The Mail on Sunday has a scoop report, picked up by the other mainstream media, under a somewhat misleading headline, Yet Another Government IT Security Failure:
By Daniel Boffey
Last updated at 11:06 PM on 01st November 2008
Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details.
The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets.
An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost.
The Department for Work and Pensions insisted that the system's security has not been breached, but a computer expert told The Mail on Sunday that in the wrong hands the data on the memory stick could enable hackers to access personal details of the 12million people who have registered on the system, including their passwords.
Users trying to log on to the site yesterday were met by the message: 'The Government Gateway is temporarily offline. We apologise for any inconvenience. Normal service will be resumed as soon as possible.'
The Government also closed down access to self-assessment tax applications via the Revenue and Customs website.
The HMRC income tax self assessment system is still the Government department which uses the Government Gateway website, even after all of these years of alleged "joined up e-government".
The Government Gateway website appears to be back online, for now.
[...]
The lost memory stick was found two weeks ago outside a Brewers Fayre chain pub in Cannock, Staffordshire, but the Department of Work and Pensions, which owns the Government Gateway, was made aware of its loss only last week when the 2in device was passed to this newspaper.
An expert who examined it for The Mail on Sunday said it contained confidential passwords, security software and the technical blueprint to the system known as the 'source code'. The memory stick is now in the hands of the police.
Therefore this USB memory device must have been unencrypted.
Concerns have been raised before about the concentration of personal information on the system, but Ministers have repeatedly assured taxpayers that the system was secure.
When The Mail on Sunday told the Department of Work and Pensions that the memory stick had been left outside The Orbital pub in Cannock, a spokesman said they were taking the matter 'very seriously'.
He added: 'We have launched an immediate and urgent investigation into this. We are going to assess what needs to be done and senior people are involved. The implications are obvious.'
Yesterday, after the service had been shut down, the department added: 'We have moved immediately to make sure there is no conceivable risk to users of the Government Gateway.
'We are convinced the integrity of the Government Gateway has not been compromised and there is no risk to users.'
The department said no credit card details were contained on the USB memory stick, also known as a flash drive.
What was lost was much worse than that !
[...]
The memory stick was lost by Daniel Harrington, 29, an IT analyst at computer management firm Atos Origin.
The multinational company, which boasts an annual turnover of £4billion, won the five-year £46.7million contract to manage the Government Gateway in 2006.
Worryingly, the same company has been selected to supply IT systems for the London 2012 Olympic Games.
Yesterday, Mr Harrington was in emergency meetings all day at Atos Origin's offices in Cannock.
His mother Sylvia said: 'It was lost. He is such a lovely lad. He went into work today, I don't know whether he was dragged in, but he went in. It is just so upsetting. I keep telling him, mistakes happen.'
There must also have been data about Daniel Harrington and Atos Origin on this USB memory device, or with the lost device, which enabled the Mail on Sunday to track him and his mother down.
If the Mail on Sunday could identify them, then so could serious organised criminals, terrorists or foreign intelligence agencies, who would all be interested in access to this centralised Government system.
[...]
As well as the system blueprint, other files on the stick included samples of personal information. One document held the names, addresses, wages, individual tax liabilities and National Insurance numbers of a group of taxpayers.
A spokesman for the Department for Work and Pensions insisted that the security software and passwords on the memory stick had been protected so that a stranger would not be able to access the Government Gateway easily.
She said: 'Passwords are hidden using an industry standard technique which is difficult to break. We believe the risk of someone accessing personal data in this way is extremely low.'
Note the weasel words:
"Passwords are hidden using an industry standard technique which is difficult to break"
Rubbish !
If the files on the USB device or the entire USB device itself had been strongly encrypted (even the manufacturers of the USB device illustrated in the Mail on Sunday photo make a model with built in AES 256bit encryption), then there would be no problem with losing them in this way.
Given the presence of source code, we should assume that some of these passwords were system passwords to which this IT analyst had access, and which could have been used to insert malicious computer programmes into the Government Gateway system, nullifying the normal security procedures.
If the USB device only contained some normal user account details and passwords, which could have been disabled in a few seconds, then there would have been no need to take the whole Government Gateway system offline, would there ?
She added that the source code was old, that the step-by-step guide to the system provided in a text file was a 'low risk', and that other items on the memory stick provided only a 'rudimentary guide' to the system.
She also said that it would be 'impossible to intercept details of transactions' and divert money to another account.
Is this spin doctor really claiming that there was no security sensitive data in the "old source code" whatsoever i.e. that security routines have only been added to the system very recently ?
Will this anonymous Government spokesman, or her Minister resign if that statement is proven to be false or misleading ?
However, Mr Erasmus said the source code was only a few months old and that the password encryption would be 'relatively easy' to crack, given the information on the device.
He said: 'I could decrypt those passwords to log in to the system and roam around the network. As we can see from the data on the USB stick, the systems contain highly sensitive personal information.
'If you can crack those encrypted passwords, and it would just be a matter of time, you could potentially access those 12million accounts and those details.
'There is even a map on the memory stick of how the whole thing works, to help an attacker.'
[...]
Yesterday morning, the finder of the memory stick was asked to deposit the device at his local police station. And seven pages of printouts were handed over to a civil servant seconded to collect the documents.
The finder will be lucky if the untrustworthy government bureaucracy does not attempt to "shoot the messenger" and to smear or prosecute him, instead of the culprits i.e. the senior management at the Department for Work and Pensions, at Atos Origin, and the hapless Daniel Harrington.
Those responsible should also be prosecuted under the Official Secrets Act 1989 section 8 Safeguarding of information, which specifically applies to a "Crown servant or government contractor".
See the previous Spy Blog article Official Secrets Act prosecutions and media spin - Richard Jackson has been treated more leniently than Corporal Daniel James
An Atos Origin spokesman said: 'Atos Origin can confirm that a single memory stick has been misplaced by one of its employees.
'The company takes the loss of this device very seriously and we are currently carrying out a full investigation of both the circumstances surrounding its loss and the data content of the stick.
'It is clear that the employee removed the device from company premises in direct breach of our own operating procedure.
So what ?
Why was this data allowed to be on an unencrypted USB device in the first place, regardless of whether or not it was inside Atos Origin's offices ?
'Atos Origin is working very closely with the Government and the police. The company takes full responsibility for this loss and will discipline the individual involved.
'It is inappropriate for us to comment further at this stage.'
The BBC, which is often accused of an inherent pro-Labour Government bias, does appear to have fallen for some Government damage limitation media spin, as their report (without a tagline), Probe into data left in car park, claims that:
But a spokeswoman for the Department of Work and Pensions said the device contained user names and passwords for testing an old version of the system, and all the information was encrypted.
If "all the information was encrypted", then how exactly could either the member of the public who found the USB memory device in the pub car park, the Mail on Sunday, or their computer security experts actually determine that it contained anything to do with the Government Gateway at all, let alone any passwords or source code or samples of personal data ?
Why should we trust this Government or its slapdash bureaucrats and IT sub-contractors with massive centralised IT databases like the National Health Service Data Spine or the planned National Identity Register when they continue to breach the most elementary principles of data security and privacy in this way, again and again and again ?
How many other lost or stolen or copied USB or other removable media devices full of such sensitive or secret information are there out there, which have not been found in pubs, car parks, trains etc. and handed in by members of the public ?
Very interesting that this kind of thing can happen. I'm a Swede and the Swedish government is far from perfect, but I'm pretty sure that the same problem will never happen in Sweden since most of this kind of information is public information in Sweden. www.extrakoll.se/en is a webpage where everyone with a Swedish mobile subscription can get this kind of information directly into the mobile phone. So maybe this is actually where the discussion should start, why not let all this information be public? The IT-security will never be perfect anyway:)
Very good and "hard hitting" comments..All true. So, WHAT will happen to ATOS origin and their contract? By rights it should be taken away immediately ! but will it? Were they just following Purnell's lead.."hey let's leave some info on a train" who in turn follows Orange Hain's much hyped term in DWP.
Will they lose their contract? Hmmm, ask Labour peer Lord Barnett to disclose his interest in ATOS and just HOW they got the contract in the first place ! Frightening that Atos Origin have their grubby fingers in so many UK interests..( look at Warburton's bread! what used to be a friendly family company now think they run the "bread world"..oh! ATOS has just taken over their customer service dept!!! and IT) As you state, the 2012 Olympics has ATOS stamped all over it, rather strange when they are being investigated over Human Rights issues following the 2008 Olympics...The list goes on..ATOS have an extremely bad rep. over DWP medicals etc..read many tales of misery and torment caused by a firm "dabbling" in something they know NOTHING about.
As you say..they should be prosecuted ! along with Purnell and the man responsible for giving them the contract.....
Is there any way of keeping tabs on the well being of the man who found the item?
As you hint, he is at risk of being prosecuted for finding it and blowing the whistle on it.
I am also reminded that many years ago, some bank disks turned up on the New Zealand second hand market with their data still intact. The whistleblower was found dead in a hedge a few weeks later from a "car accident". It seems not to have been the end of other disks-with-data being sold secondhand, but it did make sure that no-one else reported their find!
We just had a similar case here in Utah, where student information was stolen. The problem.. It was all on a little USB Storage device. Talk about stupidity right there!
----
Safety & Spy
www.bunkerspy.com
Having been trained on databases in the 1970s I am just totally confused as to how this data and much of the data lost in other scandals find their way onto memory sticks, CDs or laptop computers.
I can see no reason at all for this set of passwords to be stored anywhere but on the main centralised computing system.
I accept that subsets of data may be needed, eg in the loss of the prison officer's data lost recently, there could be a case that a mailing house might need all the prison officers' addresses to send out a specific letter. But in this case there was a whole lot more data on the lost device.
It seems that the government has lost control of its computing contractors, has no proper control - eg external auditors - of projects and does not seem to enforce recognised computing standards.
All the government's personal information should be held on large centralised systems, which are too large and too heavy to carry and therefore lose on a train or a pub carpark.
Access to all data should be carefully controlled by someone, who used to be called a database controller or administrator. Users should then be externally audited to see that they are using the data correctly and deleting the data effectively, when they have finished using it.
There seems to be no valid reason for specific personal data to be downloaded in quantity to a memory stick or laptop.