Nicked unencrypted PC with 6,000 bank details lands council fat fine

The Information Commissioner’s Office has fined Glasgow City Council £150,000 for losing two unencrypted laptops, one with the personal details of more than 20,000 people - just two years after a similar blunder. More than 6,000 bank account details were held on one of the stolen computers. “To find out that these poor …

COMMENTS

This topic is closed for new posts.


  1. Rufus McDufus

    What a terrible punishment, getting someone else to pay the fine.

    1. Tom 13

      @Rufus

      My thoughts exactly.

      Perhaps if each member of the council had to personally pay the fine it might have an effect.

  2. Usually Right or Wrong
    Unhappy

    Double whammy

    So Glasgow tax payers are told to bend over and take an ICO £150K shafting and whilst they are bent over, open their mouths and take a bank account fraud shafting as well. Lucky devils.

  3. Ian 62

    Who pays then?

    It's a council, funded by and for local residents (tax payers).

    So that's £150,000 less to spend on services. Or £150,000 more to take from tax payers.

    I doubt it's likely to come out of the pocket of whoever left it unlocked, or unencrypted, or someone in management who made the decisions.

  4. taxman
    FAIL

    and that we carried out significant remedial action

    by purchasing a further 74 laptops to replace those missing'

  5. Halfmad

    Yet nobody will be fired..

    The problem with these fines is that organisations pay up and there's no long term change in attitude, sure they'll do something in the short term as people try to cover their own backs but there's no fundamental shift in attitudes to IT and information security as the same managers, who usually have it as a very low priority remain in post.

    The head of their IT department should be sacked for poor IT strategy and management, the manager of the offices where the laptops were stolen due to the poor physical security (regardless of encryption) should also find their job on the line. The role of their IT security staff should also be checked to see if it's advisory (as many are) and whether those staff need extra backing from the senior management team - which is lacking in most organisations.

    Until people know that their jobs are genuinely at risk for this sort of breach they'll never put the necessary importance on IT/info security.

    1. Tom 13

      Re: Yet nobody will be fired..

      Not so sure about assuming poor physical security at the office. The whole point of a laptop is the worker takes it home or into the field. I expect that's the point at which it was stolen. One case in my support history was a user who had the laptop stored in a bag so it wasn't clearly visible while the user stopped to visit an embassy. Car was broken into and the bag was stolen. At the time I think the user also thought his tax return forms were stolen, which is pretty much your identity here in the US.

      But on the encryption issue, yeah, there's a real problem there.

      1. Anonymous Coward

        Re: Yet nobody will be fired..

        Actually the original two laptops were stolen on council premises during a refurbishment.

      2. John Smith 19 Gold badge
        Unhappy

        Re: Yet nobody will be fired..

        " I expect that's the point at which it was stolen. One case in my support history was a user who had the laptop stored in a bag so it wasn't clearly visible while the user stopped to visit an embassy. "

        So 74 cars and houses broken into?

        And they can't get encryption software working because?....

  6. Frankee Llonnygog

    What does the ICO do with the money?

    Any gov. department that says, 'you must do x' should first ensure there is a Govt. wide deal in place for procuring x at the best price with economies of scale. So, not just, 'you must use encryption' but 'you must use one of the encryption products available through the framework'.

    1. Halfmad

      Re: What does the ICO do with the money?

      Agreed, although those frameworks have to be kept up to date, which many aren't; otherwise you end up having to take an out of date product at an inflated price. Frameworks aren't the answer and certainly aren't an excuse, especially when they could have used free products to encrypt these laptops.

    2. Velv

      Re: What does the ICO do with the money?

      The ICO does not mandate encryption. The ICO does not mandate anything.

      The ICO simply states "you have a duty to keep information from being disclosed to people who don't have a right to it".

      Encryption is only a means to an end. Perhaps locking the laptops in a drawer is sufficient (clearly not if you put the key in the next drawer). Perhaps the data should never have been on a laptop in the first place.

      Your point about procurement is an interesting one, since the govt has a very good deal with Microsoft, and Windows now includes encryption, so it's largely a free option (bit of back end PKI required). So there really is no excuse for any govt department to have laptops that don't have the most basic of protection (aside from many are still on XP).

      1. Frankee Llonnygog

        Re: What does the ICO do with the money?

        Yes, it's all very well saying 'comply' but it should be made easy to comply. ICO has form for mandating compliance without considering the real-world consequences.

        1. Anonymous Coward

          Re: What does the ICO do with the money?

          @Frankee Llonnygog

          re: "Yes, it's all very well saying 'comply' but it should be made easy to comply. ICO has form for mandating compliance..."

          Why?!? It's not the ICO's responsibility to tell the councils how to do their job - the ICO is only there to state the requirement and ensure it's being met.

          Councils should be designing processes to meet those requirements. Not just expecting someone else to come up with solutions for them. Why is that so different from how they meet their other obligations - or are they just spoon fed and never have to think for themselves?

      2. keithpeter Silver badge
        Windows

        RDP? Re: What does the ICO do with the money?

        "Perhaps the data should never have been on a laptop in the first place."

        I'm an end user and have little knowledge of network costs &c.

        My employers allow me to use an RDP session to log into my Windows desktop, from where I can access the rather minimal amount of data about students that I need to keep useful records of progress &c. We have to type passwords in each time we access the RDP desktop. I therefore use my own laptop, at home, in a room with walls and a door (and not in the middle of a Starbucks, for instance, and there has been staff training on data protection) to do bits of admin. If my laptop gets nicked, the neds would not be able to access the remote desktop session at all. The laptop has no personal information about students on it, just teaching materials that I write in my own time.

        Is this a way forward? Laptops in 'offices known to be insecure' run a session back to a central server? As the server takes the load, money could be saved on hardware refreshes?

        The tramp: I'm on a reduced income but pay full council tax and have to use Windows at work

        1. Hellcat

          Re: RDP? What does the ICO do with the money?

          keithpeter has hit the nail firmly and squarely on the head.

          There is no reason for data to ever be on a workstation. Everyone else seems to live in a world where Citrix doesn't exist. Give the users a published desktop if the individual app doesn't play nicely as a published application. Then they can access it in the office or at home, and no need for expensive laptops or workstations - a Wyse device or similar thin client device is all that is needed at the user's end, and servers capable of hosting the sessions are getting cheaper all the time. To save on licences, server 2012's terminal server solution is nearly as good as Citrix's own offering.

          1. Charles 9

            Re: RDP? What does the ICO do with the money?

            And everyone else seems to think the Internet is literally everywhere. What if you need to meet a deadline but you're going to be "out of the loop" for a while? What if your Internet access is notoriously unreliable or hard to secure (you're using a WiFi setup that's not yours)? Then there's the matter of drive-by (hidden in a popular site) rootkit (hidden from detection) malware that can still nick the RDP details.

  7. Velv
    Go

    Bonuses all round at Glasgow City Council this year then?

    Senior Managers and Executives will have targets to meet to be eligible for bonus. If they meet the targets, then award the bonus. Then directly reduce the bonus by the amount of any fines incurred in the Council's name since they have responsibility.

  8. nsld
    FAIL

    If the report is correct

    and the staff requested encryption and this was denied then whoever denied it should be fired and the ICO fine should be taken from the pension pot, only when the individuals who fail in this appalling manner are held to account will others take notice.

    Until the fines are met by the people responsible and not the tax payer they will have no effect.

    It smacks of a criminal level of negligence but stuff all will happen to the muppets responsible.

    1. Phil W

      Re: If the report is correct

      I don't think the encryption request was denied, so much as just ignored.

      Not that that makes it ok, but there is a different level of stupidity involved in forgetting/not getting round to taking action to encrypt the data and actively refusing to do so.

      1. Tom 13

        Re: I don't think the encryption request was denied,

        Article says pretty clearly it wasn't installed because it either didn't work or they couldn't figure out how to install it so it would work. While it is normally true that incompetence suffices and is preferable to malice, in this instance I think we need to deny them the incompetence option. They've become too competent at taking incompetence as the easy way out.

        Crimeney! This sort of crap pisses me off and I'm not even a loyal subject of Her Majesty.

  9. The BigYin

    I did not cost the council one penny

    It cost the TAX PAYER £150,000.

    Who was responsible? Did they follow procedure? No? Fire them.

    Was there no procedure? Who should have written it? Fire them.

    They were blocked from writing it? Who did that? Fire them.

    They were blocked from implementation? Who did that? Fire them.

    Repeat until you reach the top.

    Unless we start sacking the idiots in the civil service, we will keep getting crap like this. In the private sector this would almost certainly be grounds for summary dismissal. Of course, this is Glesga council with a vainglorious history of incompetence, corruption and utter disregard for the will of the Glaswegian people (which is pretty typical for Labour). I give you the previous (and planned) destruction of George Square as but one example.

    More importantly....I wonder how I find out if I am affected?

    1. Magister
      Coat

      Re: I did not cost the council one penny

      >>More importantly....I wonder how I find out if I am affected?<<

      I would say Much More Importantly.

      I'm betting that if you submit an FOI request, you'll be told that they "cannot supply that information due to the Data Protection Law".

      Or am I just being my usual cynical self?

      1. The Serpent

        Re: I did not cost the council one penny

        You would use the Data Protection Act to find out specific information about yourself - it is called a subject access request.

        The Freedom Of Information Act is for more general, non-personal requests unless it is of an environmental nature, in which case it is much the same process as FOI but under the guidance of the Environmental Information Regulations.

    2. Halfmad

      Re: I did not cost the council one penny

      I agree with regards to sacking those responsible - the problem is that councils and the public sector never do.

      However your point about the private sector is a little odd, we'd never have known about this loss if it was in the private sector, the chances of them self reporting to the ICO are incredibly small and of course you couldn't use an FOI to investigate it.

    3. haloburn

      Re: I did not cost the council one penny

      This probably was not due to incompetent IT staff. Councils and public bodies have an obligation to follow the GSX code of connection for access to the Public Services Intranet. One of the stipulations is that they must encrypt all mobile devices and removable storage. However there is a mindset that goes “no one else (other Councils) pay any attention to this so we won’t either”. Until the ICO and Cabinet Office start to conduct unannounced ICT audits individual Councils are going to continue to disregard or interpret the rules and regulations as they see fit.

    4. Anonymous Coward

      Re: I did not cost the council one penny

      "In the private sector this would almost certainly be grounds for summary dismissal."

      Er - not necessarily... depends how much the disclosure of such issues could affect the share price.

      AC for reasons that should be obvious

      1. Triggerfish

        Re: I did not cost the council one penny

        Everyone comments about how much it costs the tax payer, and they're right, but it's not going to make a difference; that sort of culture seems endemic in councils.

        I've worked in a few and it always seems to me that a large percentage of the wastage money-wise with a council is because it's not earned, just given, so no one is as accountable. If you went to your boss in a private company and had to explain how you were pissing money up the wall because of x,y,z and that you weren't doing anything about it, how long do you reckon you'd last?

        Yet I have worked for council departments who don't even bother finding out the x,y,z let alone try and fix it or have to explain it.

        Working for the council really made me resent paying my council tax - not because I don't think we should contribute to society I do, but because if I do I don't want it being sodding wasted by idiots.*

        *Apparently commenting this to your boss whilst working for the council shows a bad attitude.

    5. tomsk

      Re: I did not cost the council one penny

      “Unless we start sacking the idiots in the civil service, we will keep getting crap like this. In the private sector this would almost certainly be grounds for summary dismissal.”

      I hear this kind of thing a lot, and yet I’m not convinced that the private sector is all that much more efficient or less error-prone than the public sector, based on my experience working with both. Companies certainly have an easier time concealing their fuckups than public-sector entities, and you could argue that they tend to fuck up in different ways; amazing feats of bureaucratic inertia and buck-passing are more common in the public sector, while ridiculous misadventures caused by dumbfounding levels of exec-grade arrogance and narcissism happen more often in the private.

      Both sectors come out with these kinds of staggering ineptitude often enough that I can no longer take this whole ‘private sector lean and efficient; public sector bloated and incompetent’ mythos very seriously. And while some people in the corporate world may be more likely to face the consequences of their mistakes – lower-paid people, mostly – the upper echelons often seem bafflingly immune to the faintest hint of accountability. Just look at the leaders of so many of our glorious financial institutions, or the seemingly ineradicable Ballmer, or any number of serial failures who nevertheless sail blithely into a succession of heavily-remunerated leadership roles, leaving a trail of destruction behind them.

      1. Tom 13

        Re: the upper echelons often seem bafflingly immune

        While that is true to some extent, at least some of the people in the lower echelons are accountable. You don't even get that in government. These days, to the extent you do, it is because they've contracted the job to someone so the contractor can be disposable. I'd also note that all of the examples you cite have significant interfaces with the government in one way or another. Even Ballmer who owes his fortune to government backed copyright monopoly combined with government enforced "terms and conditions" contracts.

        I'd also say that even in the private companies I've worked in that are tightly associated with government (living inside the abysmal swamp makes it nearly impossible not to do so), while the higher ups who frell it up might not get the public treatment, they do seem to eventually disappear. Not necessarily in a manner traceable to the injury, but they disappear none the less.

        1. tomsk

          Re: the upper echelons often seem bafflingly immune

          “at least some of the people in the lower echelons are accountable”

          Often they’re just taking the fall for mistakes that are really the fault of someone higher up, though.

          “I'd also note that all of the examples you cite have significant interfaces with the government in one way or another.”

          Up to a point. The misdeeds that led to the financial crisis really weren’t the government’s fault. The government could have done more to stop the madness, but it certainly wasn’t forcing banks to go on insane lending binges in various bubbly property markets or to make enormous gambles on highly-leveraged pools of credit derivatives.

          It sometimes feels like once you’ve made it to C-level you’re almost guaranteed perpetual lucrative employment, no matter how much you screw up (short of actual imprisonment). It’s like football managers; there are so few that are known quantities (and so perceived as less of a gamble by risk-averse boards) that a month after steering Club X into relegation and bankruptcy you’ll be sitting at a press conference with your new employer talking about how you’re looking forward to working with players and staff to restore Club Y to the prominence its proud heritage deserves.

    6. Tom 13

      Re: More importantly....I wonder how I find out if I am affected?

      You can't because they don't even know what information may have been compromised.

      So, if you've had any dealings with them, assume your information has been compromised and act accordingly.

    7. Anonymous Coward

      Re: I did not cost the council one penny

      Let's hope the voters in Glasgow hold their councillors to account.

      It is the councillors who hold their civil servants to account, ultimately being able to get rid of the CEO through a vote of no confidence if he/she hasn't satisfied them that suitable action has been taken.

      If nothing happens, and the councillors are still seated this time next year, then blame the voter :)

      Probably the IT is outsourced. The IT company gave a quote for encryption, which was sniffed at by the council as costing too much, so declined. The council will argue that Central Government cuts meant they didn't have the resources to pay for better security. Blame will be passed around and diluted between the workers. Only the voters hold the true power to get something done about it.

    8. Anonymous Coward

      Re: I did not cost the council one penny

      You tell'em pal, you tell them.

    9. Michael Dunn

      Re: I did not cost the council one penny @ the Big Yin

      Who was responsible? Did they follow procedure? No? Fire and fine them.

      Was there no procedure? Who should have written it? Fire and fine them.

      They were blocked from writing it? Who did that? Fire and fine them.

      They were blocked from implementation? Who did that? Fire and fine them.

      (And possibly imprison too.)

      There, fixed that for you!

  10. Crisp
    WTF?

    The council issued unencrypted laptops to staff when it had problems with its encryption software

    Well that was daft.

    What the council should have done was train their employees properly. (If they still can't use encryption tools after that, then the council needs to fire their incompetent staff).

    It's just encryption, it's not rocket science.

    1. Gordon 10

      Re: The council issued unencrypted laptops to staff when it had problems with its encryption

      To be fair it doesn't say it was the staff who had problems - just that there were problems. Could just as easily be bad install/config or bad policies/governance.

      1. Tom 13

        Re: To be fair

        In fact, given that it sounds like none of the laptops were encrypted, I expect it was a problem with the installation, not that Jane Smithe couldn't log in to her encrypted laptop and therefore got a verbal waiver for having the software installed.

    2. Boothy

      Re: The council issued unencrypted laptops to staff when it had problems with its encryption sof..

      I doubt it was related to training etc. Full disk encryption is essentially transparent to the end user; the only difference a user sees is likely to be an extra icon in the notification area and, depending on the vendor of the software, sometimes an additional login prompt during initial boot.

      I would suspect that it was probably more to do with a bad install image, or some clash between existing applications or something else in their SOE build. (Assuming they have a proper Standard Operating Environment of course!).

      But saying that, irrespective of issues, they still shouldn't have sent out unencrypted laptops to anyone accessing sensitive data.

      Install some desktops in a secure area: if you want to work on bank details, you need to come into the office and use the PCs in the secure room for the day, not your laptop.

      Then once the issues are resolved, roll out full disk encryption. Also update your domain login process to make sure each device accessing the network has encryption enabled, if not, deny access and tell them to phone the help desk.
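The "check at login that the device is encrypted, otherwise deny and send them to the help desk" step above, as an added PowerShell example (not the council's code, nor any vendor's). It audits the OS volume's BitLocker state and returns a verdict object that a logon script or network-access-control hook can act on. Get-BitLockerVolume and its VolumeStatus, ProtectionStatus and KeyProtector properties are real (BitLocker module, Windows 8 / Server 2012 onward, elevated session needed); the function name, the TPM-protector rule and the help-desk text are my own assumptions.

```powershell
# Added example (not the council's or any vendor's code): the logon-time
# "is this device encrypted?" gate described in the comment above.
# Requires the BitLocker module (Windows 8 / Server 2012 onward) and an
# elevated session. Get-BitLockerVolume is a real cmdlet; the function and
# the help-desk contact below are my own.

function Test-DiskEncryptionCompliance {
    [CmdletBinding()]
    param(
        # Volume that must be protected; defaults to the OS drive (e.g. C:).
        [string]$MountPoint = $env:SystemDrive,
        # Placeholder contact for the denial message shown to the user.
        [string]$HelpDesk = 'ext. 0000 (placeholder)'
    )

    $reasons = @()
    $vol = $null
    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    } catch {
        # No module or no BitLocker metadata: treat as unencrypted, never as "unknown".
        $reasons += "BitLocker status unavailable for $MountPoint ($($_.Exception.Message))"
    }

    if ($null -ne $vol) {
        # 'EncryptionInProgress' or 'FullyDecrypted' still leaves plaintext on disk.
        if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
            $reasons += "Volume status is $($vol.VolumeStatus) (expected FullyEncrypted)"
        }
        # Encrypted but ProtectionStatus Off means suspended: the key sits in the clear.
        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $reasons += "Protection status is $($vol.ProtectionStatus) (expected On)"
        }
        # Insist on a TPM-backed protector (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey)
        # so the volume key is bound to the hardware, not only to a recovery password.
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if (-not ($types | Where-Object { $_ -like 'Tpm*' })) {
            $reasons += "No TPM-based key protector (found: $($types -join ', '))"
        }
    }

    $compliant = ($reasons.Count -eq 0)
    $message = if ($compliant) {
        'Device is compliant.'
    } else {
        "Encryption is not enabled on this device. Network access denied; call the help desk on $HelpDesk."
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MountPoint   = $MountPoint
        Compliant    = $compliant
        Reasons      = $reasons
        UserMessage  = $message
    }
}

# Usage from a logon script or NAC agent: surface the verdict and the reasons.
# The actual deny belongs to the access-control system that consumes this output.
$result = Test-DiskEncryptionCompliance
if (-not $result.Compliant) {
    Write-Warning $result.UserMessage
    $result.Reasons | ForEach-Object { Write-Warning "  - $_" }
}
$result
```

Two design choices worth noting: a failure to read BitLocker state is scored as non-compliant rather than "unknown", because a device with no encryption metadata at all is exactly the case the check exists for; and the check runs on the client, so a production deployment would have the NAC or conditional-access service verify the same facts from its own inventory rather than trust the endpoint's self-report.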

      1. Anonymous Coward

        Re: The council issued unencrypted laptops to staff when it had problems with its encryption sof..

        My guess would be they were using McAfee and were running into issues with the hidden partition on vendor equipment. At the very least it was the encryption software and the hidden partition. We ran into that problem once for a couple of weeks during a planned version upgrade. Some systems would install fine, encrypt fine, and upon reboot after the encryption was complete, they blue screened. During the problem period we used the old version of the software. Eventually we figured out you needed to blow away everything on the drive and put the bog standard image on it. But if you let the tech off the hook, he won't keep looking for a solution to the problem.

  11. Anonymous Coward

    Why on a laptop

    Can someone please explain to me why they had 20,143 individuals' information as well as at least 6,000 bank account details on a laptop in the first place?

    1. Kubla Cant
      Thumb Down

      Re: Why on a laptop

      Exactly.

      All sensible businesses keep sensitive data on secure servers. The more clued-up ones disable any workstation features that would allow data to be exported. The last place I worked had an instant-dismissal rule for taking data - including source code - off site. If you need to send something to another office, you have a WAN, or at least a VPN, to do it on. If you need to work on something at home you use remote access.

      But the public sector seems to be stuck in the age of sneakernet. Massive files of sensitive data on laptops, CDs in the post, flash drives down the pub, and so on. Why?
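The "disable any workstation features that would allow data to be exported" practice described above, as an added PowerShell example (not the council's code, nor any vendor's). It audits, and with a switch enforces, two standard Windows controls: the Removable Storage Access policy value (the registry form of the "All Removable Storage classes: Deny all access" group policy) and the USBSTOR driver start type. The registry paths are the documented ones for those settings; the function name, output shape and the choice of these two controls as the "export lockdown" baseline are my own assumptions, and a site would normally deliver them by GPO rather than by local script.

```powershell
# Added example (not the council's or any vendor's code): audit, and optionally
# enforce, the "no export from the workstation" controls mentioned above.
# Registry paths are the standard ones for these settings on Windows; check
# them against your own hardening baseline. Function name and output are my own.

function Get-RemovableStorageLockdown {
    [CmdletBinding()]
    param(
        # Write the hardened values instead of only reporting (elevated session needed).
        [switch]$Enforce
    )

    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    if ($Enforce) {
        # Registry equivalent of the GPO "All Removable Storage classes: Deny all access".
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name 'Deny_All' -Value 1 -Type DWord
        # Start type 4 = disabled: USB mass-storage devices never get a driver at all.
        Set-ItemProperty -Path $usbstorKey -Name 'Start' -Value 4 -Type DWord
    }

    # Read back whatever is in place now; a missing value means "not configured".
    $denyAll  = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $usbStart = (Get-ItemProperty -Path $usbstorKey -Name 'Start' -ErrorAction SilentlyContinue).Start

    $findings = @()
    if ($denyAll -ne 1) {
        $findings += 'Removable Storage Access policy is not set to deny all'
    }
    if ($usbStart -ne 4) {
        $findings += "USBSTOR service start type is $usbStart (expected 4 = disabled)"
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PolicyDenyAll    = $denyAll     # $null = policy not configured
        UsbstorStart     = $usbStart    # 3 = manual (Windows default), 4 = disabled
        ExportLockedDown = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

# Audit only by default; add -Enforce to apply the hardened values on a machine you manage.
Get-RemovableStorageLockdown
```

The audit path needs no elevation and is the part worth running across an estate: a fleet report of `ExportLockedDown` per machine shows at a glance which workstations can still write sensitive data to a USB stick. Disabling USBSTOR also blocks legitimate USB drives used for imaging or recovery, so the enforce path belongs on the locked-down desktops in the secure room, not on every build.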

      1. Anonymous Coward

        Re: Why on a laptop

        +1

        We have a secure room in our office specifically for this type of activity.

        Want to work on this sensitive data? Then you'll have to use one of the secured, locked down (i.e. no USB, no CD etc.) desktop PCs in the secure (pass card entry) room in the middle of the building. That's the room without windows, where you have to leave your bags, and your phone with security if it has a camera, etc.

      2. Anonymous Coward

        Re: Why on a laptop

        Because external USB drives are a cheaper solution than a proper backup unit and they needed to make contract budget. Besides, the data has to be converted on that computer over there, which isn't permitted to touch the isolated network* on which the data is processed, and it's easier to transfer the data using the USB disk.

        *Dweeb telling me this didn't think about the fact that I knew he had a way of remotely monitoring the jobs on the "isolated network" which tells you just how "isolated" it really was.

        Honest. That was a real answer I got once. But I R only the help desk doobie and don't know anything real about computers.

    2. Anonymous Coward

      Re: Why on a laptop

      For the same reason I once worked in a location where even larger volumes of PII were stored on unencrypted drives: someone told them that because of their special relationship with the government, they didn't have to.

      Despite the alleged security on the room it would have actually been fairly easy for someone to bust through the wall (frame and drywall) connect an external USB drive, and copy the data. Yes, it would have been bloody obvious the next day, but still you would have walked away with millions of medical records including social security numbers.

      I understand they have improved security since then, but since I no longer work there I can't vouch for how safe the records actually are. Their biggest defense was, and I expect remains: most people have no idea exactly what information is in that particular room. And of those who do, their livelihood depends on most people not knowing that.

  12. Shasta McNasty
    Mushroom

    The ICO hasn't a fucking clue

    How the hell does fining a public body AGAIN prevent a re-occurrence of data loss?

    Change the law. State that if an employee loses a device with unencrypted & sensitive data on it then they and their manager go to prison for a minimum of 3 months and are liable for any losses incurred by those whose details were part of the data.

    This will force change as employees will refuse to have any data that isn't secure and will make damn sure they keep it safe.

    1. Gordon 10
      FAIL

      Re: The ICO hasn't a fucking clue

      It's hardly the fault of the ICO if those in power have a vested interest in not giving it the teeth it needs.

      Financial remedies are about all it has - even that was fought tooth and nail.

    2. Anonymous Coward

      Re: The ICO hasn't a fucking clue

      Says someone without a clue.... the ICO has asked for powers to use custodial sentences but successive governments have refused to put them in place.

    3. Anonymous Coward

      Re: The ICO hasn't a fucking clue

      "State that if an employee loses a device with unencrypted & sensitive data on it then they and their manager go to prison for a minimum of 3 months and are liable for any losses incurred by those whose details were part of the data."

      Back to paper, locked filing cabinets and biros then. No-one would want to risk anything else.

      Nostalgia, fond memories, and nice long lunch breaks, but forget any form of reporting or process check. It is also easy to 'lose' paper if you know what I mean, so forget accountability.

  13. Dr_N

    Fines should come out of the council management remuneration pool...

    It's the only way to make it fair/accountable.

    A bit of Googling reveals Glasgow has the highest number of employees with +100K packages in the UK.

    So there's plenty of money in that pot to pay for these types of **** ups.
