Crap Government IT Rules OK? Oh well, pass the biscuits. |...

Bloor IM Blog Philip Howard 8th February - Bribery

Bloor Security Blog Nigel Stanley 8th February - Conficker grounds police checks

The Norfolk Punt David Norfolk 3rd February - What's wrong with "security"

Laurie McCabe Laurie McCabe 2nd February - What is Total Cost of Ownership, and Why Should You Care?

Bloor IM Blog Philip Howard 2nd February - Calpont finally comes to market

Laurie McCabe Laurie McCabe 29th January - Does IBM Lotus Really Want to Get Small? My Take on Brent Leary's Podcast

Blogs > Nigel Stanley

Crap Government IT Rules OK? Oh well, pass the biscuits.

By: Nigel Stanley, Practice Leader - IT Security, Bloor Research
Published: 20th November 2007
Copyright Bloor Research © 2007

As I sit writing this rant I can feel the collective blogsphere seething at news that HM Revenue and Customs have managed to lose millions of child benefit records - up to 24 million according to BBC News at the time of writing.

Apparently the data, on CD, was lost as it was being couriered to the National Audit Office (Why by the way?). Apparently the discs were "password protected" but I haven't seen mention of the "encryption" word yet. I assume the data was not suitably encrypted, if it was then the loss would have been an irrelevance and the data safe and sound.

I have written so many lines covering data leak prevention and loss protection that I am starting to see double. I'm currently researching over 70 vendors that have products that prevent data going missing (data leak prevention) or encrypt it so that if it does go missing it is protected (data loss protection). Almost anyone of these vendors could have flogged HMRC a product that could have saved them a lot of pain today, and it is appalling to hear of such a data loss.

For heavens sake, you can pop down to PC World and buy an encryption product for the price of biscuits at a civil service meeting.

Enough must be enough.

The loss of 26.5 million war veterans' data from the United States Veterans Association a couple of years back when a laptop, containing unencrypted data, was stolen in a burglary is often cited as the event which changed a lot [but certainly not all] of organisational attitudes to data encryption in the US, but we obviously have a long way to go.

With a government intent on building ID and DNA databases I shake my head in horror at the sheer incompetence of those charged with designing, implementing and managing the systems. Of course there must be pockets of excellence in government IT that are as freaked out as I am about this news, but I believe them to be a shrinking minority.

I really hope that this disaster is the beginning of a change in attitudes to data protection in the UK and the importance of data leak prevention and loss protection. Somehow I think I may be disappointed though.

Anyone for another Jaffa Cake?

Reader Comments

We are no longer accepting comments against this item. We suggest contacting the author directly.

20th November 2007: 'Sean' said:

This is utterly appalling.

Everywhere says ID theft is on the increase and the government misplace millions of records!

What is this country coming to?

Reply to Sean?

20th November 2007: 'John Stelling' said:

Okay the government screwed up. What about the courier? Surely they are to blame too.

Reply to John Stelling?

21st November 2007: 'Jerome' said:

And we are supposed to trust these jokers with a complete national identity database with all our personal information in one central place? They must be joking!

Reply to Jerome?

21st November 2007: 'Del' said:

I carry no brief for HM Government on this, but it was a bit ironic to hear the Conservatives' outrage at this lapse of data protection. After all, their own recent policy review announced pledged them to cut back the UK's data protection laws if they ever get back in office.

Presumably that particular brainwave will be allowed to die quietly now under the cover of obvious public disquiet with HMRC.

Reply to Del?

21st November 2007: 'Peter Abrahams' said:

If a relatively junior employee was able to create a copy of all the data and pop it in the post can we be sure that he or someone else has not created a copy and just put it in their briefcase?

If we cannot be certain we have to assume it has happened, now what?

Reply to Peter Abrahams?

22nd November 2007: 'Dave Nesbitt' said:

The blogosphere is certainly seething and quite rightly so. It's simply ridiculous. Three things need to come out this: we private citizens need to understand the value of their private data to fraudsters and hang onto it when they can; organizations that train us to hand over our privacy and then store our ID data insecurely need to wise up before they are the next ones making the headlines; the UK Government needs to give up the ridiculous idea that is the ID Card database.

http://icanhasidentity.wordpress.com/2007/11/22/sober-reflections-on-the-child-benefit-agency-debacle/

Reply to Dave Nesbitt?

11th January 2008: 'wtsurview?' said:

THe most obstructive degrading untrustworthy people and they all seem to be running the country ,I personally love ,with a constant stream of mistakes and corruption what did my grandfather fight for ? disgusted is one word that comes to mind. As I am a 18 year old that should be more bothered about whos going to be playing the next big gig's ,or when my team are going to make the big four in the premiership (or the FA)and not politic's i feel WE HAVE A SERIOUS PROBLEM. will anyone listen .... NO!

Reply to wtsurview??