Another serious case of data loss in Britain

by Michael Smith (Veshengro)

Home Office loses USB memory stick with data of about 100,000 criminals

The continuing data security breaches and loss of data and laptops containing secret information must, by now, become an embarrassment to the British government, or so at least it should. It is rather time that heads rolled but, alas, that is hardly going to happen.

How, pray, does anyone put data such as that which has just been lost – due to the fact the USB memory stick has been lost – onto a small little USB memory stick unencrypted.

Apparently the private sector contractor working for the British Home Office – the the British Ministry of the Interior – took the data which was, so we are told, encrypted originally, decrypted it and then simply stuck it onto an unsecured memory stick. This is not just being stupid or incompetent, though both attributes certainly also apply, but this is criminal negligence.

As Keith Vaz, Labour MP and chairman of the home affairs select committee, said: “f you hand out memory sticks almost like confetti to companies and ask them to do research for you, then you have to be absolutely certain that the company concerned has put in practice procedures which will be just as robust as the procedures that I hope the government has followed.”

But it is not just private sector contractors to the government that have such a lackadaisical attitude to data security; the government's own departments are, normally, directly, the culprits.

If one does need and want to use portable devices, such as USB memory sticks, then they should at least be hardware encrypted – please note: I said hardware encrypted – and this with very strong credentials. There is no excuse not to use such devices. They are also no longer costing the earth and it certainly should not have anything to do with cost.

If the information can be believed that was given to me then the reason, for instance, that the data from the HMRC office that was sent by courier to London a while back now which was unencrypted on CDs and which were subsequently lost, then it was because the two departments do not have the same encryption program. While we were being told that a junior clerk had simply copied the data onto the disks and send them out, apparently, the reasons are different.

Already, the data should have been encrypted, period, when it was downloaded onto the CDs in that instance. Why is open data held in the first place on computers? The data that is held on the computers systems of whichever government department should already be encrypted and would, hence, when copied to CD or whatever, still be in code. But, apparently, this is not the case.

A spokeswoman for the Home Office said in a public statement that the reason as to why the data was in the hands of a private contractor and why it was downloaded onto a USB memory stick was that the outside company was to conduct a study as to how to provide an improved prosecution of offenders. Further information as to how it happened that this stick was lost, however, was not given.

It might be better if the British government began conducting a proper study as to how to avoid loss of data from government departments, for presently there seems to be a sieve here in operation and no safeguards in place whatsoever. This is not only scandalous; it is criminal.

Shadow Home Secretary Dominic Grieve said that there had been a "massive failure of duty" and I do not think that one can add any more to that. With the exception, perhaps, that it is time that the minister responsible for the Home Office tendered his or her resignation. I say here his or her as I cannot remember whether presently it is a man or a woman that is in charge there. People come and go there too often, in general, and that culture too, probably, has a lot to do with things going missing.

© M Smith (Veshengro), August 2008