Stewart Twynham's IT security diary - The tip of the iceberg

Whenever I investigate a security problem within an organisation, the initial reaction is usually the same. If it's related to process and procedures, I will be told, "It's a one-off", or "It couldn't happen again, we were unlucky." If it's related to software, I hear something along the lines of, "Well, we'll just fix the bit that was wrong."

Not entirely dissimilar, in fact, to the reaction from the Prime Minister this week, and the suggestion that this whole sorry affair at HMRC was triggered by a junior member of staff not following well laid down procedures.

Continued...


Comments

Excellent summary

shurst

What amazes me the most at the moment is that the 'it was only a junior official' bit is being defended as though it makes everything less worrying. For me it would be infinitely more reassuring if it had happened due to the actions of a senior official - at least that might mean there were some procedures in place to stop anyone getting at the data. The fact that a junior official could apparently do what they did has far greater implications for the data security procedures and culture throughout government.

One of the most important points Stewart (and others) have made is that if it could be done, how do we know it hasn't been done on a similar or smaller scale many times before? How do we know criminals are not currently cultivating links with staff at key government establishments now they know for sure how easily they might be able to get at very valuable data? Is anyone checking the contents of staff's MP3 players as they leave each evening....

Simon Hurst


A chain of events

davidwinch

I absolutely agree that when things go badly wrong it is (almost) invariably not the result of one error, it is the coming together of a whole series of errors.

To argue the opposite is like saying England were eliminated from Euro 2008 because Croatia scored the winning goal in the last 20 minutes of the final game. The problem goes much deeper than that.

If you look at cases of accountants or solicitors convicted in relation to money laundering (as I do) or even at investigations into aircraft crashes, these things do not happen as a result of a single error. They happen after several opportunities to avoid disaster have been missed and a number of rules have been broken.

Have HMR&C been re-engineered too much over the past few years in the name of efficiency and have intangible and non-measurable assets, like the relevant knowledge, experience and common sense of their staff, been lost along the way?

As for the risk of future losses due to fraud, those of us in the 'fraud community' (perhaps I should say fraud prevention community) know that it is all too common for call centre staff to leak confidential information to criminals (either in return for payment, or accidentally, or in response to threats, or because they took the job for the purpose of obtaining and misusing the information). Why should HMR&C be immune from the risk of ID theft via its employees?

David

Not taken seriously

mikewhit

The police do not take data protection seriously either.

Some time ago some personal information was misused by an agency, I notified the police who were able to find the relevant identifying phone number via BT.

But they then refused to take matters further since they believed a prosecution was unlikely, and refused to let me chase it up by denying me access to the phone number for reasons of ... data protection.

The Data Protection office did not want to take it up due to lack of help from the police.

I think just a shot across the bows of the agency would have helped them put their house in order, as it is they remained unaware that abuse of information was occurring.


Catastrophic?

richard.murphy

I gave up with this story the moment it described the data loss as "catastrophic".

Serious, yes. Needing action, definitely.

Catastrophic. Never, and to say so is to live in a world of fantasy.

No one has died. No one has lost a penny. No one even knows that anything has been lost.

Please, to use the vernacular, "get real" and deal with the issue, but drop the hyperbole.

Richard Murphy

Serious, though?

mikewhit

@Richard:
Ovum principal analyst Graham Titterington: "If the data has fallen into the hands of identity thieves, which is unlikely, the entire national identity ecosystem is undermined for two generations."

So, not exactly a catastrophe, just a potential one ...


Please don't exaggerate

richard.murphy

95% of the lost data is publicly available

Try the census, for starters

Richard

Sensitive housing benefit data lost

barnstones

Headlines in today's edition of the Huddersfield Daily Examiner advise 45,000 Kirklees claimants' details - on two CDs! - are missing in transit to DWP by TNT. The CDs were sent in August as part of the normal information which every council is obliged to send to DWP each month and includes names, addresses, dates of birth, NI numbers etc. A review by Kirklees of its communications with government departments following the revelation of the missing Child Benefit data elicited the information from DWP that these discs were still missing. Kirklees council has now ordered a freeze on data transfers to all government departments until they are satisfied that information sent is secure and confidentially received. Quite how they intend to achieve this is unclear.

This does support Mr Twynham's point regarding the vast amount of confidential data which is apparently moved regularly between different government departments with blatant disregard for a basic level of security. It does beg the question of exactly how much lost information is out there. And we are moving towards a national ID card? Perhaps the hackers, forgers and criminals will soon be able to provide us with a cheaper version than Mr Brown's.

Erica


There's an easy solution to this problem

richard.murphy

There's a common thread

Outsourced carriers

Stop using TNT

Richard Murphy