« Thousands of Mobile Phones seized in UK Prisons - evidence of corruption ? | Main | Terrorism Act 2000 amended, with new offences, with prison penalties - by Order - no proper Parliamentary scrutiny »

Data privacy and security breaches still continuing despite the HMRC scandal publicity

Another week, and there is still no sign of the missing unencrypted CDs containing personal details of 25 million people, which were lost by Her Majesty's Revenue and Customs (HMRC).

It is clear that even the massive publicity over the HMRC affair has still not had any effect on the culture of incompetence, which has infected public sector organisations, who are continuing to betray their duty of trust and confidentiality when dealing with people's data , the protection of which they merely pay lip service to e.g. The Scotsman summarises::

First, it emerged two computer discs with details of more than 7,000 Northern Ireland motorists had got lost in the post after being sent to the DVLA in Swansea.

Then it was disclosed that confidential personal details of dozens of prisoners, including their criminal records, had been delivered to a private company instead of going to Norfolk Police.

And trade unions on Merseyside revealed that personal details of 1,800 health-authority staff, including their salaries and pension details, had been accidentally sent out to a number of private firms.

This is in spite of the Cabinet Office Review, of all Government Departments and Agencies, chaired by Robert Hannigan, the newly appointed Head of Intelligence, Security and Resilience, which was supposed to have reported on Monday 10th December 2007.

Will politicians and the media be pressing for this to be published, or will the Government spin doctors try to supress it until the New Year ?

See - How many Reviews will it take to sort out the HMRC and other UK Government data privacy and security scandals ?

The other Review, resticted to just Her majesty's Revenue and Customs, by Kieran Poynter, the senior partner at accountants PricewaterhouseCoopers (note the stupid "brand name" capitalisation) is due to report this Friday.

There do seem to have been some "locking the stable door" diktats at HMRC::

Written answers Thursday, 6 December 2007

Treasury
Revenue and Customs: Data Protection

John Hemming (Birmingham, Yardley, Liberal Democrat):

To ask the Chancellor of the Exchequer if he will ensure all CD burners are removed from HM Revenue and Customs computer departments until security

Jane Kennedy (Financial Secretary, HM Treasury):

I understand that staff access to removable media has already been disabled. Desktop PCs and laptops in HMRC are no longer able to read CDs, floppy disks, USB storage and other memory card devices. This facility can only be re-enabled with the authorisation of a director or the senior member of staff responsible for data transfer in the appropriate business area.

On 20 November, the Chancellor announced an independent review of HMRC's data handling procedures to be conducted by Kieran Poynter, the chair of PricewaterhouseCoopers.

Does "staff" mean all the EDS IT subcontractors and other consultants as well as HMRC permanent staff ? Probably not.

"Desktop PCs and laptops" does not include all the file, application, print and media servers.

"no longer able to read" does not necessarily mean "no longer able to write" !

What about the higher capacity DVD disc writers rather than CD writers ?

What about USB external or removable hard disk storage ?

What about backup tape systems of all sorts ?

What about NetBIOS based Windows file sharing over ethernet ?

What about WiFi or BlueTooth based file transfers ?

It sounds as if all they have done is tick a few boxes in the Windows Security Policy on the Enterprise Domain Controllers rather than actually physically removing or disabling these devices and interfaces.or installing the extra software necessary to do this properly.

Given the prevalence of USB keyboards and mice and even of USB Smart Card readers, these days, how do they really expect to prevent USB hubs and memory sticks (some models of which can appear to the BIOS and operating system as bootable CD or external hard disk devices) from being used by those people determined to steal valuable personal data, rather than those who just handle it ineptly but without malice ?


Comments

The BBC reports 800 DWP loan application forms have gone missining in transit

http://news.bbc.co.uk/1/hi/england/south_yorkshire/7141195.stm

Loan application forms go missing

Hundreds of forms containing personal and confidential information about members of the public were lost by the Department for Work and Pensions (DWP).

Staff were told that 800 budgeting loan applications have been lost in transit between Sheffield and Newcastle.

In an email, DWP staff were told that customers had been querying the status of their missing applications.

[...]

Depots of courier company TNT are being searched for the latest missing parcels.

'Extremely concerned'

Interest-free budgeting loans are available to people who claim benefits such as income support so they can spread the cost of one-off expenses, such as household appliances.

Lee Rock, from the civil service union PCS, told BBC Look North the forms contained applicants' names, addresses, dates of birth, National Insurance numbers and bank details.

[...]

In a statement, the DWP said: "Clearly we are extremely concerned that these payments have been delayed and we are striving to ensure no one is in hardship because of what has occurred.

"We are carrying out extensive checks with TNT to track down the whereabouts of the claims concerned."

[...]



"I understand that staff access to removable media has already been disabled. Desktop PCs and laptops in HMRC are no longer able to read CDs, floppy disks, USB storage and other memory card devices."

Quite. So now how are the poor bloody infantry able to carry on their work investigating tax irregularities, when their *main means* of exchanging information is via CD? Answer: they can't. The words 'shot' and 'foot' come to mind.


'Lessons will be learned', eh? Of course if these idiots hadf any competence whatsoever it would not be necessary for them to 'learn lessons'. It's rather like an adolescent youth learning to drive an expensive and lethal piece of machinery. After they've crashed and scraped and generally mistreated the machine they 'learn the lessons'. In the meantime the rest of us can only watch and hope that they don't do too much damage - to themselves or us.


Post a comment