Gov't fails to keep court data locked up

…another lot of CDs go walkies

By Nick Heath, 23 January 2008 15:39

The government department responsible for ensuring standards in the UK's courts is investigating the loss of four CDs containing personal details.

HM Inspectorate of Court Administration (HMICA) said chief inspector Eddie Bloomfield was looking into the loss but refused to confirm or deny that the missing data included the names and addresses of alleged victims and witnesses in criminal cases.

The discs went missing on 15 December last year after being mailed by recorded delivery from the Ministry of Justice to an unknown recipient.

The Information Commissioner's Office (ICO) has said it will scrutinise the department's security procedures and has asked for a copy of Bloomfield's investigation before deciding what action to take.

The data breach is the latest incident in an exhausting list of government security breaches, which includes the NHS losing hundreds of thousands of patients' records, the DVLA losing three million learner drivers' details and the HMRC losing 25 million child benefit details.

Last week saw other government blunders come to light, such as the loss of more than 4,000 patient details by primary care trusts in Stockport and Oldham.

A spokesman for the ICO said: "Recent security breaches have reinforced the need for all organisations to take the security and protection of personal information seriously.

"We will be looking for answers to searching questions about the security procedures which HMICA have in place to protect personal information and the safeguards that have been introduced to prevent a reoccurrence of this type of incident."

A spokesman for HMICA said in a statement: "An investigation is underway so it would be inappropriate to comment further at this stage."

A question mark hangs over which postal carrier handled the discs, as the Royal Mail cast doubt on its involvement saying: "We have not been given any indication by the Ministry of Justice that [the data loss] has anything to do with Royal Mail."

Royal Mail recorded delivery is treated as standard post, and is not tracked by the Royal Mail.

ZDNet UK's Tom Espiner contributed to this report

Comments

There are 12 comments.

  1. Steve Lawson

    It's about time that data was only moved around by courier ONLY.

    Even 'Special Delivery' (which IS tracked) seems hardly adequate as a secure way to move data from one location to another.

    This simply isn't good enough and the practice of sending by post, confidential data on this scale should be made illegal.

  2. Chris

    Forget couriers. It's about time they got their act together and banned any rendering of this kind of information on a physical transportable medium. Should only ever be moved by secure network links.

    I cannot believe that the people responsible for handling this sort of data are so naive and incompetent.

  3. anonymous

    Don't vote for stuck up non modern thinking/IT literate ministers, it's about time things were run by people who actually know the score. plain stupidity

  4. Karen Challinor

    OH FFS! did the same person specify all these systems or something, or did the government do its usual trick and "shop around" for an expert who would tell them what they wanted to hear ?

    the thing that's puzzling me is if something like this had happened in any government up to the John Major one, this would be a scandal, heads would be rolling, the government of the day would be booted out of office with a vote of no confidence and there would be a general election in fairly short order

    somehow this lot have managed to not only keep their jobs, suppress any scandal, avoid an election and far from a no confidence vote in the house the entire issue has been spun into a state of mild embarrassment "hoho we've misplaced another bunch of personal details well no harm done eh, well no one important was in it were they?" and the more c*ck ups that are discovered the milder the embarrassment gets and the less is done to prevent future c*ck ups

    WTF is going on in the corridors of power ?

  5. misceng

    Incompetence is rife. As a professional engineer in the Civil Service I had to deal with administrators who controlled the funding of my projects. Highly educated with honours degrees in History or the like they regarded us professionals as experts to be on tap not on top. Since they had no knowledge of technicalities they did not know even how to ask technical questions or understand the answers. It is therefore unlikely they would even ask about data transfer or encryption but they do know how to write letters and post them into the internal mail system where their transmission is in the hands of underpaid clerical assistants.

  6. Richard Marshall

    They used Royal Mail to send sensitive data CDs ... are they mad???

    Mail theft and tampering are now endemic in the UK, with CDs a common target. No doubt, some part-time postie thought they were music CDs and made away with them (James Brown, perhaps: Can I get a Witness?).

    They'll probably turn up in landfill somewhere.

    Incidentally, mail theft from the once reliable UK postal system seems to be approaching Latin American levels of awfulness. In my experience one in five packages gets interfered with in some way and one in ten fails to arrive at all, with CDs and DVDs most commonly targeted.

    Is this country-wide or am I just geographically unlucky?

  7. David Fletcher

    Vote Karen for the next PM.

  8. Cassandra

    What's going on you ask? The private sector developers are not interested in making things secure or accountable - they are interested in profit. Each ad-hoc data set created means they get paid extra - so why advise or design a secure responsive accountable scalable system when there's money to be made in all the extras that they forget to include?
    In a market where a Civil servant is seen as an expensive running cost despite being a cheaper alternative to external contractors we are less able to keep or motivate front-line staff with current skills sets as they're poorly paid and leave and much development work has gone to external contractors.
    We lose expertise. Why when failing systems are usually designed and run by expensive external contractor firms do we keep perceiving this as a public sector IT failing?

  9. Karen Challinor

    "Why when failing systems are usually designed and run by expensive external contractor firms do we keep perceiving this as a public sector IT failing?"

    because the public sector specified and paid for the product they received, caveat emptor always applies, in short if you don't know what you are buying then you don't buy it

    I'm not blaming the poor sods on the front line as you say they are actively demotivated from above and seen as cost centres and not assets, I'm blaming the people who sign the cheques the ones who listened to the contractors and experts, didn't understand a word, and still paid for the product without clarifying what it was they were paying for, the ones who were promoted sideways or received a peerage or fat pension shortly afterwards because of this "success", the mandarins, the classics graduates the ones who can name every artist displayed in the Louvre or know the life history of every member of the House of Windsor but have no grasp of technology above the fountain pen

    these people work for us, they have a duty to understand what they are purchasing on our behalf, simply blaming greedy contractors who bamboozle them with long words until the cheque gets signed is not a defence

    if experts are regarded as disposable assets to be hired, fired and chosen because the answer they give reinforces the chooser's paradigm then this needs to change and change now

  10. Jeremy Wickins

    Just one comment - what a pile of sh*t!!!!

  11. Chris Goodman

    It seems that a necessity exists for legislation to make public servants be personally and criminally responsible for data losses, whatever the circumstances. Any mitigation a matter for the Judiciary.
    It must be mandatory for all losses to be reported to the police within 24 hours of the loss being discovered.

  12. Jeremy Wickins

    To follow up on Chris's comment above, the legislation is there - the definition of "data controller" in the Data Protection Act is quite clear. All that is required is to make it stick in these situations (NO exceptions). Regulations could be brought in almost immediately, without the need for a new statute, to make it a requirement that all data loss is reported within a given time (I like your 24 hours). However, this government uses regulations only to sneak things through that take things away from the public, not to give us anything.
