Posts filed under ‘data_breach’
I thought I’d check out the fallout from the massive loss of personal information in the UK. It isn’t a pretty picture:
– Boris Johnson in the Telegraph describes it as, “In the annals of government cock-up, this is surely the single most astonishing and ludicrous episode of the past 25 years.” He goes on to say, “Alistair Darling has invented a kind of reverse National Lottery, in which the giant finger hovers over our streets. It could be you. It could be me… Invisibly, inaudibly, without so much as a whoosh or a slurp, large sums will disappear from our bank accounts.”
– The banks have contradicted Chancellor Alistair Darling’s statement that they had asked for a delay in making things public to put in place protective measures.
– Given that Prime Minister Gordon Brown ran the department at fault for a decade, the blame is being placed on a single individual rather than on systemic failures.
– Tory leader David Cameron believes that it would be “weird” and “truly bizarre” if the government continues with its plans for a national identity register. For campaigns such as NO2ID, it has become an opportunity to collect money to fight the national ID plans.
Life goes on… what could push this off as the leading story?
Try soccer: England crashing out of Euro 2008 qualifying after losing to Croatia. Henry Winter in the Telegraph puts things in perspective, “Forget the 25 million people losing their identities in the post; a whole nation lost its identity at a drenched Wembley.”
Reports of loss or thefts of personal information have now become routine enough to be not-news. It’ll take a really big one to register on people’s attention radar.
Personal details of all families in the UK with a child under 16: 25 million individuals and 7.25 million families. Personal information of nearly half the UK population. Mind boggling.
There is obviously a lot of media coverage, both within the UK and around the world. Words like debacle are being used. Perhaps the time has come when identity systems are based on an assumption that people’s personal information is not secure.
Many reports are quite rightly dismissive of Chancellor Alistair Darling’s explanation of a junior official who “had broken the rules by downloading the data to disc and sending it by unrecorded delivery.”
As the Chancellor himself pointed out, the data originally sent in March by HMRC (Her Majesty’s Revenue and Customs) to the National Audit Office was in breach of HMRC’s procedures. The data was returned to HMRC, only to be requested again in October. This time the entire database was sent by internal mail on two discs. They never got there.
The real issue goes to the heart of governance and government: trust. Questions are of course being asked about competence, why the data was sent on discs, why it was unencrypted, staff morale following re-structuring, and the culture of an organisation that allowed the said junior official to think what he did was OK.
But, those are only sideshows. The hard reality is that it is about trust and a loss of trust strikes at the very foundation of government.
At the same time, there are probably many other similar disasters waiting to happen. Hopefully, as the message is obviously not getting through, it will be another wake-up call to everyone who has a duty of care for people’s personal information all over the world.
Today’s Dominion Post’s leading headline is “NZ spies uncover cyber attacks” with the sub-heading “Department computers hacked by foreign governments, says SIS.” That made the topic of today’s post obvious.
Head of the SIS or Security Intelligence Service, aka Chief Spook, indirectly blamed China, adding NZ to a growing list of countries around the world who now name China as the cyber enemy. He talked about websites attacked, sensitive information stolen, and software surreptitiously installed.
Perhaps not so surprising was that in some cases the government departments were unaware that their computer systems had been breached.
Lots of press coverage on this, including the Prime Minister on TV news, but no one really had much more other than what the Chief Spook said. Peter Griffin in his blog speculated about “patriotic hackers” out of China while Bruce Simpson somehow even found a way to use this to attack Microsoft.
It isn’t government agencies alone that have been attacked from overseas. A recent survey published in the CIO Magazine (print edition only unfortunately) painted a similar picture of cyber attacks on private organisations.
I suspect many NZ organisations have been lulled into a false sense of complacency. Hopefully this and the coming of data breach notification guidelines will be sufficient for them to start beefing up their online security. Before it is too late.
In 2002 California mandated notification of data breaches involving personal information. The ripples of this step are still spreading across the world.
Now, it continues down the same path with the state’s Senate joining the Assembly in barring employers from requiring workers to have identification devices implanted under their skin.
Sen. Joe Simitian, who proposed the measure, says “RFID is a minor miracle, with all sorts of good uses. But we shouldn’t condone forced ‘tagging’ of humans. It’s the ultimate invasion of privacy.”
One company, VeriChip, has been licensed by the federal government and has implanted more than 2,000 people with the rice-grain-sized chips so far. Once scanned at the proper frequency, the VeriChip responds with a unique 16-digit number: amazingly, the data is unencrypted.
The company touts 24×7 patient identification as one of its major solution areas.
A counter-movement We The People Will Not Be Chipped with the logo “No VeriChip Inside” has sprung up.
Of course, chipping people will never happen in New Zealand. No, we only chip dogs. Maybe we should make an exception for old people who forget their way home? Also, perhaps for people on home detention? Also, perhaps for children at risk? Also, …
I wrote yesterday about the folly of absolutes in Australia. This provides one good reason why England’s plans for a national children database are a bad idea.
As I mentioned, the Australian Taxation Office spokeswoman admitted that government cannot make sure that it will keep taxpayer information, which it is legally required to keep confidential, safe from unauthorised employees. This is probably true across governments and across countries: insiders are the biggest security threat.
On the other hand, England is charging ahead to introduce a massive national database (ContactPoint) which will contain details of every one of the 11 million under-18 children in the country, listing their name, address and gender, as well as contact details for their GP, school and parents and other carers.
Given that 330,000 users will have access to this database, it’s not surprising that fears of misuse and unauthorised access are growing.
Tellingly, information about the children of celebrities and politicians is likely to be excluded from the system.
The database may or may not be able to achieve its aims of preventing another Victoria Climbié. Following on from the folly of absolutes, what will most certainly happen is unauthorised access. The question then is whether the resulting harm will be more than offset by the good it will do.
And, even if the net result is positive, that will be of little comfort to the children harmed.
Two stories from Australia serve as a timely reminder about the folly of thinking in absolutes.
The first one is the Australian Government’s efforts around porn filters. They proudly announced the launch of free porn filters for families at the considerable cost of AU$84 million. Imagine the government’s embarrassment when a 16-year-old schoolboy broke the filters in half an hour and an updated version in 40 minutes.
The government was forced to declare that, “… the government has always maintained, no filter is foolproof.” Right, now that’s backing away from absolutes.
The second story comes from the Australian Taxation Office (ATO). Investigations showed that 27 staff had gained unauthorised access to personal tax records in 2006. Now, a dozen people have been sacked or resigned after being caught doing the same thing.
An ATO spokeswoman said, “While no level of unauthorised access is acceptable, in an organisation of about 22,000 people it is inevitable that a very small number of people will be tempted to do the wrong thing.”
“Inevitable” is a way of saying that government cannot absolutely make sure that it will keep taxpayer information, which it is legally required to keep confidential, safe from unauthorised employees.
It’s realistic not to set up expectations of absolutes.
On another note, this re-emphasises a security truism: the biggest threat to privacy and the protection of personal information comes from the inside, while the popular notion of security is about keeping the bad guys out.
Clearly timed to start the Privacy Awareness week with a bang, the guidelines are modelled on the Canadian ones (pdf, 253 KB).
The guidelines are “harm based” and leave it to organisations to make their own assessment and decisions about key aspects including which breaches require customers to be notified. They recommend that agencies ask the following questions to determine if notification is required:
- What personal information was released or otherwise compromised?
- How sensitive is the information?
- What is the context (nature) of the personal information?
- Is the personal information adequately encrypted, anonymised, or otherwise inaccessible?
- How can the personal information be used?
- Who received the personal information?
- Will notification assist the affected individuals to mitigate harmful consequences?
All of this sounds sensible but the fact remains that they will be voluntary guidelines. How effective is that going to be? We’ll have to wait and see once the guidelines come into effect at the end of the year.
My guess is that they will be ineffective… and will become mandatory sooner rather than later. After all, most organisations when faced with a choice of burying an embarrassment with the help of legal eagles or coming clean in public are going to make the obvious choice.
The answer is to give them no choice.