Links of the day Friday 10th June 2011

Please note these are articles and opinions we found interesting, however they do not necessarily represent the views of Big Brother Watch

Council CCTV award win criticised

Hackers warn NHS over security

Cabinet Office talks to Facebook & co about new ID system

Personal data stolen from UK developer Codemasters

Facebook facial recognition tool probed by UK regulator over 'obvious' privacy issues

Two fined for mobile data breaches

CCTV car plans approved

Links of the day Thursday 9th June

Please note these are articles and opinions we found interesting, however they do not necessarily represent the views of Big Brother Watch

School surveillance: how big brother spies on pupils

Apple iCloud: Same old cage, new height

Judge rules against firm that lost $345k to bank trojan

Please explain the monkey business

Don't lose this chance for better prisons

Will Facebook facial recognition tool invade our privacy?

US school district hit with new Mac spying lawsuit

ICO fines Surrey County Council £120,000 for multiple email privacy failures

Citigroup suffer data breach of 200,000 customers

The banking company Citigroup has admitted to a breach of their online systems, which allowed a hacker to view the names, email addresses and account numbers of 200,000 customers. However, the information did not include birth dates, PIN codes or similar sensitive information meaning it may not be possible for their accounts to be accessed and funds stolen.

Citigroup have now spoken to U.S. police to inform them of the breach, as well as increasing fraud procedures for their online banking. Affected customers are currently being contacted but the bank will not reveal if any suspicious transactions have been encountered since the incident.

Citibank have released the following statement:

“During routine monitoring, we recently discovered unauthorized access to Citi’s Account Online. A limited number – roughly one percent – of Citi bankcard customers’ account information (such as name, account number and contact information including email address) was viewed. The customer’s social security number, date of birth, card expiration date and card security code (CVV) were not compromised. We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event. For the security of these customers, we are not disclosing further details.”

As usual with incidents like this, the potential for phishing attacks on customers using 200,000 records is extremely severe. Anyone with an account at Citigroup should ensure all communication from them is official and not an attempt to accumulate your data in order to steal from your account.

North Lanarkshire Council fail to protect sensitive data of vulnerable people

The ICO have revealed that North Lanarkshire Council have failed to protect the data of vulnerable adults after paper records were stolen from an employee’s bag. After an investigation the ICO determined there had been a breach of data laws and council chief executive Gavin Whitefield must sign an undertaking to put in place the correct policies and procedures to avoid a repeat of the issue.

The ICO claimed the council had provided inadequate guidance for its employees, leading to a Home Support Worker leaving the bag unlocked with mental and physical health records for six vulnerable adults inside.

Ken Macdonald, the assistant commissioner for Scotland said:

“It is never acceptable for papers containing sensitive personal information to be left in an unlocked bag without necessary precautions. The council's guidance on the handling of this type of information was inadequate and failed to advise staff on the best means of keeping information safe.”

Once again the ICO have avoided fining an institution that has failed to protect the sensitive information of vulnerable people.

What will it take?

Hat-tip: JC

Is the Olympic cultural events database being kept on an unsecured Excel spreadsheet?

A report on The Register has found a job vacancy on the London Organising Committee of the Olympic Games (LOCOG) website which seems to suggest that the organisation’s entire cultural events database is stored on a simple Excel spreadsheet.

The job description states:

“The majority of the Team and Database Administrators work will be to work with the Senior Operations Manager, and Business Manager, in management of the central cultural events database (held in excel)”

Any large-scale projects which involve computers and governmental organisations inevitably seem to end up in disaster in the United Kingdom, after well known problems with schemes such as the NHS database being a prime example.

After being questioned on the matter, LOCOG released the following statement:

“The document you're asking about is just a simple list of information relating to events, it's a tracking tool not a database. ExCel [sic] spreadsheets are a common corporate tool and we use them as and when appropriate.”

“Where data is of a more sensitive nature then we impose stronger security measures and platforms according to the risk profile. Information security is of the up most importance to LOCOG and we are confident that our data is held securely with the stringent security procedures we have in place.”

If there is any truth to this story; it is a catastrophe waiting to happen. This much data, some of it very sensitive, stored on a simple spreadsheet, could potentially be hacked or stolen leading to a massive data loss.

For the extended story, click here

99.7% of Android mobile phones vulnerable to data leak

Following on from the concerns regarding location data in mobiles, new evidence discovered by German security experts at the University of Ulm has indicated that up to 99.7% of phones with the Android operating system are vulnerable to a serious data leak. Using an ‘impersonation attack’, hackers can access phones and view, modify or delete calendars, contacts and private pictures.

With the market share of Android rapidly expanding, and more than 400,000 Android phones activated every day, the potential risks for this leak are huge. Considering a vast amount of these phones are for business and corporate use, there is also the potential for industrial espionage or blackmail.

Hackers can exploit this loophole by stealing authentication ‘tokens’ used to identify the phone, then using this information to log on to websites as the legitimate owner, without their knowledge.

In a blog on the university website, the researchers explained:

“The adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user.”

“An adversary could change the stored e-mail address of the victim’s boss or business partners hoping to receive sensitive or confidential material pertaining to their business.”

Mark Evans, director at IT services provider, Imerja, said:

“That such an enormous proportion of Android phones could potentially be leaking users’ personal data is shocking. Mobile devices are increasingly used for business, more so than laptops, and their security is essential to protect organisations against data breach or other ill-intentioned activities.”

“The message to companies is clear; mobile devices must be properly secured. They should be implementing robust and enforceable security policy structures to support effective mobile working, such as encryption.”

A spokesperson for Google said:

"We are aware of this issue, and have already fixed it for calendar and contacts in the latest versions of Android. We are working on fixing it in Picasa.”

Unfortunately, not all Android phones can be updated to the latest version (2.3.4.) and over 99% are still using previous versions, so the threat is still very real. Although the researchers did not find evidence of hackers utilising the leak yet, it seems inevitable that they will in time.

Google needs to ensure all versions of the operating system are secure against this risk, and all phones are updated automatically as a matter of course to avoid a privacy catastrophe which will rival the recent Playstation Network incident in terms of scale and scope. In the meantime, the Daily Mail lists some suggestions on protecting your Android phone.

One Year On: The Coalition and Civil Liberties

Big Brother Watch has today (11th May) released a research paper outlining the progress the Coalition Government has made on civil liberties issues during its first year in office.

The paper concludes that, while real progress has been made, many of the Coalition's promises to roll back the power of the state remain unfulfilled.

Click here to download the report

Commenting on the report, Big Brother Watch Director Daniel Hamilton said:

"The Coalition has some real achievements to speak off. 

"Ministers should be congratulated for taking steps to scrap ID cards and remove the profiles of the one million innocent people held on the national DNA database.   They should also be praised for doing away with the ContactPoint database of children’s details and reforming the criminal record check regime.

"They do, however, have more work to do. 

"Police stop and search powers remain in place, Control Orders remain virtually unreformed and there has been no opt-out from the European Arrest Warrant.  When it comes to E-Borders, the Summary Care Record and Intercept Modernisation Programme, they have continued to implement the previous government’s policies – warts and all." 

Play.com hit by massive customer data loss

By Frank Manning

Play.com has been forced to contact all of its approximately 7 million customers after a company that handles the marketing of the online retailer had its servers breached and customer’s names and email addresses were stolen. Security experts are concerned the details may be used as part of a ‘phishing’ campaign, where customers are directed to a false website designed to look like the official site, then asked to enter passwords and credit card details which are subsequently used for identity theft.

Numerous customers have contacted news outlets to report spam email delivered to the email accounts they use for the website. Play.com has attempted to reassure customers that their credit card details have not been stolen. Customers have received the following email:

“We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.

We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.

Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.”

Although Play.com is blaming an as-yet-unnamed third-party marketing firm, ultimate responsibility lies with the online retailer. It will be interesting to see what response, if any, the Information Commissioner’s Office takes to punish the firm. Play.com has previously received criticism for not allowing customers to delete their credit card details from the site, even on request.  Following this case, they must act on this issue immediately.

If you live in Australia, I hope you're not on Vodafone...

Four MILLION Vodafone customers in Oz have had their personal details, including call records and texts, sold on to "criminal gangs. The story, over at Computer Weekly:

Vodafone employees allegedly sold private customer details and records with access to entire lists of calls and messages from individuals. Company employees have been accused of selling the sensitive information to criminal gangs...

Vodafone Australia chief executive, Nigel Dews, said, "We've made swift progress. We've terminated the employment of a number of staff; we've undertaken a review of the security systems and processes, and we're implementing some of the initiatives straightaway."

At least they've sacked people. One better than most responses to data loss. Oh, and one more thing:

Australian Privacy Commissioner Timothy Pilgrim has launched an investigation to determine whether the mobile firm breached the country's Privacy Act.

By Alex Deane

Sensitive Scottish court records discovered at recycling bank

The Information Commissioner's Office has issued a statement condemning the Scottish Court Service for their dumping of sensitive court records in Glasgow skip. The documents carelessly thrown away were related to ongoing appeals cases.

Ken MacDonald, the Assistant Information Commissioner for Scotland had the following to say:

"People involved in court cases should be able to feel confident that their personal and sensitive information is going to be kept secure and not taken outside of the court room.

"Had any of the papers in this case fallen into the wrong hands, the privacy of the individuals concerned might have been threatened."

We couldn't have said it better ourselves.

It is concerning, yet unsurprising, that staff at the Scottish Court Service failed pay due care and attention to the need to dispose of such sensitive material in a confidential manner.  As we have long argued at Big Brother Watch, it is crucial that urgent measures are taken across the public - and indeed private - sectors to ensure that staff members are adequately trained in how to handle personal data. 

Hat-tip: AW

Book launch this evening: ‘Fight Terror, Defend Freedom’ by Dominic Raab MP

This evening will see the launch of civil liberties campaign group Big Brother Watch’s new publication, ‘Fight Terror, Defend Freedom’ by Dominic Raab MP.
 
The launch of the book will take place between 5:00pm and 6:00pm today in the Thatcher Room in Portcullis House, Houses of Parliament.  
 
Mr Raab, who was an international lawyer prior to his election to Parliament, will introduce his publication, followed by a panel discussion including former Shadow Home Secretary David Davis MP, Centre for Technology Policy Research Jerry Fishenden and Big Brother Watch Director Alex Deane.   
 
Commenting on the launch of the publication Raab said:

“Today’s publication of the National Security Strategy, highlights the flaws in the last government’s approach to counter-terrorism. Too much time, money and effort was wasted on ‘sound byte’ security. Too many of Labour’s measures, like ID cards and prolonged detention without charge, were unnecessary or irrelevant to our security. 

 “The government has a golden opportunity to break with this flawed approach. We should be defending our freedoms, like free speech and the presumption of innocence. At the same time, the justice system is an underused weapon in the fight against terrorism. We should be strengthening our capacity to prosecute terrorists – not least by lifting the ban on using intercept as evidence.” 

Alex Deane, Director of Big Brother Watch said: 

“The case for action is now irresistible.  Dominic Raab’s publication shows the injustices being done every day in this country.  Stop and search and control orders are being reviewed – why?  Why review something when you know it’s wrong?“ 

Click here to download a copy of the booklet.

Guest post: My ill-fated evening in Southampton - Britain’s big brother capital

Recently I had the misfortune of being invited for a night out in Southampton.

This visit was a real eye-opener to me and taught me how much the ‘Big Brother’ society is starting to negatively impact on our day to day lives. I also had a lesson in how little power we have to challenge the people who are doing this.

Let’s start with the basics: it is not possible to have a night out in Southampton without carrying some form of identification.

The types that the bars and clubs accept are: a 'Prove it' card (which at 30 I am too old to have), a driving licence (I don’t drive) or a passport (which in line with Home Office guidelines I use for immigration purposes only!). Without one of these documents, snarling bouncers will refuse you entry to almost every club or bar, even if you the last time you got IDed John Major was still Prime Minister!

A review of the current playing field for civil liberties

I have written an extended piece for the website Critical Reaction reviewing the various outstanding civil liberties issues under the Coalition. Part 1 is here - Part 2 is here.

By Alex Deane

4D facial recognition systems in Northamptonshire schools

At Big Brother Watch we were concerned to learn this week of a Northamptonshire school's decision to introduce a new facial-recognition system to track pupils' movements.

According to reports in the London Metro:

"About 200 sixth formers are having their faces scanned when they ‘clock in and out’ at Sir Christopher Hatton School, in Wellingborough, Northamptonshire, along with pupils in schools in Hertfordshire and Cambridgeshire.  The system can deliver messages to pupils when they sign in, using a four-digit pin, and notes whether they’re late"

Speaking to the Metro Kelli Foster, the school's Head of Sixth Form is right to describe the technology as "incredible"; for indeed it is incredible that schools should feel the need to turn to hold information as to the distance between the eyes and noses of their pupils in order to distinguish between them.  Furthermore, Ms Foster explains that prior to the installation of the technology "each pupil had to sign in and out of the reception by filling in a form - but now it takes under ten seconds".  Without wishing to take an antidelivian attitude to new technology, we at BBW have seen few sign-in forms which take as long as ten seconds to fill in...

With a costly £9,000 price tag (equivalent to £45 per pupil to install), such systems have limited benefits yet are wide open to abuse – from the risk of data theft to the misuse of images by unscrupulous individuals.

Rather than spend money on gimmicks like this, teachers and schools should focus on educating their pupils - and getting to know who they are.

By Daniel Hamilton

Facebook: have they got your number?

The Guardian carries a concerning story regarding the latest version of Facebook’s popular iPhone application.

As a result of the application’s new “contact sync” feature, those using the service face having both their personal phone number and those of their contacts uploaded to the internet.  When uploaded, the phone numbers will be automatically cross-checked with those of other members before allocating them to your online ‘phonebook.

Charles Arthur makes the following observation:

“The implications are huge, and extremely worrying. All it takes is for someone's Facebook account to be hacked (perhaps via their phone being stolen) and lots of personal details are revealed. Or, as [in one case], you get your phonebook record of "Steve Car" (a garage mechanic) somehow linked to someone called "Steve Carlton" - who you don’t know”

Facebook have responded to early criticism of the "contact sync" feature and have now introduced a warning to all those opting to use the feature that their details will be uploaded "subject to Faceook's privacy policy". 

The only way, however, to ensure your telephone number is not shared in this way appears to remove this information from your Facebook profile.

Click here for the full story.

By Daniel Hamilton

Another NHS memory stick goes missing...

What started as a cautionary tale, is now fast becoming an epidemic.

If you don't believe us, just click here and read through a collection of stories we have written about in the past few months that show everyone from local councils, to central government departments losing memory sticks, laptops and files of paper holding confidential information.

Today's story from the BBC is a perfect example:

East and North Hertfordshire NHS Trust has been found in breach of data protection after a doctor lost a memory stick on a train.

The junior doctor had recorded details of patients' conditions and medication on the device and was meant to hand it over to the next doctor on shift.

But the doctor forgot and lost the unencrypted device on the way home.

Our patient records report Broken Records was decried by the Government of the time for not being relevant. Yet with every serious data breach ruling by the ICO (and there have been a lot in recent months) the number of non-medical - and indeed medical - personnel with unfettered and easy access to our private medical data becomes more and more pertinent.

By Dylan Sharpe

More private information is lost by local authorities

The Information Commissioner's Office has said that West Sussex County Council shows 'poor regard' to the importance of protecting children's personal information.

An unencrypted laptop containing information about children was stolen from the home of a Council employee - it contained sensitive personal data about children and families involved in childcare proceedings.

The employee had not received any formal data protection or IT security training and also discovered that more than 2,300 unencrypted laptops were likely to be still in use across the council's various services.

WSCC was one of three councils in England, including the London Borough of Barnet and Buckinghamshire County Council which were found to be in breach of the Data Protection Act. The ICO said that there had been 'a systemic lack of staff training on how to handle personal information'.

ICO's Sally-Anne Poole said:

These three councils have shown a poor regard for the importance of protecting children's personal information.

It is essential that councils ensure the correct preventative safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children.

A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands.

All of which is right. So who's going to be held responsible? Who's going to be punished?

Readers will note that this is the not the first data loss article we've written this week... if you look to the column on the right you'll see a "losing data" category in the cloud. It's getting bigger.

By Alex Deane

Yet another disgraceful example of data loss by councils

Over at the ICO, a press release that should send a shiver up the spine of any resident of the following areas (and probably the rest of us too, given the slack behaviour it suggests):

Over 9,000 child details put at risk by councils

The Information Commissioner’s Office (ICO) has taken action against the London Borough of Barnet, West Sussex County Council and Buckinghamshire County Council for breaching the Data Protection Act. A systemic lack of staff training on how to handle personal information has led to the loss of sensitive personal information relating to thousands of children.

Sally-Anne Poole, Enforcement Group Manager at the ICO, said: “These three councils have shown a poor regard for the importance of protecting children’s personal information. It is essential that councils ensure the correct preventative safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children. A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands.”

A theft from the home of an employee of the London Borough of Barnet was reported by the council. An unencrypted, non-password protected USB stick and CDs containing the sensitive personal information of over 9,000 children and members of their families were taken. An employee had downloaded the data onto the unencrypted devices without any authorisation to do so, although it was later revealed that there was no training provided or security in place to prevent such downloads. The ICO had conducted an audit of the London Borough of Barnet prior to this incident that had also highlighted this lack of staff training.

West Sussex County Council had a laptop stolen, also from the home of an employee, which contained sensitive personal data relating to an unknown number of children and families involved in childcare proceedings. The laptop was unencrypted and enquiries by the ICO revealed that the employee had not received any formal data protection/IT security training. It was also discovered that over 2,300 unencrypted laptops were likely to be still in use across the council’s various services, although steps are now being taken to encrypt these.

Buckinghamshire County Council provided a report regarding the loss, at Heathrow Airport, of documents containing sensitive personal data relating to two children. The documents were in a plastic wallet belonging to a council social work employee who was travelling to another UK city in connection with the children’s social care case. After further analysis by the ICO, it was apparent that no real thought had been given to the security of this personal data during travel. It was also revealed that some of the council’s policies needed revision and that staff training in data protection was insufficient.

The ICO has found all three councils in breach of the DPA.

This is extremely worrying. Children are entitled to privacy just like adults: these authorities have had scant regard for the safety of their private information.

Whilst I applaud the ICO for naming and shaming the councils, to get real change in the culture of contempt for privacy on show here the Commissioner should be able to order or recommend dismissal of individual personnel.

This is the data loss we know about. Residents with children must be wondering - What else has been lost by these councils?

Remember of course that national government is just as bad as local government - in 2006 the DWP lost the entire child benefit database, containing the very private details of some 25 million people.

By Alex Deane

Why I am against bin chip "incentive" schemes

You may have seen the tremendous news that "pay as you throw" schemes have been abandoned. Big Brother Watch wholeheartedly approves. As we documented in our report on this topic, those underhand plans symbolised the worst of our Big Brother state - snooping on our private waste and charging us for the privilege, without any sort of democratic mandate to boot.

On the other hand, you may have seen that the Government is embracing a supposedly alternative scheme in the Royal Borough of Windsor and Maidenhead, which also uses bin microchips. Those who chose to opt into the scheme are given reward tokens when they fill their recycle bins which can be used in local shops.

I oppose such a scheme too, and have been challenged on this by the (generally admirable) Leader of the Council, David Burbage. I thought that I would set my thoughts out here.

The Coalition has performed a disgraceful u-turn on the Summary Care Record

The Government has announced that it will continue building the Summary Care Record database of our medical data.

This contradicts the Conservative position outlined last year: 'A Conservative government would "dismantle" central NHS IT infrastructure, halt and renegotiate NPfIT local service provider contracts and introduce interoperable local systems.'

It also contradicts the Liberal Democrat position outlined this year, when Norman Lamb, then Liberal Democrat health spokesman, said: "The Government needs to end its obsession with massive central databases. The NHS IT scheme has been a disastrous waste of money and the national programme should be abandoned."

This is a disgraceful u-turn. The Coalition wants us to believe that they are serious about privacy and civil liberties – this is their first real test, and they have failed it.

The SCR is an unnecessary and intrusive piece of bureaucracy, as well as being wildly expensive. Doctors have managed without it until now. Our research has shown how vulnerable the NHS is to breaches of privacy – this will make things much worse.

Finally, I note that it was "announced" by brief Written Answer, without debate, on the day of the statement made to the House on the Cumbrian shooting, so it didn't get picked up anywhere. A Jo Moore 9/11 situation writ large, but after weeks in power rather than New Labour's years in office by the time of Moore's disgrace. New government, old tricks. No change, and no shame.

By Alex Deane

Another day, another data loss

This time West Berkshire Council has managed to lose an unencrypted memory stick containing sensitive information on children and young people.

As reported by Public Service:

The memory stick, which was neither encrypted or password protected, contained information relating to the ethnicity and physical or mental health of the children.

West Berkshire introduced encrypted memory sticks in 2006. But following an investigation by the Information Commissioner's Office (ICO), it was also discovered that council employees were still using unencrypted memory sticks.

Nick Carter, West Berkshire's chief executive, has now signed a formal undertaking to ensure the appropriate devices are encrypted and that all staff are trained appropriately.

Bit late now ain't it Nick? More to the point - what were your staff doing walking around outside of the council with this data?

After this case...and this incident...of private information being lost or misused in the past few weeks, it is about time that the public sector woke up to their horrendous record of data loss.

By Dylan Sharpe

HMRC send out the wrong data to 50,000 people

The ever-vigilant Register have uncovered the latest unbelievable data mistake from the always woeful HMRC.

As they report:

Her Majesty's Revenue and Customs apologised today for sending out private information to 50,000 tax credit recipients.

One taxpayer who contacted The Register said: "We received our tax credit notice with our National Insurance details but on the back were two strangers' work, childcare and pay details."

He then received a note from the Revenue which blamed a print supplier for wrongly preparing the notices.

We asked HMRC how many of the 50,000 letters were wrongly printed and how many included other people's details but they could not tell us.

In case anyone has forgotten, HMRC's inglorious history of data misuse includes the horrendous occasion they managed to lose disks containing the data of 25 million child-benefit recipients.

This latest error once again highlights the dangers of databases and the slack approach to private data in our civil service. Changes need to be made, urgently.

By Dylan Sharpe

Yet more confidential medical records go missing

A removable memory stick containing confidential medical records has been found in a supermarket car park, according to the BBC website:

A member of staff has been suspended after medical records belonging to patients at a secure hospital near Falkirk were found in a car park.

A computer memory stick containing the sensitive information was found by a 12-year-old boy outside an Asda store.

It reportedly contained the criminal histories of some violent patients as well as details about staff at the Tryst Park unit at Bellsdyke Hospital. 

Only last week we reported that the NHS had experienced more serious data breaches than any other institution in the UK; and used it as an example as to why the NHS Connecting for Health IT scheme needed urgent review.

But this latest data breach is also very relevant to our recent report Broken Records. The Trust involved in this case is NHS Forth Valley for whom - according to our research - 769 non-medical personnel have access to patient records.

Only when access to medical data is restricted to a need-to-know basis will this sort of fiasco stop happening.

By Dylan Sharpe

MoD admits losing confidential data

Following yesterday's CRB blunder revelation - and coming not long after it was revealed that HMRC lost 3,500 passports in their 'secure post' - we now have more tales of bureaucratic incompetence.

As reported by Kable:

The Ministry of Defence has reported 347 losses of supposedly protected information last year.

The ministry recorded 71 incidents of lost confidential data in January and February 2010. According to a parliamentary written answer published on 8 April 2010, the figure for those two months almost equals the total number of losses for 2005.

Apparently, the reason the past 12 months look so bad is that (according to Defence Minister Bill Rammell) "there is an increased awareness of the need to report data loss across the department".

Which doesn't so much alleviate the problem of lost data, as suggest that this level of ineptitude is common but has previously gone uncounted.

Big Brother Watch will be doing a full analysis of the party manifestos later today, but it is clear that the next government needs to create fewer/reduce the number of state databases. The future security of our personal data is at stake on 6th May.

By Dylan Sharpe

Personal details of 9,000 schoolchildren lost in Barnet

Another disgraceful tale has been sent to us by a supporter which can drop straight into our 'Losing Data' category tag.

From the Barnet and Potters Bar Times:

Personal details of 9,000 school pupils has been stolen from the home of a Barnet Council worker, it has been revealed.

Twenty unauthorised and unencrypted CDs and memory sticks with details including names, date of birth, addresses, phone numbers and school attainment were taken from the house a fortnight ago.

An encrypted council laptop was also taken in the raid, which council officials say was not targeted but a random burglary. 

First question: what was this sensitive data doing sat on a council worker's kitchen table?

Second question: why were the CDs and memory sticks unencrypted?

If one reads the full article, it is hard not to praise Barnet for their speedy actions in trying to rectify the problem.

But the episode does add further weight to the points we made in our recent report into medical records: namely that the state does not treat our personal data with anything near the respect it deserves, and the more people with access - the more likely it is to get lost.

By Dylan Sharpe

HT: DM

Your data on 500,000 terminals across the EU

It emerged this weekend that large amounts of confidential personal information held about British citizens is currently being stored on a giant computer network spanning the European Union, and can be accessed through more than 500,000 terminals. Once again, the two things that aren’t being given proper consideration are privacy and security. 

As reported over at the Guardian:

The figure was revealed in a Council of the European Union document examining proposals to establish a new agency which would manage much of the 27 EU member states' shared data. The sheer number of access points to the Schengen Information System (SIS) - has triggered concerns about the security of the data.

Half a million access points – that’s more than the population of Luxembourg. It goes without saying that the SIS system has already been subject to serious breaches of security. Statewatch, a civil liberties outfit that follows security related issues across the EU, claim that personal information was extracted from the system by an official in Belgium - and was subsequently sold to an organised criminal gang.

As EU business report, the official line, sounds all too familiar:

“The second generation Schengen Information System (SIS II) will be a large-scale information system containing alerts on persons and objects.” “It is a communication infrastructure between the central system and the national systems providing an encrypted virtual network dedicated”.

In reference to the expansion of the SIS database, Tony Bunyan, director of Statewatch, endorses two principles with which we can all agree:   

"The greater the points of access, the greater the number of people who have access and the greater the chance that data will be misplaced, lost or illegally accessed." Furthermore, "the idea that mass databases can be totally secure and that privacy can be guaranteed is a fallacy."

Sound logic, Mr Bunyan.

By Edward Hockings

Wigan Council loses the data of 200 disabled residents

Well, the headline says it all, really - but here's the story. In sum:

Wigan Council believes a memory stick containing hundreds of confidential details fell out of an employee's pocket

To which I'd say, (1) This was back in January - shouldn't that be ex-employee? (2) Doesn't this say something to those who want more government databases?

You'll note that we have a "losing data" tag on the site. It's merited because it happens so often. 

By Alex Deane

Government quango admits rate of data loss is 'unacceptable'

The Information Commissioner's Office (ICO) - the government quango charged with responsibility for Data Protection and Freedom of Information among other things - has today announced that they would like to start introducing penalties for data loss given that 'the number of incidents of loss or theft of personal data has risen to an "unacceptable" level in the past year'.

There is not yet any discussion of previous years, but we'll take it as read that those were unacceptable too; although according to reports '434 organisations reported data security breaches in the past 12 months, up from 277 the year before.'

Polling conducted by Big Brother Watch last month showed that 86% of people think that the government can’t be trusted to keep our personal information safe. No wonder, when you see enormous losses like this.

The best way to ensure our privacy and secure our information is not to build these intrusive databases in the first place. Failing that, the second best way is to be competent about securing such databases. 

It is about time punishments were introduced for those authorities that fail to keep our data secure.

By Dylan Sharpe

- - UPDATE - - Head of Civil Service warns of further leaks

This story has just appeared on the BBC, which updates my post below and all in all paints a very sorry picture of the present state of data security in Whitehall.

Sensitive official information with potential implications for national security has leaked from Whitehall, the head of the civil service has warned.

Giving evidence to the Commons Public Administration Committee, Sir Gus said he was considering whether the breaches were serious enough to call in the police or the security services.

"There are other areas where there is still information going missing," he said.

"I am trying to work out precisely whether it is serious enough. Certainly it is not perfect at the minute.

"There are one or two [leaks] that I am worried about that have come from sensitive places that, in themselves, haven't been national security issues but they have come from areas that deal with national security issues."

What is going on? The day after Big Brother Watch releases polling showing that 86% of people don't trust the government on data security; 38 tapes go missing from the Rural Payments Authority and now it is revealed that information relating to national security has been lost.

If we can't trust the government with data relating to the defence of the realm, we certainly can't trust them to keep our DNA, fingerprints and other biometric data safe.

By Dylan Sharpe

This is why 86% of people don't trust the government on data security

Yesterday Big Brother Watch released details of polling we conducted asking people whether they trusted the government to keep their personal data safe.

The answer we received was that a resounding 86% of respondents did not - an increase from 58% when the very same question was asked 7 years ago. 

If you need a reason for this enormous rise, the answer has been delivered today in the shape of the Rural Payments Agency (RPA); who have lost 38 tapes, some potentially containing the coded personal data of British farmers.

The RPA, for those unaware, is responsible for providing subsidies to farmers and therefore holds records including names, addresses and bank details.

According to the BBC report, the Shadow Environment Minister, Nick Herbert, said that the Minister had been forced to make the announcement because trade magazine, Farmers Weekly, was planning to report the loss on Friday.

To tie this story in with another from earlier today, the RPA is one of the bodies that is to be given the power to search homes, seize cash, freeze bank accounts and confiscate property under the Home Secretary's extension of the Proceeds of Crime Act - now doesn't that fill you with confidence? 

It seems that every few months we are being told stories of government departments mislaying CDs and leaving laptops on trains. It is therefore no wonder that most people don’t feel comfortable handing over their data for schemes like the DNA database and ID card project.

By Dylan Sharpe