UK: Raising the breach barrier, again

November 3, 2008 at 11:17 pm 1 comment

When HMRC (Her Majesty’s Revenue and Customs) lost personal information of nearly half the UK population, I called it “mind boggling”. I also thought that it would be the last time I’d write about data breaches. What could top that?

Never underestimate the Brits. They’ve now pushed the bar even higher.

All it took was a flash drive found in the car park of a pub, The Orbital. It held user names and hashed passwords for Government Gateway accounts; the Gateway provides centralised authentication to important online services such as tax returns. Worse, the flash drive also held the source code, security software and a step-by-step guide to how the Government Gateway works. And it belonged to Daniel Harrington, an IT analyst at Atos Origin, the company that manages the Government Gateway.

The flash drive was lost about two weeks ago. Daniel must have just started to believe that his prayers had been answered, with the flash drive lost forever. No such luck. Tellingly, it was turned in to a newspaper (The Mail on Sunday) rather than given back to the government.

The point isn’t that the flash drive was lost. What was all that data doing on it in the first place? The Prime Minister is pointing the finger at Atos Origin which is fingering Daniel for breaching operating procedures. Really? Sounds exactly like Chancellor Alistair Darling pointing to a junior official in the HMRC case. It really shouldn’t be so easy to evade accountability.

Why was the flash drive unencrypted? The passwords were hashed rather than stored in the clear, but a hash on a drive in the wrong hands can be attacked offline at leisure: throw enough computing resources at it and, unless the hashing was slow and salted, it shouldn't be that hard to recover a large share of them. It's impossible to say how many copies of the flash drive's contents may be in circulation.
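To make the "throw enough resources at it" point concrete, here is an added example that is not from the original post. It simulates an attacker who has a copy of the drive and runs an offline dictionary attack. The article does not say which hash function the Government Gateway used, so the unsalted SHA-1 store, the user names, the passwords and the word list below are all constructed assumptions for illustration. The second half shows the same attack against a per-user salted, iterated PBKDF2 store, counting how many hash computations each attack needs: with unsalted hashes one guess is checked against every account at once, whereas unique salts force the attacker to redo every guess for every account, and a slow KDF makes each of those guesses expensive.

```python
import hashlib
import os

# Constructed sample data for this example (assumption, not data from the real
# breach): three accounts and a tiny attacker word list.
PASSWORDS = {"alice": "password1", "bob": "letmein", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "football"]


def sha1_hex(password: str) -> str:
    """Fast, unsalted hash: the ASSUMED weak storage format on the drive."""
    return hashlib.sha1(password.encode()).hexdigest()


def leaked_unsalted() -> dict:
    """What an attacker reads off the drive if passwords are unsalted SHA-1."""
    return {user: sha1_hex(pw) for user, pw in PASSWORDS.items()}


def crack_unsalted(records: dict, wordlist) -> tuple:
    """Offline dictionary attack against unsalted hashes.

    Each guess is hashed once and looked up against every account, so the
    work is len(wordlist) regardless of how many accounts leaked.
    Returns (recovered_passwords, number_of_hash_computations).
    """
    by_hash = {}
    for user, digest in records.items():
        by_hash.setdefault(digest, []).append(user)
    recovered, work = {}, 0
    for guess in wordlist:
        work += 1
        for user in by_hash.get(sha1_hex(guess), []):
            recovered[user] = guess
    return recovered, work


def leaked_salted(iterations: int = 50_000) -> dict:
    """Same accounts stored with a random per-user salt and PBKDF2-HMAC-SHA256."""
    store = {}
    for user, pw in PASSWORDS.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[user] = (salt, iterations, dk)
    return store


def crack_salted(records: dict, wordlist) -> tuple:
    """Same dictionary attack against the salted, iterated store.

    Unique salts mean no guess can be shared between accounts, and every
    guess costs `iterations` HMAC calls instead of one SHA-1.
    Returns (recovered_passwords, number_of_KDF_computations).
    """
    recovered, work = {}, 0
    for user, (salt, iters, dk) in records.items():
        for guess in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iters) == dk:
                recovered[user] = guess
                break
    return recovered, work


if __name__ == "__main__":
    found, cost = crack_unsalted(leaked_unsalted(), WORDLIST)
    print(f"unsalted SHA-1: recovered {found} with {cost} hash computations")
    found, cost = crack_salted(leaked_salted(), WORDLIST)
    print(f"salted PBKDF2 : recovered {found} with {cost} KDF computations, "
          f"each {50_000}x the cost of one SHA-1")
```

Both attacks recover the two weak passwords, which is the real lesson: hashing protects only as much as the users' password choices and the hash's cost allow. The difference is in the price per guess. Against the unsalted store six hash computations cover all three accounts; against the salted store the same word list costs thirteen PBKDF2 derivations, each tens of thousands of times slower, and that multiplier grows with every additional leaked account. None of this helps if the drive itself is not encrypted, which is the point of the paragraph above: the hashes should never have been readable in the first place.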

Some will use this to question the UK’s plan for a National Identity Card. Others will again proclaim the death of passwords. Yet others will cry that it’s the tip of the iceberg: who knows how many other unreported breaches of this magnitude are happening around the world? I’m sure at least a few will wonder what if it had been biometric templates.

Me, I mourn the blows to trust in government and online services all over the world. And the frightening reality that past lessons are simply being ignored, taking us ever closer to a tipping point.

Entry filed under: 2FA, authentication, biometrics, data_breach, government, personal_info, privacy, security, trust, UK.


1 Comment

  • 1. Stop it Now!  |  November 4, 2008 at 5:19 am

    The fact that anyone has the authority to download this much information is in itself open to question. It is true that people like myself will question the ability of any government to gather even more information when they cannot secure what they have. So far, these breaches of security seem to have passed without major incident, but that is more luck than judgment; what will we be saying when this type of information does get into the wrong hands? It seems to me we are more at risk from our own government than we are from the risks they keep using to justify holding the level of information on us that they do.


