UK Government Data Loss


Published on December 28th, 2007

There are not many silver linings on the cloud sitting over Information Security experts who work for the UK Government this Christmas.  It follows the loss of personal information on welfare recipients by HMRC (twice), of learner driver information by the DVLA, of personal information on policemen binned in an unencrypted and intact form by Devon police, and of the medical records of potentially hundreds of thousands by the City and Hackney Primary Care Trust.

One silver lining is that the issue of Information Security is now at the front of the minds of IT decision makers everywhere.  If you store any information about customers, suppliers, or any people whatsoever, and you don’t already have a plan for how you will move this data securely, permit access to it by your staff, and destroy the data when it’s no longer needed or the holding assets are destroyed, then you will be tomorrow’s headline about data loss.

Secondly, this catalogue of failure will contribute to burying the enforced ID card scheme, or rather, the associated single database which is planned to hold all medical, criminal, and financial records about you, for use by civil servants.  Civil liberty concerns aside, if the government show little regard for the safety of our data when it’s in a de-aggregated form, then how will their IT systems and policies cope with the sort of attack that would follow putting everything the government knows about British people in one place?

Unfortunately, the Government have not taken the data loss stories at all seriously. Ruth Kelly is on record explaining that the loss of data on 1.5 million learner drivers is “not substantial.”  This means that she does not understand the risks of Social Engineering, a process where confidence tricksters use any trivial information that they know about you to fool you into giving more information.  Claiming that the DVLA data loss is unsubstantial because bank details were not included in the data that was lost shows that the department have no understanding whatsoever of the motivations for stealing personal data. If you take a call starting, “Hi, I am calling from the DVLA about the test you took on the 3rd of December in Cardiff, which you failed - would you like to rebook a test?” then, following the potential loss of your records as a driving student, you may have been telephoned by a thief.  Furthermore, any con-man could use the data they have stolen as ‘pretext’ - sharing enough data about you with you in order to make you believe the call was genuine.

