List: isn
Subject: [ISN] Security expert's data alert went unheeded
From: InfoSec News <alerts () infosecnews ! org>
Date: 2007-11-26 7:08:11
Message-ID: Pine.LNX.4.61.0711260108010.9708 () conundrum ! infosecnews ! org
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/11/25/ncustoms625.xml
By Andrew Alderson
Chief Reporter
25/11/2007
The Government failed to heed warnings that would have averted last
week's fiasco involving HM Revenue and Customs (HMRC), it can be
disclosed.
The concerns were raised two years ago by Dr Mark Walport, who
ironically was asked by Gordon Brown last month to head a six-month
review on the use of personal information.
The security expert co-authored a report for the Council for Science and
Technology, an independent government advisory body, which warned that
departments needed to "streamline data protection protocols" and improve
security.
The 37-page report, published in November 2005, was commissioned by the
Government for Tony Blair. It correctly predicted that the unauthorised
use of personal data would "damage [the] government's reputation with
political ramifications".
Last week, the warnings came back to haunt the Government as it was
revealed that HMRC had lost two CDs containing sensitive personal
details of 25 million people. In an interview with this newspaper, Dr
Walport described last week's disclosure as "a disaster".
The report, called Better use of personal information: opportunities and
risks, said:
* Sensitive data should be encrypted to make it more secure;
* New systems, or filters, should be introduced to enable data to be
released selectively;
* An independent watchdog should monitor security procedures;
* Stiff penalties should be meted out to those who failed to comply with
legal safeguards.
The data on the two missing discs sent from the HMRC office in
Washington, Tyne and Wear, was not encrypted: it was simply protected by
a password that experts say could easily be worked out by a computer
hacker.
The lack of "filters" on the data also meant the HMRC sent out sensitive
information including parents' addresses and bank accounts even though
they were not requested by the National Audit Office, the body to which
the discs were sent but failed to arrive.
Richard Thomas, the Information Commissioner, complained last week that
his body did not have enough powers, including the ability to carry out
spot checks on government departments. He also called for reckless
security breaches to be a criminal offence, echoing Dr Walport's earlier
urgings.
Dr Walport, who is now director of the Wellcome Trust, a charity funding
health research, said: "This has been a disaster, frankly. The
responsibility of holding this [sensitive] data means there need to be
extraordinarily careful processes to make sure that disasters like this
don't occur."
Dr Walport, 54, who along with Mr Thomas will deliver the new report
next year, said "common sense" suggested that it was wrong for a junior
official to be able to gain access to so much sensitive information so
easily. "When things like this happen, it is rarely down to a single
individual. It is much more down to processes," he said.
"We need to design systems which minimise the risk of human failure
because there isn't one of us who isn't fallible. We can all make
mistakes. It is about having the right processes in place to minimise
the risk of human error."
Dr Walport said there were great benefits from data sharing, but that
computerisation, with its ability to store large amounts of data in a
compact fashion, increased the risk of data loss.
__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/