Government security failure

November 20th, 2007 at 13:37 UTC by Ross Anderson

In breaking news, the Chancellor of the Exchequer will announce at 1530 that HM Revenue and Customs has lost the data of 15 million child benefit recipients, and that the head of HMRC has resigned.

FIPR has been saying since last November’s publication of our report on Children’s Databases for the Information Commissioner that the proposed centralisation of public-sector data on the nation’s children was not only unsafe but illegal.

But that isn’t all. The Health Select Committee recently made a number of recommendations to improve safety and privacy of electronic medical records, and to give patients more rights to opt out. Ministers dismissed these recommendations, and a poll today shows doctors are so worried about confidentiality that many will opt out of using the new shared care record system.

The report of the Lords Science and Technology Committee into Personal Internet Security also pointed out a lot of government failings in preventing electronic crime – which ministers contemptuously dismissed. It’s surely clear by now that the whole public-sector computer-security establishment is no longer fit for purpose. The next government should replace CESG with a civilian agency staffed by competent people. Ministers need much better advice than they’re currently getting.

Developing …

(added later: coverage from the BBC, the Guardian, Channel 4, the Times, Computer Weekly and e-Health Insider; and here’s the ORG Blog)

Entry filed under: Legal issues, News coverage, Politics, Privacy technology

21 comments

  • 1. Ross Younger  |  November 20th, 2007 at 16:03 UTC

    Ordinary post? Given my experience this year I’d wager that it is stuck in a Royal Mail warehouse somewhere and will mysteriously turn up in mid-December or so.

  • 2. Ross Younger  |  November 20th, 2007 at 18:05 UTC

    … Strike my earlier comment, the missing discs are now being described as having been posted in the “internal mail”.

  • 3. Bob Dowling  |  November 20th, 2007 at 18:25 UTC

    So what exactly does “password protected” mean?

    If the data had been securely encrypted I am certain that Darling would have been boasting in the Commons about how the discs were useless to any third party. As it is, I suspect the worst.

  • 4. Verity  |  November 20th, 2007 at 19:16 UTC

    Mm, when they said ‘password protected’, I immediately thought of all the research your group (and others) have done into passwords, and thought ‘damn, someone will have cracked that in a week or so’.

    I’m also mildly amused by the BBC report saying that there isn’t enough information on the discs to allow identity theft. I’m sure there’s enough there to cause fairly major security problems for anyone involved.

  • 5. Ian Mason  |  November 20th, 2007 at 19:37 UTC

    For the record, the information on the disks is:
    Name – Parent(s)
    Name – Child(ren)
    NI Number and/or Child Number
    Bank account details (“where relevant”, whatever Alistair Darling means by that)

    25 million people in total, 15 million of them children.

    To my mind that is “enough information … to allow identity theft” and if it isn’t then at least it’s a very good start.

  • 6. Watching Them, Watching Us  |  November 20th, 2007 at 21:09 UTC

    The risk of so-called “identity fraud” (or financial reputation libel) is not the only risk in the loss of this Child Benefit Agency data.

    Alistair Darling only mentioned the financial risks of this massive potential data breach, but he ignored the confidential name and address information which could be life threatening to, say, battered wives and their children, victims of stalkers, people in witness protection schemes, families of judges, police officers, prison officers, armed forces, intelligence agencies etc.

  • 7. Jimmy  |  November 20th, 2007 at 22:02 UTC

    CESG is a civilian agency…

  • 8. Simon Bradshaw  |  November 20th, 2007 at 22:15 UTC

    I’m a little confused by your suggestion that CESG should be replaced by a ‘civilian agency’. It is one already; it’s staffed and run by civil servants, and the only military personnel I ever encountered there were the liaison staff representing the MOD (admittedly one of its bigger customers).

    If you’re suggesting that CESG’s role should be taken away from HMG employees and outsourced to the private sector, that is something I and I’m sure many other readers would be deeply unhappy about.

  • 9. igb  |  November 20th, 2007 at 23:12 UTC

    If CESG were competent, they wouldn’t leave HMRC offering advice like this on phishing and how to spot a legitimate website: “The padlock – when you log on to HMRC Online Services you are always in a ‘secure session’ – which is shown by the padlock in the bottom right hand corner of your web browser.”

    We’ll gloss over the fact that it’s the top right hand corner on Safari, because we know that the much vaunted IT skills of CESG get confused when it’s not Windows. I get that padlock when I access my webmail, on my private squirrelmail server. It uses a self-signed certificate. Yes, I know how to click on it and make a reasonable stab at tracing the path back to root certificates, but presumably CESG can’t. Or think it’s too hard.

    So they offer advice which is actively bad security: it tells people to regard as a sign of security something which is easily forged, and therefore may make sites which make other mistakes (spelling, look and feel) seem more secure because of the padlock.

    A tip of the hat to Ross on Newsnight just now. Do all stupid Labour MPs talk slowly as though addressing small recalcitrant children, or is it just when they’ve been caught screwing things up? Shall we club together and buy Ian Brown a good meal?
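The point igb makes above, that a padlock only means a TLS session exists and says nothing about who is on the other end, can be shown directly. The following Go program is an added example, not code from the post or from any party it discusses: it mints a self-signed server certificate for a constructed host name (`webmail.example.invalid`), confirms that it vouches only for itself, and then runs the chain validation a browser is supposed to perform. Against a root store that does not contain the certificate, validation fails; only after the certificate is explicitly trusted does it pass, which is exactly the step the padlock icon by itself never carries out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedCert builds a server certificate that signs itself, the kind a
// private webmail host might present. The host name is a constructed placeholder.
func NewSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	// The template is also the parent: issuer == subject, signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IsSelfSigned reports whether the certificate vouches only for itself:
// issuer equals subject and the signature verifies under its own public key.
func IsSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// VerifyAgainst performs the check that actually establishes identity: build a
// path from cert to a trusted root in roots and match the presented host name.
func VerifyAgainst(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	host := "webmail.example.invalid" // constructed host name
	cert, err := NewSelfSignedCert(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("self-signed:", IsSelfSigned(cert))
	// A TLS session under this cert lights the padlock, yet chain validation
	// against a root store that does not contain it fails.
	fmt.Println("verify against empty root store:", VerifyAgainst(cert, x509.NewCertPool(), host))
	// Validation passes only once this exact cert has been explicitly trusted.
	trusted := x509.NewCertPool()
	trusted.AddCert(cert)
	fmt.Println("verify after explicit trust:", VerifyAgainst(cert, trusted, host))
}
```

The empty root store stands in for a browser that has not been told to trust the certificate; a real browser would use its bundled roots, with the same result for a self-signed leaf. The host-name check in `VerifyAgainst` is the other half of the advice HMRC's text omits: a chain to a trusted root for some other name is no better than no chain at all.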

  • 10. Tom  |  November 20th, 2007 at 23:17 UTC

    I was very pleased to, at last, see you on Newsnight.

    Integrity is a rare and valuable virtue. Keep up the invaluable work that you and your colleagues do.

    To “Jimmy” and “Simon Bradshaw”, CESG is a Government Agency, funded and salaried/pensioned by the state, staffed by civil servants.

    As Ross says, “The next government should replace CESG with a civilian agency staffed by competent people.”

  • 11. Simon Bradshaw  |  November 21st, 2007 at 06:49 UTC

    Tom: I fear we are talking at cross purposes. To me, ‘civilian’ means what it commonly means, i.e. not part of the military or, to stretch things a bit, MOD.

    If we have a new body replacing CESG, who will it be staffed by? As I see it, its personnel would be either employees of the Government, in which case they would be civil servants, or private sector contractors, presumably operating under a PFI contract. Which would you prefer?

  • 12. Peter Davies  |  November 21st, 2007 at 07:17 UTC

    I watched Ross on Newsnight last night. He was calm, measured and sensible.

    The Labour minister looked very nice, very “mumsy” and very clueless. She had no idea about the scale of the problem, the seriousness of data protection. She was not willing to listen to expert advice despite it being very obvious that Ross’s knowledge was huge and hers was less than a grain of sand.

    Keep on going; eventually the huge incompetence of government with data will be fully known.

    Surely ID cards and the NHS IT scheme must now be shelved.

  • 13. Dan Cvrcek  |  November 21st, 2007 at 09:10 UTC

    Well, I listened to Radio 4 last night and here are my thoughts.

    Password protected disks but not encrypted – hmm, let me think. The disk does not have a processor -> it cannot check correctness of the password -> where can it be checked? -> during export/import -> the check is only within the HMRC system && the disks are not encrypted -> the disks contain unencrypted data, readily readable by anyone, easily importable into any database you can install on your laptop/PC.

    Labour MPs said that it is a mistake of an individual and we shall judge the government according to how they deal with the situation – It is not a mistake of an individual! No one should have any chance to lay their hands on the whole database. If it is possible, my question is – what is the price for which this “junior official” would copy the database for X (X being an advertisement company or supermarket chain or criminal organisation or …)?

    The data was requested by an audit office which says it wanted anonymised records – i.e. the disks contained much more information than “just” name, address, NIN, bank details. So what do people fill in on the forms for child benefits and what information does HMRC collect about you regarding the benefits?

    After the ID cards were attacked, Darling said that they would be much more secure, because they are protected by biometric information. This is bollocks. I do not expect politicians to understand technology (far from that) but he apparently did not expect this attack. If he did, even worse.

    A claim that no fraud has been detected yet. Thank God, but no one has yet explained to the government the value of the data.

    Newsnight with Ross does not need a comment.
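Dan Cvrcek’s chain of reasoning above (no processor on the disc, so the password can only be checked by the exporting or importing application, so the bytes on the disc are plaintext) is worth making concrete, and it also answers Simon’s later worry that a disc could be copied in transit without anyone being the wiser. The Go program below is an added example, not code from the post or from HMRC: it models a “password protected” export as plaintext records travelling next to a password hash that only the application checks, and sets beside it an export encrypted with AES-256-GCM under a key derived from a passphrase. The sample records and the passphrases are constructed; the key-derivation loop is an iterated-SHA-256 stand-in used only so the example needs nothing outside the standard library (a deployment would use PBKDF2, scrypt or Argon2).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// SampleRecords is constructed sample data in the shape described above, not real records.
var SampleRecords = []byte(
	"Parent: A. Example; Child: B. Example; NI: QQ123456C; Account: 00-00-00 12345678\n" +
		"Parent: C. Example; Child: D. Example; NI: QQ654321A; Account: 00-00-00 87654321\n")

// PasswordGatedExport models a "password protected" disc: the records travel in
// the clear beside a password hash that only the export/import application consults.
type PasswordGatedExport struct {
	PasswordHash [32]byte
	Records      []byte // plaintext on the disc
}

func ExportPasswordGated(records []byte, password string) PasswordGatedExport {
	return PasswordGatedExport{PasswordHash: sha256.Sum256([]byte(password)), Records: records}
}

// OpenPasswordGated is the importing application's check, the only place the password matters.
func OpenPasswordGated(e PasswordGatedExport, password string) ([]byte, error) {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], e.PasswordHash[:]) != 1 {
		return nil, errors.New("wrong password")
	}
	return e.Records, nil
}

// ReadRaw is what any other program holding the disc sees: the records, because
// nothing stored on the disc depends on the password.
func ReadRaw(e PasswordGatedExport) []byte { return e.Records }

// EncryptedExport holds AES-256-GCM output: unreadable without the passphrase,
// and any modification of the ciphertext fails the authentication tag.
type EncryptedExport struct {
	Salt, Nonce, Ciphertext []byte
}

// deriveKey is an iterated-SHA-256 stand-in for PBKDF2/scrypt/Argon2 (assumption:
// standard library only), salted so equal passphrases give different keys.
func deriveKey(passphrase string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	for i := 0; i < 100000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(passphrase, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func ExportEncrypted(records []byte, passphrase string) (EncryptedExport, error) {
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return EncryptedExport{}, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return EncryptedExport{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per export; never reuse under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedExport{}, err
	}
	return EncryptedExport{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, records, nil)}, nil
}

// OpenEncrypted fails on a wrong passphrase and on any altered byte.
func OpenEncrypted(e EncryptedExport, passphrase string) ([]byte, error) {
	gcm, err := newGCM(passphrase, e.Salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	gated := ExportPasswordGated(SampleRecords, "correct horse")
	_, err := OpenPasswordGated(gated, "guess")
	fmt.Println("gated export, wrong password via the app:", err)
	fmt.Println("gated export, NI number readable straight off the disc:", bytes.Contains(ReadRaw(gated), []byte("QQ123456C")))
	enc, err := ExportEncrypted(SampleRecords, "correct horse")
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted export, NI number readable off the disc:", bytes.Contains(enc.Ciphertext, []byte("QQ123456C")))
	_, err = OpenEncrypted(enc, "guess")
	fmt.Println("encrypted export, wrong passphrase:", err)
}
```

Two things follow from running it. A copy of the gated export made anywhere along the postal route is as useful to the copier as the original, so the “none the wiser” scenario is simply the expected outcome of that design. A copy of the encrypted export yields nothing without the passphrase, and GCM's tag means a disc whose contents were altered in transit is rejected on import rather than silently loaded; the passphrase then has to travel by a separate channel, which is the part a sticky note on the jiffy bag does not provide.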

  • 14. Ian Bedford  |  November 21st, 2007 at 09:13 UTC

    “The next government should replace CESG with a civilian agency staffed by competent people. Ministers need much better advice than they’re currently getting.”

    Replacing existing CESG civil servants (the majority of whom, contrary to your opinion, are extremely competent) with non-HMG employees from “outside industry” is going to do nothing to help the problem other than to increase the cost of designing and implementing the same broken solutions.

    CESG’s role (albeit as self-styled “authority”) is an advisory one, and as such government departments are free to take it or not. In situations such as the HMRC debacle, it is less to do with CESG *advice* (“thou shalt encrypt data in transit… please”) and more to do with following Cabinet Office *policy* in the form of the Manual of Protective Security.

    As you said on Newsnight, such aggregations of data should be treated as, well, something above UNCLASSIFIED at least, and handled accordingly. There is no CESG rule that I’m aware of that says you must encrypt CDs full of data when sending them between departments using official channels.

  • 15. Dan Cvrcek  |  November 21st, 2007 at 09:33 UTC

    Oh yes, one last bit that I forgot. When the disks remained undelivered after three weeks, they made a new database dump and tried it again. :-)

  • 16. C Lambert  |  November 21st, 2007 at 11:43 UTC

    Ministers pick and choose advice – CESG can’t beat anyone around the head with a stick: as some of the previous posts have pointed out, CESG is merely an advisor. As for a CESG replacement: industry subcontractors; perish the thought. Stick with the underpaid, competent bunch we have now.

    And the loss of those discs; whatever happened to common sense and individual responsibility? Of course you send things like that by special delivery.

  • 17. Carlotta  |  November 21st, 2007 at 12:26 UTC

    Very grateful for the performance on Newsnight, Ross.

    Am off to GP in a minute, and will be asking them not to put my information on their database…(this all over again…have already asked once, but noticed that they were still putting stuff in last time I went.)

    In my experience of working in GP surgeries, it was hard enough respecting patient confidentiality with paper files and natural human curiosity. How on earth they plan to make this information widely available yet still confidential beats me.

  • 18. Simon  |  November 21st, 2007 at 13:27 UTC

    The biggest worry is that it has taken the loss of these disks to prompt a public announcement. If a nefarious person with access to the mail network used had simply opened this letter, copied the disks and put them back in the mail (assuming the letter had no tamper-proofing), would we be none the wiser? Would HMRC be none the wiser? If this practice of sending unencrypted, sensitive information over unsecured channels is in use, there is no way to tell if this scenario has happened before.

  • 19. Stephen  |  November 21st, 2007 at 21:52 UTC

    I’m not very knowledgeable about how the different Government agencies interact over there in the UK, but I suspect the situation is quite similar to the way things work over here in Australia. Your CESG fulfils a role similar to our DSD – the provision of IT Security advice to, and setting of IT Security standards for, Government departments. However (over here at least), listening to that advice and applying those standards is done completely at the discretion of each individual agency, with the agency head being responsible for each agency’s individual security. If a breach occurs, the agency is held responsible.

    The problem with this situation (here at least) is that while the security standards exist, and the advice is provided, it is to a large extent ignored as soon as it interferes too much with regular agency business. Why is this the case? Because there is no visible penalty for not following the advice and applying the minimum standards. Compliance with the standards is also not audited (unless you count audits covering 2% of agencies conducted every 5 years). It’s incredibly difficult to be in a position where you have to argue for compliance with IT Security standards to agency executives based solely on their being Government minimum standards. When the executive asks “what happens if we don’t comply” all you can answer is “well, probably nothing, unless a breach occurs and someone finds out about it”. To get any results you need to justify any security based on risk management principles, and just hope management doesn’t consider IT Security to be a load of rubbish.

    So I don’t think that changing the structure and organisation of CESG will make a difference. However, auditing and enforcing the standards already in place might.

  • 20. Ian Jackson  |  November 22nd, 2007 at 08:27 UTC

    Well, they’ve really done it this time … that’s the bosses following the Government cutbacks in saving money.
    Sent unregistered, mostly 2nd class post. Why? Because the big white chief says so; he saves £20 but causes all this trouble.
    With all that important data on the discs they should have been hand delivered. Yes, it would cost man hours, but the data would not be lost. This Government should go and call an election NOW. We need new ideas, better management and a wake up call in all departments that they will get kicked out if things go wrong, starting from the top down… but not the lowest of the low who is just following the rules set by the bosses.

  • 21. Pete Austin  |  November 22nd, 2007 at 15:16 UTC

    @Ross: kudos. It’s not that this outrage happened; it’s that nothing was done to prevent it. And, while it’s incredibly serious, it would have been even worse had it happened after NHS IT went live.

    A private sector company doing the same job as this HMRC office would not have had all this information in a live database in the first place. My company for example regularly advises our clients to only load the information that’s actually necessary for each task.

    Also do other people find it ironic that the idiots who exposed their fellow citizens to the crooks and spammers are having their own privacy protected?
