Loose lips (still) sink ships

Frozen Solid Security Monkey by Monkey River Town

I suspect many of our readers will already have seen something about this, but just in case it hasn’t gotten a lot of U.S. press, Chancellor Alistair Darling (a very high-ranking member of the British government) announced today in the House of Commons that 2 discs (CDs or DVDs – I’m not sure) were lost that contained highly confidential information for 25 million individuals. This data included names, dates of birth, insurance numbers, and (in some cases) bank account details — essentially all the toys you’d need to execute identity theft and fraud on a massive scale. The kind of stuff that an organized crime outfit would probably pay mucho top dollar for.

And the data was unencrypted.

Yup.

Unencrypted.

Makes you want to cry.

(In fairness, the discs were “password protected”, but no one seems clear on what that actually means. Given that most password systems for discs and files are child’s play to get through, without solid encryption on the other end “password protected” doesn’t offer much comfort.)

Unfortunately, as several of the talking heads pointed out, this is at some level inevitable as governments, corporations, and educational institutions move to larger and more centralized databases. Consider, for example, last year’s leak of the search histories of half a million AOL users.

The U of M at least tries to take these things seriously, but they don’t always get the stick by the right end. There’s a lot of noise, for example, about whether faculty like myself should be able to hold confidential student data (including things like homework grades) on our office computers or (far worse) on laptops or home computers. This is partly a security concern (stolen laptops are always a risk, who knows how well I’ve configured and updated my computers), and partly a data protection concern (how often do I actually back up my data). If they seriously go down this road, however, then one consequence is that all this grade data for the entire University is in one place. At the moment, if my computer gets lost or destroyed or stolen, there’s not much exposure. It would be painful and unpleasant for me and several dozen students, but the ripples would stop pretty quickly. If all that data is centralized, however, then the risk is arguably much greater, especially if it’s not managed well.

In reality, I’m not their real problem. I just don’t have access (and rightly so) to enough data to mess up very many people’s lives. There are admin and support staff, however, that have access to enormous amounts of sensitive information. Are they able to burn a couple of DVDs full of the stuff? Probably (but hopefully not easily). Are they trained on why that would be a really dumb idea? I think so.

But then I would have thought that staff at Revenue and Customs over here would have had that sort of training.

And apparently I would have been wrong.

Thanks to the fine folks at MonkeyRiverTown for the great photo.


2 Responses to Loose lips (still) sink ships

  1. CoryQ says:

    As a staff member at a University myself, I think about this on a pretty regular basis. My guess is that you are familiar with FERPA, but a lot of parents aren’t.

    And I am exactly the kind of guy who can gain access to all sorts of important data like birthdays, etc. UST finally made the move about two months ago to stop using SSN as an open identifier, which I think was very smart.

    Yeah, the cyber world is a very, very creepy place sometimes.

  2. Phi says:

    Indeed the U pushes FERPA pretty heavily, and our Registrar at UMM has been really good at keeping FERPA clearly in everyone’s mind. As you say, though, most parents probably don’t know much about FERPA, or the risks involved.

    Boy, I’m glad to hear that UST has stopped using SSN like that. The University of Texas used SSNs as the primary ID when I was a grad student there, which I didn’t really think about at the time. In retrospect, however, that was an amazingly ungood idea.

    One side effect of this recent loss is that plans for a national ID card in the UK are going to lose a lot of support, and they didn’t have much to begin with. It will be interesting to see how that plays out.
