back to article Loss of unencrypted back-up disk costs UK prisons ministry £180K

The UK's Ministry of Justice has been fined £180,000 following the latest in a series of failures involving how prisons handle private information. The penalty (PDF) follows the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire back in May 2013. The *unencrypted* hard drive contained sensitive and confidential …

  1. Lionel Baden

    probably was noticed

    Bet some poor IT bod has wondered,

    why isnt encryption turned on ? that would be much better

    better leave it though as it will end up screwing everything up and loose my job. because nobody bothers to tell me anything

    1. Nym

      Re: probably was noticed

      No, he went to his superiors and they told him they'd decided to turn it off because if anyone forgot the password they'd permanently lose access to the data. And it would be far too insecure to write it down. So best use none and realize that anyone would assume the drive was encrypted...and that the government wouldn't, if it were lost, be quick to trumpet that it was unencrypted...

  2. Chris Miller

    $180,000 is 0.002% of the MoJ budget - that'll larn 'em. Does this involve changing the 6th significant figure in two adjacent columns on some financial controllers spreadsheet?

    No doubt 'lessons have been learnt' - the main lesson being that Data Protection breaches, no matter how egregious, have no significant consequences for anyone.

  3. Anonymous Coward
    Stop

    Misleading title....

    "Loss of unencrypted back-up disk costs UK prisons ministry £180K"

    Let me fix

    "Loss of unencrypted back-up disk costs tax payers £180K, in bureaucratic money laundering scheme."

    1. Anonymous Coward
      Anonymous Coward

      Re: Misleading title....

      It hasn't cost tax payers anything, except a few thousand pounds in pointless civil servant effort. The money was in the government coffers. It is still in the government coffers.

  4. Dominion

    Pointless fine

    The only way to get staff in government departments to be accountable is to fire them for gross misconduct. The inter-government money laundering (with thanks to 'Lost all faith') is simply pointless.

    1. Anonymous Coward
      Anonymous Coward

      Re: Pointless fine

      The beauty of these governent schemes is that no-one is accountable - even the few civil servants that care are not accountable. Everything is comittees subcomittes and always approved from above. I would not be surprised if there are techies out there wearing their "i told you so" tee shirts but activating encryption was simply not "in scope" for just delivering machines as cheap as possible...

    2. Lusty

      Re: Pointless fine

      You can fire them if you like but they'd only get another job straight away because they'd have experience in government and there is no way to confirm they were fired these days.

      1. LucreLout

        Re: Pointless fine

        @Lusty

        Which is why public servants should be fined, fired, and banned from any role at any level of public service including any consultancy or body shop. I can choose not to buy from Amazon, but my local council have me over a barrell, so the penalty must reflect that.

        If nobody can be identified as being responsible for the failure, then it is the civil servant in charge of the department or service. They'll soon delegate the authority in a verifiable manner.

        The fines, to be levied against the individual, should start at one days pay per record exposed for minor breaches such as welfare records or order history, rising to one weeks pay per record for stuff like criminal records, and onto one months pay per record lost/leaked for anything confidential like financial or medical records.

        The fines would be transferrable back to the one up delegator of the authority if it could be shown in writing that issues were escalated due to lack of authority and not addressed.

        Implement that, and the data held by the public sector will magically become secure. Don't implement it, and nothing will change.

  5. Anonymous Coward
    Meh

    Doncha just love it

    when one government department fines another. Provides work for civil servants in both departments. Sir Humphrey would be delighted.

    The Monetary Penalty Notice pdf says "The data controller has sufficient financial resources to pay a monetary penalty up to the maximum without it causing undue financial hardship".

    What is "financial hardship" for a government ministry? Not enough in the tin for rich tea biscuits with the coffee at meetings?

  6. Ross K Silver badge
    Mushroom

    Cocking Up

    Cocking up - it's what public servants do best.

    Another meaningless fine from the ICO, with the taxpayer footing the bill... Why bother?

    1. Anonymous Coward
      Anonymous Coward

      Re: Cocking Up

      @Ross K

      You sure a public servant did that? In many government organisations (can't speak for this one - anyone else know?), the policy is in-house, the implementation is private sector contractors.

      It would seem strange for an organisation to buy kit that expressly catered for past misdemeanours if the policy wasn't there to turn it on. Still, easy target eh?

      1. Ross K Silver badge
        Devil

        Re: Cocking Up

        You sure a public servant did that? In many government organisations (can't speak for this one - anyone else know?), the policy is in-house, the implementation is private sector contractors.

        Spoken like a true public servant - you put the blame on somebody else and the problem goes away...

        If you search past articles on this site you'll see a fine array of government entities losing "customer" data which should have been under tight control (my personal favourite was the council employee data dumped in a rubbish bin in a Tesco car park). It's obvious that fines are no deterrent.

        I wonder would security be improved if the persons responsible for protecting data were given custodial sentences every time their department messed up.

        1. Anonymous Coward
          Anonymous Coward

          Re: Cocking Up

          read it again - I didn't put the blame on anyone, merely made a comment about your public servant statement and asked whether you knew who in fact didn't implement the security. I did some consulting work for them a good few years ago when they were part of the Home Office but can't remember how their IT services were run.

          But I'm sure you're right, it's only ever public servants who cock things up isn't it?

          Personally, I'd like to see jail time for the persons responsible for this sort of thing regardless of whether they are gov or private contractor - you don't give up your responsibility because you work for someone else and you're not absolved from responsibility because you employ someone to do this stuff for you.

        2. Mudslinger

          Re: Cocking Up

          The reason public bodies are fined for losing data is because they report those losses. I bet Tesco/Boots/Natwest wouldn't admit they'd lost anything.

  7. Andrew Jones 2

    I still don't understand why disks, CDs / DVDs are shipped through the post full of private information?!

    Haven't these people ever heard of VPN - if the data needs to go somewhere - it should be transferred securely through a dedicated VPN setup specifically for that purpose!

    1. MyffyW Silver badge

      Andrew Jones, you have a point in this day and age but:

      "Never underestimate the bandwidth of a van full of tapes"

      On the other hand only a total eejit would leave the van door unlocked.

      As per previous posters I pity the poor IT soul who has doubtless got blamed for what was a poorly managed implementation.

      1. SolidSquid

        Agreed that that could often be true, but in this case we're talking about database records that could be backed up incrementally pretty easily, so it shouldn't require the level of bandwidth a van full of tapes provides

    2. Anonymous Coward
      Anonymous Coward

      I suspect they have heard of a VPN.

      But I suspect that would require new hardware, and therefore a tender process, many months or work, a ridiculous set of requirements and so on. It'll eventually go to some group like Crapita, for millions.

      When a local IT firm would quite competently have done this for a small amount of money.

      ...but that's just not how Public Sector works.

      I recently had experience of this - customer has connectivity with us, is public sector. Has bandwidth limited account. Reaches limit (first time ever). Calls up, is told they can either pay £X for top-ups of said bandwidth on a one off basis, or it would be cheaper to switch to a better tariff on a new contract term. £Y would be the cost over 2 years, which is less than £X is.

      The latter scenario couldn't be done as it would require paperwork, contracts etc, but the former was absolutely fine as it can be expensed back through the system. That it costs more is irrelevant, it's actually the procedures that prevent the value for money. The very same ones that are supposed to improve value for money.

      I see this every month...

  8. chrisf1

    ooh the irony

    Ok so fining the Ministry of Justice has a nice ring to it but how does fining a tax funded organisation help exactly?

    Is the relevant Select Committee going to ask pointed questions?

    1. SolidSquid

      Re: ooh the irony

      Reduces their operating budget I'm guessing? A bit like arguments over who's budget various costs come out of in a company, it's still the same company's money but none of the departments want to be the one to shell out

      1. Captain DaFt

        Re: ooh the irony

        "Reduces their operating budget I'm guessing?"

        Has anyone considered the leaks might happen for just that purpose?

        Any budget surplus left over after the fiscal year is 'lost', and may lead to a budget cut the following year.

        So... "We're having trouble getting this years budget spent!"

        "Here, leave this laptop in your car and park it in front the Sleazy Pub with the windows down. There's enough sensitive data on it that the fines should cover the surplus!"

        "Genius! No wonder you're the boss!"

  9. Anonymous Coward
    Anonymous Coward

    Re: Cocking up

    They have to do something to show they care. Short of actually punishing anyone, or making the MoJ compensate the victims, which they don't have the powers to do.

    Maybe they should be able to block any honours for MoJ senior civil servants for the next couple of years. Much more effective.

  10. Sureo
    FAIL

    "the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly" - FAIL

    Too bad no one's accountable - the fine moves taxpayer money* from one account to another.

    * Taxpayer money = nobody's money

    1. RW
      Megaphone

      Off with their heads!

      It wan't "the prison service" that lacked the necessary attentiveness. It was some one or few individuals within that service who didn't, yet were responsible for just such matters.

      It might very well be that some upper level management wonk had cancelled the position(s) supposed to handle those responsibilities. But always there is individual failure to do the job correctly that lies behind organizational failures.

  11. Pete 39
    Stop

    Info Please

    If the hard drive was lost how do they know that encryption wasn't turned on? You obviously can't rely on the users as it appears that they haven't got a clue.

    Widening this out why wait till something is lost before a fine is issued. If someone breaks the speed limit they can be fined without ever having caused an accident. I'd suggest random checks of similar facilities and if they are found to be using processes that could trivially lead to the loss of data through the loss of a physical asset then they should be fined, without waiting for that loss.

    And yes fines are pointless within the Government, the service owner (a person) should be the one to bear the cost with the chance that ultimately they could loose their job. At the very least they should be named so there is no chance I'd have to work with them.

  12. Anomalous Cowshed

    Ministry of prisons...

    "Ministry of Prisons"

    "Ministry of Justice"

    The very wording is oppressive.

    What's next? Ministry of Propaganda? Ministry of Truth? Ministry of Repression? Ministry of Crime and Punishment? Ministry of Thought Control? Ministry of Facebook?

  13. Pen-y-gors

    Fine should be much smaller

    perhaps £5K or so - but it should have to be paid personally by the CEO (or equivalent - in this case the Minister) - then they might actually start paying attention.

    1. Aitor 1

      Re: Fine should be much smaller

      It shoud be 5-10K per person.

    2. theblackhand

      Re: Fine should be much smaller

      It's a little unfair on the minister for the affected department to foot the bill - particularly with many senior departmental civil servants making more than the ministers these days.

      As there is a general lack of responsibility, I would propose a Gladiator-style battle between the responsible committee with the members battling it out to pay nothing (lose first round, pay £8k, 2nd round £4k, semi's £2k, losing finalist £1k). Create a TV show with whatever commentators/presenters are available with all profit going to improve security practices in said department.

      I don't believe this will address the underlying security culture in many of these environments, but it would make better TV than "Britains Got Dancing on Ice" or what ever the tripe is called...

      1. P. Lee
        Stop

        Re: Fine should be much smaller

        > I would propose a Gladiator-style battle

        No way should Cowell be allowed to make money off the public for this!

        Fining the Minister is fine - he sets the policy, he is supposed to be accountable. He should have a security officer who reports to him (not Operations) and without personal interest in the subject, he won't drive any change.

        The reason is, its cheaper to pay the fine when caught than to audit and enforce policy. Paying the fine doesn't hurt anyone except the prisoners, since the MoJ has less money to spend on them.

        "I'm sorry we lost your data, I'm going to have to fine you for it." is creepy - like paying for your own execution bullets.

  14. SolidSquid

    Do the prisoners have any recourse regarding the loss of their personal data? I would have assumed that they would have a reasonable expectation of privacy with regards to this data, and should receive at least some form of compensation from the government for their incompitence

  15. Vince

    So once again the real cost is met by the taxpayer. And if the fines they all get are too great, more taxes for us.

    If instead it became "loss of jobs" and "criminal charges", I bet these problems would disappear.

    Until then, it'll just keep costing us all money, and losing data.

  16. Peter 39

    bollocks

    Fining these jokers is just fining the taxpayers.

    The only way to solve this problem is to put some of the stupidos inside.

    1. NeilMc

      Re: bollocks

      I think you are onto something here Peter 39,

      So MOJ and HMP staffers got to prison for the data loss which was completely avoidable; and lets see how the lags treat them for losing their data.....

      Then in the same context the Police and Council in Rotherham should be doused in petrol and repeatedly assaulted and abused.

      Currently there is a culture of "no accountability and no consequences" so nothing will change.

      Perhaps its time for some "eye for an eye"

  17. paulc

    numpties...

    If we get caught using unencrypted USB drives where we work, we would lose our List X rating and no longer be able to bid for government work...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like