The theft of data from a secure area

  Forum Editor 08:35 27 Sep 2008
Locked

on an RAF base click here

must surely make government Ministers realise that a pattern is emerging - losses of confidential data from government departments mean that current data protection measures are woefully inadequate. I'm sure I'm not the only one who is tired of hearing a spokesperson say "We are taking the incident extremely seriously."

It's pretty obvious to me that some Ministers are not taking these incidents seriously at all if a thief can walk out of a supposedly 'high security' area on a military base with a portable hard drive containing the personal records of thousands of serving and former RAF personnel.

I've said it before, but I'll say it again - modern technology has enabled pretty well anyone to store huge amounts of data in a very small device; I have a portable hard drive that can carry 320 Gigabytes of data, and it slips easily into my shirt pocket. I was recently told of a case in the Far East involving an employee trying to smuggle a USB data stick from a secure data centre by slipping it into her mouth and walking past the security guards. She was caught, but only because a guard doing random checks asked her her name, and thought there was something odd about her voice when she replied.

There have been too many recent losses of data for the problem to be swept under the carpet, and the solution involves a fundamental re-examination of the whole process of storing and moving sensitive government information. It isn't sufficient for Ministers to say that they take these matters very seriously, they must do something, and do it quickly. We need a properly formulated data protection policy, one that will operate throughout all government departments, and one that will work.

It's a very tall order, but I'm sure it can be done - similar policies are certainly in place in many commercial organisations. Relying on individuals to observe a set of rules isn't good enough, what's needed is a system that contains checks and balances - one that makes it impossible for data to be exposed to theft or negligent loss without at least two people being involved, one of them at a senior level. There are all kinds of ways to design systems that fail safe without making them so cumbersome that they hold up work flows. Accountability is one of the key factors - people must be made to understand that if they fail in their duty of care towards the data in their control they will lose their job. This isn't a subject that can be pussy-footed around, it's of paramount importance, and I look forward to hearing that our government is going to insist on a radical and far-reaching reform of its data-control systems.

I shall not he holding my breath, however

  €dstowe 09:04 27 Sep 2008

"Lessons will be learned."

- - -but they never are.

Slightly different, in another thread the other day I remarked that I asked a neighbour of mine, a high ranking civil servant, why the Internet wasn't used for transfer of data from place to place in Government and the civil service. His reply was that the Internet was not sufficiently secure. Well, considering the current and almost constant fiascoes taking place involving confidential data that comment would be funny, if it wasn't so potentially serious.

  Forum Editor 11:06 27 Sep 2008

You were right to ask. With the proper knowledge and technologies the internet is probably the safest possible way to rapidly move data from one server to another. It's being done right now, all over the world by companies using SSH2 servers and other technologies.

There would be occasions when this wouldn't be a viable solution; when security-cleared staff need to take data off-site for instance. In these cases other technologies are available to secure the data in the event of theft or loss. I've recently been talking to some people about a way to wipe data from a laptop hard drive remotely if it's stolen or lost, the first time it's turned on.

However hard to try to stop data loss or theft it will occur, there isn't a 100% foolproof method of securing it. What you can do is develop a strategy for preventing loss in the first place, and of coping with it when it occurs. There's a good deal of complacency out there, and that works against anyone trying to institute security systems. I've experienced it myself, when clients have told me that they think my proposals are a tad extreme. It's the age-old "yes, but it isn't going to happen to us, and we don't have a budget for it" mentality.

What such people definitely don't have is a budget to cope with the catastrophic implications of losing their highly confidential commercial data to a competitor. The same attitude seems to prevail in government circles. Data security is a dry old subject, and isn't what you might call a vote catcher.

  spuds 11:08 27 Sep 2008

That what as already been stated in respect of any enquiry " We are taking this incident extremely seriously". But it never appears so, and that statement is becoming an hollow sound.

If positive action was taken against senior representatives for failures, then these ever increasing problems or incidents 'might' be truly addressed.

At the beginning of the year, I brought to our local council and councillors, certain discrepancies of certain 'public confidentiality' procedures. I was duly thanked and assured that action would be taken. Last month I asked if anything had been implemented. That question appears to have brought a blank expression and negative response.Apparently it now seems that the original person involved as left the council, and their replacement didn't follow or forgot to activate the recommended procedures through to finalisation. To me, that speaks volumes about people holding responsible positions. I often wonder if its in the training manual!.

  robgf 11:35 27 Sep 2008

We could do away with computers for file storage. It's much harder to steal, or lose information contained in a filing cabinet, rather than a pen drive.
I have never been very impressed with computers, when used for customers records. Too often, if there is a problem, no one seems able to correct it. A problem that rarely occurred before computers.

As an example, I recently swapped my (NTL) Virgin media account from dialup, to broadband. Everything went smoothly, until I tried to alter files on my web site. No matter what I tried, it reported "error 550" permission denied.
After much Googling and emailing to customer services and some very loooonnnngggg phone calls, going around in circles, I finally got someone who seemed to understand about FTP etc.
But after trying a few things, he admitted that the support staff are unable to alter permissions on the database and suggested I use a different web host!
Only five years worth of updating a site, down the pan then. :(

When supposedly computer savvy companies cant run their databases correctly, is it wise to trust any data to companies for whom computers are simply a peripheral interest.

  peter99co 11:41 27 Sep 2008

Modern data recording media has become too small scale and so easily lost or stolen. It can hide under paperwork on an untidy desk and is readable on any system because the people who use the media do not understand how to protect it.

Being able to fit Millions of Records into a tiny space has created something like Needles in Haystacks. Lose one and it' gone forever.

Personal files containing our records of Bank/Tax/address and health information need to be kept in a media form that does not fit in your pocket or briefcase. Will not load into a Laptop to be lost or stolen. We should think again.

It is proving to be the form the media is stored that is the problem. The loss is a result of the ease with which it transported. POP IT IN THE POST? Leave it on a seat in a train. Lose it in an office down a settee back?

  Woolwell 11:52 27 Sep 2008

There is something odd about this. Theft from a high security area should not be possible otherwise it isn't high security. I think that Air Vice Marshal Tony Mason's comments are valid and it may have been carried out by someone on the inside. How was access obtained?

  Woolwell 11:58 27 Sep 2008

FE - "Relying on individuals to observe a set of rules isn't good enough, what's needed is a system that contains checks and balances - one that makes it impossible for data to be exposed to theft or negligent loss without at least two people being involved, one of them at a senior level."
When I was involved with MOD highly secure data this was precisely the system that was in place. 2 people had to be involved and there were constant checks on whether the material was present. I don't understand why this hasn't permeated down to lower classified but sensitive personal data.

  wiz-king 14:46 27 Sep 2008

It was a high security area. That security should mean nobody could take anything out as well as break in and steal. Security is a two edged sword.

  ronalddonald 19:44 27 Sep 2008

have been an inside job, i cant see anyone else from outside doing this. Recently Whittington Hospital lost some discs but i have now leanre the discs have been located within the hospital.

  laurie53 20:02 27 Sep 2008

I think it is fairly obvious that this is not just another case of careless data handling but a serious and deliberate targeted breach of security.

Having, like Woolwell, handled highly classified MoD data I know that you have to know the system very well to be able to circumvent it, and, as the Russians taught us, a good method is to compromise someone on the inside, not that I'm suggesting for a moment that that is what has happened here.

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

Alienware 17 R4 2017 review

Illustrator Sylvain Tegroeg created thousands of intricate line drawings for the mobile game…

Best iPad buying guide 2017

Comment télécharger une application indisponible en France ?