Thursday, November 22, 2007

The savaging continues

Attacks on the incompetence of the Government are coming in from all sides. Even from ComputerWorldUK:
Jonathan Armstrong, partner at international law firm Eversheds, warned: "The breach is likely to give birth to a number of phishing scams. Even if the data on the CDs does not get into the hands of fraudsters it is likely that even now a large email campaign is being planned to prey on the British public.

"We have been involved with a number of major multinational breaches and have spoken with clients after the event to help others learn from their experience," said Armstrong.

"In many cases the consequences of the data breach are worse than first anticipated."

Fred Piper, a professor at Royal Holloway University of London, said it was extraordinary that the data loss occurred.

"It shouldn't happen. It beggars belief as to who authorised this, and whether they had authority to send the data or just did it," he said.

...

Bob Ayers, associate fellow at Chatham House's International Security Programme, said any inquiry needed to get to the bottom of how this happened.

"But you have to ask: what kind of data protection regime is there in place in which highly sensitive information is stuffed in an envelope and given to a guy on a motorbike to courier across London? What kind of protection regime treats such vitally important information in such cavalier fashion?"

...

"We are getting a lot of head-patting from the government reassuring us that they are in charge and are trying to figure out what happened. We are being told not to panic and not to change our bank accounts," he said. "I would want to know how this happened. I'm not talking about the mechanics, but how did we get to the position that such critically sensitive information is being treated like a package of fish and chips and moved around London?

"Until we understand the answer, there can be no assurance that this is not going to happen again and again and again."

FBI fraud expert Frank Abagnale said:

"It was not just a mistake. I truly believe that someone paid for information to be stolen. It's what happens all the time, that someone acted in collusion with somebody else to steal this data," said Abagnale, author of Catch me if you can and a fraud expert who has worked extensively for the FBI over the past 32 years.

Governments, corporations and local authorities do a "horrible job of protecting data" said Abagnale.

"Don't send sensitive records by courier or through the mail. It's just common sense, and good business practice that someone should not have done that. The UK government needs to do a much better job of protecting the information of its citizens," he said.

"The government would not ship gold bullion via an unsecured courier or method and in today's environment, one needs to understand that sensitive personal data is worth just as much as gold bullion."

He added: "This is what scares me about the concept of UK ID card. Taking all of this information, including biometrics information, and putting into one place is dangerous. It is allowing one weak link in the chain, for instance, a criminal to approach someone to steal information," said Abagnale.

...

If the data was stolen, then it is likely the thief would sit on this information for a number of years before harvesting identities, said Abagnale.

"Because the records are for younger people, many may not have a credit record yet. Once they reach adulthood, they could find their identity has been sold before they've even started on life."

HMRC's data loss highlights the difference between data breach notification laws in the US and the UK, said Abagnale. The UK government waited more than 10 days to notify parliament and the public of the breach. But in the US, under current laws, the government would have had to notify everyone affected immediately.

And Nick Robinson of the BBC says about the exchange of emails between the National Audit Office and HMRC:
The key thing we learn comes not from the detail but the tone of all the exchanges. They demonstrate little concern from either the NAO or HMRC about data protection. The NAO wants, it would appear, simply to reduce the size of the files it is sent. The HMRC is worried about the cost of filtering information in order to send the smaller files the NAO request. What about our privacy and our rights? No mention is made of them.
And now the good news:
New measures to increase government data sharing are included in bills announced in the Queen’s Speech.


Wednesday, November 21, 2007

The gift which lasts - incompetence

With over 10,000 comments on the BBC Have your Say page, the Beeb is catching on about the scale of the data-loss scandal.
Now they're actually quoting some experts:
Children whose personal data has gone missing could be at risk of identity fraud for many years, credit reference agency Experian has warned...
Compliance director Helen Lord said this could have a "catastrophic effect" on their ability to buy or rent a home or obtain a loan or credit card.
According to a director of RSA security:
What also made the data attractive to fraudsters, said Mr Moloney, was that much of the data in it, such as names of children and birth dates, cannot be changed and will be valuable if it reaches criminals in the next week or the next year.

No doubt we'll be told again that there's no evidence that the data's fallen into the wrong hands. It's equally clear that the Chancellor's career hangs by a thread. The PM will cut that thread if he thinks it will help him at all.

Tuesday, November 20, 2007

A cataclysmic error

Today we heard Alistair Darling admit that
"Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing... with name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people."

For this, HMRC (Her Majesty's Revenue and Customs, the amalgam of the Inland Revenue and Customs and Excise) are to blame, and the chairman, Paul Gray, rightly resigned.

Thereafter, we had the usual covering of portions of anatomy with Darling blaming all and sundry at HMRC and the Financial Secretary to the Treasury, Jane Kennedy, stating on BBC's PM that it had no relevance to ID cards because the computer systems "would be more modern and single purpose unlike the HMRC's" completely ignoring the fact that the fault was entirely people-driven and unrelated to HMRC's computer system [Listen Again, Radio 4, PM Tuesday 20 November, about 28.20 mins in].

The chancellor defended the government's plans to introduce ID cards. He said that "without the protection of the scheme, information was more vulnerable than it should be."
He announced the usual investigation and plans to stop "this ever happening again".

The shadow chancellor told Darling to "get a grip" and described the incident as "catastrophic".

And they all missed the damn point. Again.

If this data is out there, in some criminal's hands, it's the most valuable data set ever lost in this country.

This is exactly the sort of personal data that enables criminals to claim successfully that they've forgotten "their" password. So that's seven and a half million bank accounts at risk. There's a bad start.

What is far worse is the opportunity for 25 million cases of "identity theft". 25,000,000 fraudulent ID cards. 25,000,000 fake passport applications.

This data isn't going to go away and no-one can change it [25 million applications for a change of name by deed-poll, anyone? Anyone know how to change your date of birth?].
This is a one-off irreversible loss of security for 25 million citizens.
If this data is in the hands of criminals, it's going to be on sale on various websites for the next forty years.

This is not a cock-up. It's not even an administrative catastrophe.

What this is is a cataclysmic failure by the state in its highest priority: the job of protecting its citizens.
Let no-one blame just the civil servants who boobed - they shouldn't have been in a position where this could happen. Let no-one blame just the chancellor - he's just one member of the cabinet which is collectively responsible for the largest loss of civil liberties and privacy we've seen outside the second world war.
This farce, this farrago, this most obscene of gross derelictions of duty should be a cause for wholesale sackings in the civil service and the dismissal of the government. It should be the cause of mass demonstrations outside Parliament. Oh sorry! Of course, that's illegal now.

Of course it won't be a cause of anything much. We'll all go along with it. We'll moan and wring our hands and think bitter thoughts for a few hours or days at the most and then we'll forget it.

Why? Because we don't expect any better from our politicians. We expect neither honesty nor competence, merely a bit of a show and the occasional simulation of contrition.

Thursday, November 01, 2007

Rough Justice

So, Sir Ian Blair had another close shave as the Jury finds the Met guilty but Cressida Dick innocent in the De Menezes shooting case. The Met mounted a defence of the most cynical variety, continuing their character assassination of de Menezes which started on the day of his shooting just before they shot him: he ran when challenged, he vaulted the barrier, he came towards the police. This was followed by photo-shopping his picture to make him look more like the suspected terrorist, saying that he had taken cocaine (implying he was still under its influence, when he wasn't) and pointing out that his visa had expired (presumably a capital offense).

A sorry picture of incompetence, dishonesty and lack of principle emerges and you hope that the public sees through it. Then, if you read the Have Your Say feature on the BBC website, it is quite clear that mud sticks. Half of the commenters are mouthing these half-truths and lies as defense of our glorious police.

The truth is simpler. Individual police are usually brave and most are doing their best in difficult circumstances, but their organisation is deeply flawed at the deepest (and highest) levels. The fast track graduates with little on the street experience and heightened political sensitivities who run our police forces shouldn't be trusted with organising a milk-round let alone armed police and counter-terrorism.
For a BBC timetable of the whole glorious cock-up go here.