In UK, 12M Taxpayers Lost With USB Stick 258
An anonymous reader tips a piece from the UK's Daily Mail that recounts another sad tale of the careless loss of massive amounts of private user data. "Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details. The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets. An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost."
How it came to be lost? (Score:5, Insightful)
I've got a better question. I'd like to know how this memory stick came to be in the first place!
Putting aside the question of whether such a database of private information has any reason to exist, what possible excuse is there for putting the information to access that database on a portable USB device? It was not a question of if such a device would be lost, but when.
Good security policy demands redundancy for just this reason. A verification system should require--at the very least--a combination of something you know (your personal pin), and something you have (for example, a SecurID or in this case, a USB key with the passcodes on it). That way, if the physical token is lost, security isn't immediately compromised.
This kind of careless attitude towards security wouldn't fly in the corporate world. It's only because it's the government doing it that security is so lax. After all, nobody's job is on the line over this. It's next to impossible to fire a government employee in most countries, epic incompetence--or even outright misconduct--notwithstanding. So expect to see more of this, because there's no incentive to change.
Forget how it was lost. (Score:4, Insightful)
Re:How it came to be lost? (Score:5, Insightful)
Bet (Score:5, Insightful)
I will bet $100 AUD (Or about 50 UK pounds) that there will be absolutely no jailtime served by anyone involved in the loss of this data, with the possible exception of the poor soul who found it.
Not the first time it's happened by far, and it certainly won't be the last... would you trust a surveillance society that can't even keep track of its own inventory?
Lost data (Score:1, Insightful)
What, again?
At the same time, the government wants us to let them to store personal details of all citizens in the interest of national security.
The unknown (Score:4, Insightful)
Re:Bet (Score:5, Insightful)
I will bet $100 AUD (Or about 50 UK pounds) that there will be absolutely no jailtime served by anyone involved in the loss of this data, with the possible exception of the poor soul who found it.
After the number of high-profile security breaches, the number of well-meaning people who have been treated as suspects by the police and the willingness of the media to pay for such stories, it seems that the only sensible thing to do is very quietly hand it over to a journalist.
Re:bet carried (Score:1, Insightful)
Re:How it came to be lost? (Score:2, Insightful)
I'm not convinced about the credentials of their "security expert". Sounds like more of a "scare story expert". Quoting the article:
He said: 'We have to hope that there are not more of these out there. This is potentially the most serious data loss this country has seen in recent times... Not only would a fraudster be able to take personal details using the tools provided on the lost memory stick, but the extent of the information contained in the source code would allow a hacker to access the Government Gateway's payment systems and even divert tax money into private bank accounts.
I hope none of you are using Linux, because I have the source code, and that means I can hack your system and steal all your money.
Does the Mail have a gallery of these "experts" on standby to give a comment as required for the scare of the day... "Experts say that nobody knows how many paedophiles are molesting your children at this very moment!" "Experts say you could be knifecrimed by a chav today!" "Experts say that Russell Brand might be prank-calling your grandfather RIGHT NOW."
Surveillance Society (Score:5, Insightful)
Re:Surveillance Society (Score:5, Insightful)
Silly citizen. The rules apply to you, not us.
Re:Bet (Score:5, Insightful)
There isn't supposed to be any trust in a surveillance society - that's the whole reason for the surveillance.
Re:Same old same old... (Score:4, Insightful)
To an extent it's just because that's what sells papers. There are always kids being stabbed and planes crashing and data being lost. It's just if kids being stabbed becomes a hot topic, you print more stories on stabbed kids.
I really don't think much has changed, but the Mail is keen to point out that the world is ending, and it's probably Johnny Foreigner's fault.
Re:How it came to be lost? (Score:5, Insightful)
This is the one of the few types of story on /. where people aren't clamoring to say that information needs to be free or that it wants to be. Alas, I must agree with you. That would have been much funnier.
Why was the stick needed? (Score:5, Insightful)
I have witnessed how strict, inflexible security rules force people to break the security in order to get their job done.
Re:How it came to be lost? (Score:5, Insightful)
The Industry standard is unencypted.
Re:How it came to be lost? (Score:1, Insightful)
"This kind of careless attitude towards security wouldn't fly in the corporate world."
That was so funny I accidentally snorted my coffee.
I'm a systems analyst, in "the corporate world". Business "professionals" lose stuff like this all the time. We're constantly chasing down corporate buffoons that save their passwords in their Google and Yahoo accounts, USB drives, or on my personal favorite security breach, the sticky note.
Re:How it came to be lost? (Score:3, Insightful)
Does the Mail have a gallery of these "experts" on standby to give a comment as required for the scare of the day...
From that comment, I'd assume you've never read the Daily Mail. But then you seem to have a list of their recent headlines.
Oh I see, you *think* you're being sarcastic!
Re:How it came to be lost? (Score:3, Insightful)
It's insecure because the default user response to this kind of 'security' is to affix said passwords to screen using a post-it note.
Admittedly, that isn't the system itself being insecure per se...
Re:How it came to be lost? (Score:3, Insightful)
The corporate world is just as bad. Hell it was a private company which screwed up on this one.
Get this through your head:
"corporate" does not equal "competent".
"Government" does not equal "incompetent"
They are both quite capable of both and both tend towards incompetent.
Re:How many angels can dance on the head of a pin? (Score:3, Insightful)
The way I read it, there was no information about taxpayers on the USB stick itself.
But there was authentication and access information about the citizen/taxpayer database, which is probably accessible over the Internet, with the correct VPN credentials, etc.
It was these VPN credentials and passwords that was on the USB stick.
Imagine the average user who writes their password on a post-it and sticks it to the bottom of their keyboard.
Now make that post-it into a giant animated billboard in Times Square, and you've kind of got the idea.
(No cars. Fsck. My analogy sucks!!)
Re:'Passcodes' not data (Score:3, Insightful)
I carry a memory stick attached to my key ring, which includes encrypted copies of SSH and PGP keys, the passphrase to decrypt them is memorised...
Anyone who stole it would be more interested in stealing the car for which the key is on the same ring, or breaking into the house using the keys and stealing stuff...
Or they could just take the unencrypted episodes of tv shows from the usb key.
Re:Same old same old... (Score:4, Insightful)
That's what reading a "newspaper" like the Daily Mail will do to you. If you read tomorrow's copy you'll find out it's all 100% due to immigrants, the EU and Gordon Brown (who "according to a source", was seen carrying out the stabbings himself).
In reality though, looking at the police stats, there's actually only been a single 14 year-old (and no one younger) who's been murdered this year in the UK. There was a clump of teen stabbings in London at the start of the year but this has reversed to actually being slightly below average over the year.
The murder rate in the UK currently stands at 1.4 per 100,000 which is only about 1/4 the US murder rate of 5.5 per 100,000 (which itself is extremely low by historical standards).
So clearly the actual statistics and reality aren't coming out in the media. My problem with this is that it's pretty hard for a rational and correct solution to be engineered when everyone's being told irrational scare stories everyday by newspapers with a clear finnancially vested interest in exaggerating facts.
Re:How it came to be lost? (Score:3, Insightful)
P.S.
Time to start demanding Account numbers *separate* from your social security number. That helps minimize the damage to a minor loss of personal info at megacorp.com, rather than a loss of national identity (someone else pretending to be you with your stolen SS number).