Loose lips (still) sink ships

Frozen Solid Security Monkey by Monkey River Town

I suspect many of our readers will already have seen something about this, but just in case it hasn’t gotten a lot of U.S. press, Chancellor Alistair Darling (a very high ranking member of the British government) announced today in the House of Commons that 2 discs (CDs or DVDs – I’m not sure) were lost that contained highly confidential information for 25 Million Individuals. This data included names, dates of birth, insurance numbers, and (in some cases) bank account details — essentially all the toys you’d need to execute identity theft and fraud on a massive scale. The kind of stuff that an organized crime outfit would probably pay mucho top dollar for.

And the data was unencrypted.

Yup.

Unencrypted.

Makes you want to cry.

(In fairness, the discs were “password protected”, but no one seems clear on what that actually means. Given that most password systems for discs and files are child’s play to get through, without solid encryption on the other end “password protected” doesn’t offer much comfort.)

Unfortunately, as several of the talking heads pointed out, this is at some level inevitable as governments, corporations, and educational institutions move to larger and more centralized databases. Consider, for example, last year’s leak of the search histories of half a million AOL users.

The U of M at least tries to take these things seriously, but they don’t always get the stick by the right end. There’s a lot of noise, for example, about whether faculty like myself should be able to hold confidential student data (including things like homework grades) on our office computers or (far worse) on laptops or home computers. This is partly a security concern (stolen laptops are always a risk, who knows how well I’ve configured and updated my computers), and partly a data protection concern (how often do I actually backup my data). If they seriously go down this road, however, then one consequence is that all this grade data for the entire University is in one place. At the moment, if my computer gets lost or destroyed or stolen, there’s not much exposure. It would be painful and unpleasant for me and several dozen students, but the ripples would stop pretty quickly. If all that data is centralized, however, then the risk is arguably much greater, especially if it’s not managed well.

In reality, I’m not their real problem. I just don’t have access (and rightly so) to enough data to mess up very many people’s lives. There are admin and support staff, however, that have access to enormous amounts of sensitive information. Are they able to burn a couple of DVDs full of the stuff? Probably (but hopefully not easily). Are they trained on why that would be a really dumb idea? I think so.

But then I would have thought that staff at Revenue and Customs over here would have had that sort of training.

And apparently I would have been wrong.

Thanks to the fine folks at MonkeyRiverTown for the great photo.

Related posts