Thursday, November 22, 2007

The savaging continues

Attacks on the incompetence of the Government are coming in from all sides. Even from ComputerWorldUK:
Jonathan Armstrong,partner at international law firm Eversheds, warned: "The breach is likely to give birth to a number of phishing scams. Even if the data on the CDs does not get into the hands of fraudsters it is likely that even now a large email campaign is being planned to prey on the British public.

"We have been involved with a number of major multinational breaches and have spoken with clients after the event to help others learn from their experience," said Armstrong.

"In many cases the consequences of the data breach are worse than first anticipated."

Fred Piper, a professor at Royal Holloway University of London, said it was extraordinary that the data loss occurred.

"It shouldn't happen. It beggars belief as to who authorised this, and whether they had authority to send the data or just did it," he said.

...

Bob Ayers, associate fellow at Chatham House's International Security Programme, said any inquiry needed to get to the bottom of how this happened.

"But you have to ask: what kind of data protection regime is there in place in which highly sensitive information is stuffed in an envelope and given to guy on a motorbike to courier across London? What kind of protection regime treats such vitally important information in such cavalier fashion?"

...

"We are getting a lot of head-patting from the government reassuring us that they are in charge and are trying to figure out what happened. We are being told not to panic and not to change our bank accounts," he said. "I would want to know how this happened. I'm not talking about the mechanics, but how did we get to the position that such critically sensitive information is being treated like a package of fish and chips and moved around London?

"Until we understand the answer, there can be no assurance that this is not going to happen again and again and again."

FBI fraud expert, Frank Abignale said:

"It was not just a mistake. I truly believe that someone paid for information to be stolen. It's what happens all the time, that someone acted in collusion with somebody else to steal this data," said Abagnale, author of Catch me if you can and a fraud expert who has worked extensively for the FBI over the past 32 years.

Governments, corporations and local authorities do a "horrible job of protecting data" said Abagnale.

"Don't send sensitive records by courier or through the mail. It's just common sense, and good business practice that someone should not have done that. The UK government needs to do a much better job of protecting the information of it citizens," he said.

"The government would not ship gold bullion via an unsecured courier or method and in today's environment, one needs to understand that sensitive personal data is worth just as much as gold bullion."

He added: "This is what scares me about the concept of UK ID card. Taking all of this information, including biometrics information, and putting into one place is dangerous. It is allowing one weak link in the chain, for instance, a criminal to approach someone to steal information," said Abagnale.

...

If the data was stolen, then it is likely the thief would sit on this information for a number of years before harvesting identities, said Abagnale.

"Because the records are for younger people, many may not have a credit record yet. Once they reach adulthood, they could find their identity has been sold before they've even started on life."

HMRC's data loss highlights the difference between data breach notification laws in the US and the UK, said Abagnale. The UK government waited more than 10 days to notify parliament and the public of the breach. But n the US, under current laws, the government would have had to notify everyone affected immediately.

And Nick Robinson of the BBC says about the exchange of emails between the National Audit Office and HMRC:
The key thing we learn comes not from the detail but the tone of all the exchanges. They demonstrate little concern from either the NAO or HMRC about data protection. The NAO wants, it would appear, simply to reduce the size of the files it is sent. The HMRC is worried about the cost of filtering information in order to send the smaller files the NAO request. What about our privacy and our rights? No mention is made of them.
And now the good news:
New measures to increase government data sharing are included in bills announced in the Queen’s Speech.


2 comments:

hut said...

LOL!!! loved the "good news".

Increase data sharing -Put it on billboards on the M25 perhaps?

AmberCat said...

...and continues....

...and continues...

Ambercat's blog highlights the latest acts of incompetence in the Stockport Primary care Trust, The Department of Work and Pensions and The Ministry of defence.