Government security failure

In breaking news, the Chancellor of the Exchequer will announce at 1530 that HM Revenue and Customs has lost the data of 15 million child benefit recipients, and that the head of HMRC has resigned.

FIPR has been saying since last November’s publication of our report on Children’s Databases for the Information Commissioner that the proposed centralisation of public-sector data on the nation’s children was not only unsafe but illegal.

But that isn’t all. The Health Select Committee recently made a number of recommendations to improve safety and privacy of electronic medical records, and to give patients more rights to opt out. Ministers dismissed these recommendations, and a poll today shows doctors are so worried about confidentiality that many will opt out of using the new shared care record system.

The report of the Lords Science and Technology Committee into Personal Internet Security also poitned out a lot of government failings in preventing electronic crime – which ministers contemptuously dismissed. It’s surely clear by now that the whole public-sector computer-security establishment is no longer fit for purpose. The next government should replace CESG with a civilian agency staffed by competent people. Ministers need much better advice than they’re currently getting.

Developing …

(added later: coverage from the BBC, the Guardian, Channel 4, the Times, Computer Weekly and e-Health Insider; and here’s the ORG Blog)

21 thoughts on “Government security failure

  1. Ordinary post? Given my experience this year I’d wager that it is stuck in a Royal Mail warehouse somewhere and will mysteriously turn up in mid-December or so.

  2. … Strike my earlier comment, the missing discs are now being described as having been posted in the “internal mail”.

  3. So what exactly does “password protected” mean?

    If the data had been securely encrypted I am certain that Darling would have been boasting in the Commons about how the discs were useless to any third party. As it is, I suspect the worst.

  4. Mm, when they said ‘password protected’, I immediately thought of all the research your group (and others) have done into passwords, and thought ‘damn, someone will have cracked that in a week or so’.

    I’m also mildly amused by the BBC report saying that there isn’t enough information on the discs to allow identity theft. I’m sure there’s enough there to cause fairly major security problems for anyone involved.

  5. For the record, the information on the disks is:
    Name -Parent(s)
    Name – Childs
    NI Number and/or Child Number
    Address
    Bank account details (“where relevant”, whatever Alisdair Darling means by that)

    25 million people in total, 15 million of them children.

    To my mind that is “enough information … to allow identity theft” and if it isn’t then at least it’s a very good start.

  6. The risk of so called ïdentity fraud” (or financial reputation libel) is not the only risk in the loss of this Child Benefit Agency data

    Alistair Darling only mentioned the financial risks of this massive potential data breach, but he ignored the confidential name and address information which could be life threatening to, say, battered wives and their children, victims of stalkers, people in witness protection schemes, families of Judges, police officers, prison officers, armed forces. intelligence agencies etc.

  7. I’m a little confused by your suggestion that CESG should be replaced by a ‘civilian agency’. It is one already; it’s staffed and run by civil servants, and the only military personnel I ever encountered there were the liaison staff representing the MOD (admittedly one of its bigger customers).

    If you’re suggesting that CESG’s role should be taken away from HMG employees and outsourced to the private sector, that is something I and I’m sure many other readers would be deeply unhappy about.

  8. If CESG were competent, they wouldn’t leave HMRC offering advice like this on phishing and how to spot legitimate website: “The padlock – when you log on to HMRC Online Services you are always in a ‘secure session’ – which is shown by the padlock in the bottom right hand corner of your web browser.”

    We’ll gloss over the fact that it’s the top right hand corner on Safari, because we know that the much vaunted IT skills of CESG get confused when it’s not Windows. I get that padlock when I access my webmail, on my private squirrelmail server. It uses a self-signed certificate. Yes, I know how to click on it and make a reasonable stab at tracing the path back to root certificates, but presumably CESG can’t. Or think it’s too hard.

    So they offer advice which is actively bad security: it tells people to regard as a sign of security something which is easily forged, and therefore may make sites which make other mistakes (spelling, lock and feel) seem more secure because of the padlock.

    A tip of the hat to Ross on Newsnight just now. Do all stupid Labour MPs talk slowly as though addressing small recalcitrant children, or is it just when they’ve been caught screwing things up? Shall we club together and buy Ian Brown a good meal?

  9. Ross,

    I was very pleased to, at last, see you on Newsnight.

    Integrity is a rare and valuable virtue. Keep up the invaluable work that you and your colleagues do.

    To “Jimmy” and “Simon Bradshaw”, CESG is a Government Agency, funded and salaried/pensioned by the state, staffed by civil servants.

    As Ross says, “The next government should replace CESG with a civilian agency staffed by competent people.”

  10. Tom: I fear we are talking at cross purposes. To me, ‘civilian’ means what it commonly means, i.e. not part of the military or, to stretch things a bit, MOD.

    If we have a new body replacing CESG, who will it be staffed by? As I see it, its personnel would be either employees of the Government, in which case they would be civil servants, or private sector contractors, presumably operating under a PFI contract. Which would you prefer?

  11. I watched Ross on Newsnight last night. He was calm measured and sensible.

    The Labour minister looked very nice, very “mumsy” and very clueless. She had no idea about the scale of the problem, the seriousness of data prtoection. She was not willing to listen to expert advice despite it being very obvious that Ross’s knowledge was huge and hers was less than a grain of sand.

    Keep on going. eventually the huge incompetence of government with data will be fully known.

    Surely ID cards and the NHS IT scheme must now be shelved.

  12. Well, I listened to Radio 4 last night and here are my thoughts.

    Password protected disks but not encrypted – hmm, let me think. The disk does not have processor -> it cannot check correctness of the password -> where can it be checked? -> during export/import -> check is only within the HMRC system && the disks are not encrypted -> the disks contain unencrypted data, readily readable by anyone, easily importable into any database you can install on your laptop/PC.

    Labour MPs said that it is a mistake of an individual and we shall judge the government according to how they deal with the situation – It is not a mistake of an individual! No one should have any chance to lay their hands on the whole database. If it is possible, my question is – what is the price for which would this “junior official” copy the database for X (X being an advertisement company or supermarket chain or criminal organisation or …)

    The data was requested by an audit office which says it wanted anonymised records – i.e. the disks contained much more information than “just” name, address, NIN, bank details. So what do people fill in the forms for child benefits and what information does HMRC collect about you regarding the benefits?

    After the ID cards were attacked, Darling said that they would be much more secure, because they are protected by biometric information. This is bullocks. I do not expect politicians to understand technology (far from that) but he apparently did not expect this attack. If he did, even worse.

    A claim that no fraud has been detected yet. Thank God but no one has yet explained the government the value of the data.

    Newsnight with Ross does not need a comment.

  13. “The next government should replace CESG with a civilian agency staffed by competent people. Ministers need much better advice than they’re currently getting.”

    Replacing existing CESG civil servants (the majority of whom, contrary to your opinion, are extremely competent) with non-HMG employees from “outside industry” is going to do nothing to help the problem other than to increase the cost of designing and implementing the same broken solutions.

    CESG’s role (albeit as self-styled “authority”) is an advisory one, and as such government departments are free to take it or not. In situations such as the HMRC debacle, it is less to do with CESG *advice* (“thou shalt encrypt data in transit… please”) and more to do with following Cabinet Office *policy* in the form of the Manual of Protective Security.

    As you said on Newsnight, such aggregations of data should be treated as, well, something above UNCLASSIFIED at least, and handled accordingly. There is no CESG rule that I’m aware of that says you must encrypt CDs full of data when sending them between departments using official channels.

  14. Oh yes, one last bit that I forgot. When the disks remained undelivered after three weeks, they made a new database dump and tried it again. 🙂

  15. Ministers pick-and-choose advice – CESG can’t beat anyone around the head with a stick: as some of the previous posts have pointed out – CESG is merely an advisor. As for a CESG replacement: industry subcontractors; perish the thought. Stick with underpaid, competent bunch we have now.

    And the loss of those discs; whatever happened to common sense and individual responsibility? Of course you send things like that by special delivery.

  16. Very grateful for the performance on Newsnight, Ross.

    Am off to GP in a minute, and will be asking them not to put my information on their database…(this all over again…have already asked once, but noticed that they were still putting stuff in last time I went.)

    In my experience of working GP surgeries, it was hard enough respecting patient confidentiality with paper files and natural human curiousity. How on earth they plan to make this information widely available yet still confidential beats me.

  17. The biggest worry is that it has taken a the loss of these disks to prompt a public announcement. If a nefarious person with access to the mail network used has simply opened this letter, copied the disk and replaced them back in the mail (assuming the letter had no tamper-proofing), would we be none the wiser? Would HMRC be none the wiser? If this practice of sending unencrypted, sensitive information over unsecured channels is in use, there is no way to tell if this scenario has happen before.

  18. Im not very knowledgeable about how the different Government agencies interact over there in the UK, but I suspect the situation is quite similar to the way things work over here in Australia. Your CESG fulfils a role similar to our DSD – the provision of IT Security advice to, and setting of IT Security standards for Government departments. However (over here at least), listening to that advice and applying those standards is done completely at the discretion of each individual agency, with the agency head being responsible for each agencies individual security. If a breach occurs, the agency is held responsible.

    The problem with this situation (here at least) is that while the security standards exist, and the advice is provided, it is to a large extent ignored as soon as it interferes too much with regular agency business. Why is this the case? Because there is no visible penalty for not following the advice and applying the minimum standards. Compliance with the standards is also not audited (unless you count audits covering 2% of agencies conducted every 5 years). Its incredibly difficult to be in a position where you have to argue for compliance with IT Security standards to agency executives based solely on their being Government minimum standards. When the executive asks “what happens if we dont comply” all you can answer is “well, probably nothing, unless a breach occurs and someone finds out about it”. To get any results you need to justify any security based on risk management principles, and just hope management doesn’t consider IT Security to e a load of rubbish.

    So I dont think that changing the structure and organisation of CESG will make a difference. However, auditing and enforcing the standards already in place might.

  19. Well they really done it this time ….thats the bosses following the Government cut backs in saving money.
    Sent un registered mostly 2nd class post why because the big white chief says so, he saves £20 but causes all this trouble.
    With all that important data on the discs they should have been hand delivered, yes it would cost man hours but the data would not be lost. This Government should go and call an election NOW.We need new ideas, better management and a wake up call in all departments that they will get kicked out if thinks go wrong starting from the top down… but not the lowest of the low who is just following the rules set by the bosses.

  20. @Ross:kudos. It’s not that this outrage happened; it’s that nothing was done to prevent it. And, while it’s incredibly serious, it would have been even worse had it happened after NH IT went live.

    A private sector company doing the same job as this HMRC office would not have had all this information in a live database in the first place. My company for example regularly advises our clients to only load the information that’s actually necessary for each task.

    Also do other people find it ironic that the idiots who exposed their fellow citizens to the crooks and spammers are having their own privacy protected?

Leave a Reply to Dan Cvrcek Cancel reply

Your email address will not be published. Required fields are marked *