UK: Raising the breach barrier, again
When HMRC (Her Majesty’s Revenue and Customs) lost personal information of nearly half the UK population, I called it “mind boggling”. I also thought that it would be the last time I’d write about data breaches. What could top that?
Never underestimate the Brits. They’ve now pushed the bar even higher.
All it took was a flash drive found in the car park of a pub, The Orbital. It had user names and the hashed passwords of accounts on the Government Gateway, which provides centralised authentication to important online services such as tax returns. Worse, the flash drive had the source code, security software, and a step-by-step guide to how the Government Gateway works. Then there is the fact that it belonged to Daniel Harrington, an IT analyst at Atos Origin, the company which manages the Government Gateway.
The flash drive was lost about two weeks ago. Daniel must have just started to believe that his prayers had been answered with the flash drive forever lost. No such luck. Tellingly, it was turned in to a newspaper (The Mail on Sunday) rather than given back to the government.
The point isn’t that the flash drive was lost. What was all that data doing on it in the first place? The Prime Minister is pointing the finger at Atos Origin, which is fingering Daniel for breaching operating procedures. Really? Sounds exactly like Chancellor Alistair Darling pointing to a junior official in the HMRC case. It really shouldn’t be so easy to evade accountability.
Why was the flash drive unencrypted? The passwords were encrypted, but throw enough resources at them and they shouldn’t be that hard to break. It’s impossible to say how many copies of the flash drive may be in circulation.
Some will use this to question the UK’s plan for a National Identity Card. Others will again proclaim the death of passwords. Yet others will cry that it’s the tip of the iceberg: who knows how many other unreported breaches of this magnitude are happening around the world? I’m sure at least a few will wonder what if it had been biometric templates.
Me, I mourn the blows to trust in government and online services all over the world. And the frightening reality that past lessons are simply being ignored, taking us ever closer to a tipping point.