2 more disks gone astray

  jakimo 12:41 11 Dec 2007

Over 6000 Driving licence details this time



  georgemac © 13:01 11 Dec 2007

Good news for the post office though - thousands more extra letters for them to deliver

I thought encrypting data was easy, can't they ask MI5 or MI6 how to do it?

  Seth Haniel 13:19 11 Dec 2007

The exact number of medical staff affected is not yet known
Thousands of staff have had their personal details leaked after a Merseyside health care trust "accidentally" sent them out.

The world's gone mad lately

  €dstowe 13:45 11 Dec 2007

I find it difficult to believe that occurrences like this are a new phenomenon so, if five disks (it may be more) have gone astray within the last month, how many were lost in the previous months - with the loss being kept secret from us?

  Earthsea 15:43 11 Dec 2007

I think a record of lost discs was put onto a disc, but it was lost.

  johndrew 16:35 11 Dec 2007

Ah yes, but how would you know?

Given it would be somewhat embarrassing, I bet it would be encrypted!!!!!

  Forum Editor 18:33 11 Dec 2007

on these CDs, but that was probably just good luck.

These security breaches do seem to be happening more often, or perhaps it's just that we hear about them now, whereas in the past they may have been kept quiet. Either way, it's a concern, and must be stopped.

You don't need to be a genius to devise a data security policy which fails safe, and prevents any personal information from being at risk - it's a matter of thinking about the ways that data might leak from your databases and sealing them off, one by one. The key, or at least one of the most important keys, is to limit the number of people who are authorised to copy databases, or extracts from databases, and that's usually not too difficult. Next, you limit the number of people within an organisation who are authorised to request extracts from databases, so you plug the potential leak from both ends - the requester and the provider must both be senior people, or senior people must sign off requests from subordinate colleagues.

The important thing is to establish a method of creating audit trails, so at any given moment you can snapshot your data movement situation - you (and by 'you' I mean the person or people who manage the business) must be able to know when data moves - both within an organisation and outside it. If data disks are entrusted to third-party carriers and the information on the disks is sensitive in any way they must be moved on a 'hand to hand' basis - a courier must personally receive the disks, sign for them, and hand them personally to a named individual at the destination point. That individual signs to say the disk(s) arrived, and assumes total responsibility from that point.

It works, but it must be carefully set up in the beginning - and there must be no variation from the policy, ever, under any circumstances.

  Totally-braindead 19:32 11 Dec 2007

Like €dstowe I too find myself wondering what else has gone missing that we've not found out about.
I find it hard to believe that everything has been secure and nothing has got lost for years and all of a sudden things are going missing left right and centre.
Clearly they have either no real knowledge of security or have been bypassing the system that is there.
It doesn't take a security genius to work out that some things you should not do. They obviously have no one working there with some common sense.

  anskyber 19:33 11 Dec 2007

Exactly.

I was lucky enough to be at the top of my particular but little tree when working. IT was handled very carefully in terms of access, read/write/alter authorities and copy authorities. It is not rocket science but rather the application of simple risk evaluation.

And no, I did not have full authority for everything, I did not grant it to myself because I did not know or understand enough about the workings of all the systems.

Frankly, I'm both saddened and amazed at some of the basic lack of risk assessment in senior Government Depts.

  johndrew 19:34 11 Dec 2007

Define `sensitive`.

The information would easily allow cloning of a vehicle with the knowledge that any such act could be tailored to the area in which the vehicle is normally used. Further, duplicate `genuine` documents may be obtained with these details re-registering the subject vehicle as if the owner had moved house.

I think that makes it `sensitive` enough. After all a vehicle may be quite valuable in monetary terms.

  jakimo 16:15 12 Dec 2007

Your data security policy setup is how it should be, but are you seriously suggesting that this government would understand a word of your proposed security policy?

This thread is now locked and can not be replied to.
