unencrypted, staff morale following re-structuring, and the culture of an organisation that allowed the said junior official to think what he did was OK.

But, those are only sideshows. The hard reality is that it is about trust and a loss of trust strikes at the very foundation of government.

At the same time, there are probably many other similar disasters waiting to happen. Hopefully, as the message is obviously not getting through, it will be another wake-up call to everyone who has a duty of care for peoples’ personal information all over the world.

Cyber attacks on NZ

Today’s Dominion Post’s leading headline is “NZ spies uncover cyber attacks” with the sub-heading “Department computers hacked by foreign governments, says SIS.” That made the topic of today’s post obvious.

Head of the SIS or Security Intelligence Service, aka Chief Spook, indirectly blamed China, adding NZ to a growing list of countries around the world who now name China as the cyber enemy. He talked about websites attacked, sensitive information stolen, and software surreptitiously installed.

Perhaps not so surprising was that in some cases the government departments were unaware that their computer systems had been breached.

Lots of press coverage on this, including the Prime Minister on TV news, but no one really had much more other than what the Chief Spook said. Peter Griffin in his blog speculated about “patriotic hackers” out of China while Bruce Simpson somehow even found a way to use this to attack Microsoft.

It isn’t government agencies alone that have been attacked from overseas. A recent survey published in the CIO Magazine (print edition only unfortunately) painted a similar picture of cyber attacks on private organisations.

I suspect many NZ organisations have been lulled into a false sense of complacency. Hopefully this and the coming of data breach notification guidelines will be sufficient for them to start beefing up their online security. Before it is too late.