UK's Privacy Chernobyl

I didn't write about this story at first because we've seen it so many times before: a disk with lots of personal information is lost. Encryption is the simple and obvious solution, and that's the end of it.

But the UK's loss of 25 million child benefit records -- including dates of birth, addresses, bank account information, and national insurance numbers -- is turning into a privacy disaster, threatening to derail plans for a national ID card.

Why is it such a big deal? Certainly the scope: 40% of the British population. Also the data: bank account details; plus information about children. There's already a larger debate on the issue of a database on kids that this feeds into. And it's a demonstration of government incompetence (think Hurricane Katrina).

In any case, this issue isn't going away anytime soon. Prime Minister Gordon Brown has apologized. The head of the Revenue and Customs office has resigned. More is certainly coming.

And this is an easy security problem to solve! Disk and file encryption software is cheap, easy to use, and effective.

Posted on November 26, 2007 at 1:15 PM • 70 Comments

Comments

Proper Incentive • November 26, 2007 1:35 PM

It's certainly amazing that bureaucrats at a government agency didn't have the proper incentive to do something cheap, easy, and effective.

I think the best answer is more government regulation: a new agency to monitor the R & C office.

Nigel Sedgwick • November 26, 2007 1:38 PM

As well as the lack of encryption of the transmission medium, there is the fact that most of the private data sent was not actually required by the recipient.

There is also the question of a copy of all this private data being handed on to a contractor by the recipient, again with their having no need for much of the data.

Underlying all this, there seems to be to be a total lack of appreciation within the responsible government departments that large-scale aggregated data is often worthy of a significantly higher security or other protective classification than that applied to individual data records (or fields).

Best regards

dob • November 26, 2007 1:48 PM

"It's certainly amazing that bureaucrats at a government agency didn't have the proper incentive to do something cheap, easy, and effective."

The phrase "bureaucrats at a government agency" can be replaced by the word "people" with no loss in accuracy.

"I think the best answer is more government regulation: a new agency to monitor the R & C office."

The best answer is indeed more government regulation, but in the form of legislation, namely requiring strong penalties for those whose negligence leads to data exposure.

UNTER • November 26, 2007 2:07 PM

PI: "It's certainly amazing that bureaucrats at a government agency didn't have the proper incentive to do something cheap, easy, and effective.

I think the best answer is more government regulation: a new agency to monitor the R & C office."

Because this hasn't happened in the private sector over and over again with little to no self-correction. Libertarian cynicism may sound smart - sound being the key term.

"The market will automagically correct itself." Hits self with hammer one more time - the world is primarily filled with morons.

mark • November 26, 2007 2:28 PM

Sadly I think "this issue isn't going away anytime soon" is just misplaced optimism. I have been shocked by how little this seems to bother people. Either there is little understanding of the implications of this or people are just plain stupid. Either way there has been very little in the way of outrage and it seems they will get away with it. In fact I have heard a number of government ministers on the radio using this to claim that "this shows why we need a national ID database, to protect us from id theft" and "with the national ID database and biometrics we would be safer from this kind of loss". I have heard little or no intelligent dissent - except, it turns out, from my local MP who I wrote to and who sent me a very intelligent letter back.

Despite being on the database myself - I find myself hoping that it does "fall into the wrong hands" because if this actually was hurting people they might think about it a little more.

Sadly this government's attempt to turn the populace into an unthinking bovine herd, happy to be led into a world without civil rights, is turning out to be working rather well.

So what other countries are good to live in then?

Proper Incentive • November 26, 2007 2:34 PM

@ dob and UNTER

"The phrase "bureaucrats at a government agency" can be replaced by the word "people" with no loss in accuracy."

Well, no, not actually. People at private companies have different (better in this case?) incentives than bureaucrats.

"Because this hasn't happened in the private sector over and over again with little to no self-correction."

First, it happens less frequently in the private sector, because business owners have different incentives than government employees, incentives which put their rear-ends on the line more frequently and more effectively. (Here's a test: try firing your doctor. Now try to fire your postal worker. Notice any difference? That's why so many people like government jobs.)

Second, when this 'happens in the private sector', an entrepreneur can see what the private company did wrong, and go into competition against that company, offering better service. With a properly written contract (forfeiture of profits in an event of breach), the customer can expect better performance.

When this happens in the public sector, the focus is on blame (as in this case), and we look for a resignation. But the resignation doesn't solve the problem, because the root problem wasn't with the head of the R & C. The root problem continues to be the structure of performance incentives in the enterprise.

sim • November 26, 2007 2:35 PM

The news reports have talked about "two CDs"; information on 12.5M persons on each CD comes to about 56 bytes of data for each person. If that includes all the mentioned data - dates of birth, addresses, bank account information, and national insurance numbers - the info's pretty decently compressed.

Aside from all the idiocy already involved in the case, who goes through the trouble of compressing that data and yet doesn't encrypt it?

wkwillis • November 26, 2007 2:45 PM

I'd be more worried if it was on two DVDs. Those disks hold much more data than audio CDs.
I wonder what compression they are using? Storing names as two bytes on average is pretty easy, but the rest is random numbers and can't be compressed.

John Davies • November 26, 2007 3:05 PM

As somebody whose details are very likely on this list I really would like to see somebody prosecuted for this. We have reasonably tough data protection laws in the UK so let's see them applied for once.

Unfortunately while our politicians are in "cover your ass" mode there's no chance. Expect the issue to be swept under the carpet any day now.

Gomez • November 26, 2007 3:05 PM

I don't understand why the top man resigns in these situations...
...without firing EVERYBODY in the command line from him down to the individual numbnuts that actually handled the disks.

Failing to tell your boss to do something properly is a sackable offence in my book.

dob • November 26, 2007 3:16 PM

"Second, when this 'happens in the private sector', an entrepreneur can see what the private company did wrong, and go into competition against that company, offering better service. With a properly written contract (forfeiture of profits in an event of breach), the customer can expect better performance."

Of course, the private company, just like your maligned government workers, would have every incentive to ensure the data breach is never publicized... more incentive, actually, since their profitability is on the line.

"(Here's a test: try firing your doctor. Now try to fire your postal worker. Notice any difference? That's why so many people like government jobs.)"

Funny, I tried firing my doctor, but he was there the next time I went back to the clinic. Oh, did you mean I should change clinics? That's odd, when I went to a different postal station, the clerks were different too.

(You want to argue from a glibertarian point of view? That's fine, but please keep the condescension down to a mild smugness.)

Brit • November 26, 2007 3:17 PM

@Bruce

"And this is an easy security problem to solve! Disk and file encryption software is cheap, easy to use, and effective."

I'm sure you are correct but IMHO, another good thing would be a smaller state that didn't collect so much information in the first place.

Perhaps the best thing to come out of this is how starkly it illustrates the dangers of big government databases full of personal data - especially regarding the UK national ID card and UK border traveller information collection.

Lastly, I am appealing to all UK citizens *NOT* to use Bruce's blog to vent your spleen about grievances against the current UK government; it's all been said before and this is primarily an American blog. What we should be thinking about are the correct data processing requirements, technical security measures and the 'softer' matter of changing the priorities of Government in general.

Anonymous • November 26, 2007 3:25 PM

Surely the government should have solutions in place that prevent 'SELECT * FROM all' on major (all) databases?

What about Guardium for example? Or did that cost more than the additional cost of only selecting a subset of the database?

(thought that was the point of database, must be wrong though....)

Petréa Mitchell • November 26, 2007 3:30 PM

It's even worse than that; HMRC has apparently lost at least 3 other CDs. The Register has a complete roundup of its coverage here:

http://www.theregister.co.uk/2007/11/22/...

It should also be noted that the Prime Minister recently moved to that job from being Chancellor of the Exchequer -- in other words, the head of the department which includes the agency now being roasted.

Andy K • November 26, 2007 3:44 PM

Re: "Disk and file encryption software is cheap, easy to use, and effective."

Absolutely. Of course, the simple thing is to write the encryption key on the disk with a marker. Sadly, the problem is not the strength or speed of the encryption technology, but key management. Pardon my ignorance, but are there adequately automated and workable solutions out there to manage the keys? Besides "Password Safe", that is :)

Having worked extensively in private industry, I know protections will not be put in place until it is easier to protect than to fail to protect. (Or until the penalties of failure to protect include the "perp walk" for executives and ministers.)

(@dob - "glibertarian" - I like that.)

David Dyer-Bennet • November 26, 2007 3:55 PM

I keep looking at encryption to protect the entire disks of my computers. I keep deciding against it -- because a glitch in key management has such awful consequences for me.

If I were dealing with important commercial (or government) data, I'd be even *more* worried about losing it all to a key management glitch.

Nomen Publicus • November 26, 2007 4:04 PM

It appears that the base cause for the loss of the disks in the "post" was cost. The data processing is outsourced to EDS and they charge for nonstandard data extraction jobs (the requirement was for a few hundred random records that could be audited.) So instead of a few hundred records, the entire database was sent. It's unclear as yet, but entirely possible that there was already a snapshot of the database available.

From the various reports that have become public I would be confident in thinking that various government departments have their private copies of the database which are used rather than going to EDS and generating billable jobs.

In other words, the database contents were open for abuse, possibly for years.

People should be worried about ID cards. No matter what security policies are in place, the data will leak.

Proper Incentive • November 26, 2007 4:11 PM

@dob

"Of course, the private company, just like your maligned government workers, would have every incentive to ensure the data breach is never publicized... more incentive, actually, since their profitability is on the line."

Well, between the incentive to cover one's behind, and the incentive to prevent problems in the first place, I would guess the latter is the more important incentive from the customer's point of view. Would the customer rather:

1. Have his data breached, and be less vulnerable to a coverup of that breach? Or,

2. Have his data secure, and be more vulnerable to a coverup of a breach?

At any rate, I think that's a false choice. Auditors (private auditors, and yes that's an added expense) exist to service that very need, the need for exposure of coverups and coverups in the making.

So the customer's need for data security is met by a private company which has a strong(er) incentive to prevent problems than a not-for-profit entity does, and the customer's need to prevent breach coverups is met by the services of the private auditor(s).

Of course we could now ask, what if the auditor makes a mistake? Doesn't he have a bigger incentive to cover up his own mistake? But asking, 'Quis custodiet (etc.)' for each stage misses the more important point, I believe: that when choosing either a private or public entity to perform data security services, the awareness that one could quickly lose (through poor planning and poor execution) the income stream from this customer's patronage is a more effective incentive in achieving the goal of security breach prevention, than is the awareness that (due to poor planning and poor execution) one's boss may or may not have to resign his post.

Nix • November 26, 2007 4:16 PM

What I find most amazing about this whole saga isn't that the disks were sent at all, although that's amazing: it isn't that they were sent unencrypted, although that's astounding: it isn't that they contained bank account details and names and NI numbers all cross-referenceable, although that's appalling: it's that the HMRC did this in March and the disks were *sent back* by the NAO with the statement that they required redacted data, not the full set they were provided...

... and a few months pass and the HMRC sends *exactly the same data again*, even though they'd been warned *by their own respondent and official auditor* not to do this.

And *that* is criminal stupidity.

Pat Cahalan • November 26, 2007 4:24 PM

@ Bruce

> "And this is an easy security problem to solve!"

Going to have to call you out on this one, my good sir. This is decidedly not an easy security problem to solve.

> "Disk and file encryption software is cheap, easy to use, and effective."

Not entirely applicable in the case of CDs, but in general, when is the disk encrypted? The entire disk? How about laptops? What happens when the user forgets their password on the road? If they're the type of user who forgets passwords, what's preventing them from putting their password on the bottom of their machine? Now we have a worse situation: a laptop or CD gets lost or stolen, the breach isn't published "because the data was encrypted, and therefore it is safe."

From the article:

> He said the information "should never, ever have left the building in which it was stored".

THIS is the part that is telling.

In order to have a meaningful data security policy, you first have to decide what needs to be seen and by whom. You can't just rub encryption on your data and expect it to solve your data security problems, you need to have a sensible policy to start. If someone doesn't need access to the data, don't put it on removable media! Don't allow people to take large databases on the road on their laptops!

Fred P • November 26, 2007 4:36 PM

@Pat Cahalan -

Even with your caveats, it's still an easy problem to solve - heck, I've solved far worse problems; perhaps you misunderstand the definition of something which is difficult to solve in the computer security field?

But if you won't trust someone with Bruce's ( http://www.schneier.com/papers.html ) level of credibility on this topic, I sure wouldn't trust me.

Ironic Dude • November 26, 2007 4:43 PM

This is happening in a country where they can force people, with the penalty of imprisonment, to give up personal encrypted data because they suspect that it might hide incriminating evidence against that person. They have not understood the first bit about privacy of their citizens and why it needs to be protected. This event is further proof of this fact.

Henning Schulzrinne • November 26, 2007 4:45 PM

There are two parts to this data loss: data that "merely" exposes private details, such as the number of children, and data that can be used for criminal purposes. In this case, the exposure of these private details to some random "lucky" finder of the disks is annoying, but I suspect most people would consider it no more than that, given that knowing that some random Joe Smith the finder has never heard of has three kids isn't all that interesting to the finder, and you presumably already know the number of kids your neighbor has. I'm not trying to downplay the severity, just that if this incident had only involved the number of kids in the UK that the reaction probably would have been different.

The worry seems to be primarily about the bank details, but that's mainly because of the design stupidity that knowing a bank account number confers any privileges whatsoever. Such a number should only allow somebody to deposit funds for the benefit of the owner, which would make its accidental loss relatively harmless. Thus, since it's impossible to prevent data leakage with 100% certainty, the next best thing is to restrict the usability of the data, so that knowing such numbers has no real value to the attacker or finder.

Pat Cahalan • November 26, 2007 4:48 PM

@ Fred P

> Even with your caveats, it's still an easy problem to solve.

I disagree. If it were easy to solve, you wouldn't have data breaches. The technology is easy. The politics, the enforcement, the human side of security, that's hard.

> Perhaps you misunderstand the definition of something which is difficult to solve
> in the computer security field?

I'd say that we're operating on different definitions of "problem".

Security is a human problem, not a computer problem. You can implement all the technological walls you want, if you don't have a holistic security policy that takes into account your users, your data, your resources, your attackers, your acceptable risks, etc., you don't have a real security policy.

"You must use encrypted storage media" != "Your data is reasonably secure". From a mathematical standpoint, yes. From a process standpoint, a human political standpoint, no.

jdege • November 26, 2007 4:52 PM

Everyone seems to be assuming that the data on the disks was not encrypted, but from the TimesOnline story linked in the original post:

"October 18 Junior official sends two password-protected disks with all child benefit payment records to NAO using the courier firm TNT, again ignoring security rules. They fail to arrive"

Now what technical reality underlies the reporter's vague "password-protected disks" is anyone's guess, but one likely possibility is that the data was stored on the disk in a password-protected format - like in encrypted zip files.

Zeth • November 26, 2007 4:58 PM

@ Bruce

> And this is an easy security problem to solve! Disk and file encryption software is cheap, easy to use, and effective.

The problem with this, as I have explained at length on my own blog (link below), is that the British government are fighting a cold war on encryption in general, and want us all to keep everything in plain text. I seriously doubt the government will ever recommend encryption to be used by the masses, I'm afraid. The security of the citizens (the government's first duty) is sacrificed for more control over the citizens.

http://commandline.org.uk/ethics/...

Brian S • November 26, 2007 5:20 PM

@Proper Incentive

"First, it happens less frequently in the private sector, because business owners have different incentives than government employees, incentives which put their rear-ends on the line more frequently and more effectively. "

I last saw the breakdown in late July 2007, from http://www.privacyrights.org/ar/... and http://attrition.org/dataloss/dataloss.csv; however, in that breakdown:

Somewhere around 221 million records of data were lost.

35% of the incidents were business, 31% education, and 25% government, 10% medical

76% of the records lost were from business losses, with government at 19%.

So even with the added 1 incident of 25.5 million, government is still vastly less on incidents and, at worst, achieving parity with business for lost data.

Gerg • November 26, 2007 5:27 PM

I find it surprising that you say encryption software is "easy to use" when experience here on your blog shows time and time again that while it may appear easy to use, it's devilishly hard to use properly.

The really interesting lesson here is that the agency the data was being sent to hadn't even requested all the details that it was sent. Had the person sending the data treated it with half the importance it had they would never have sent anonymized data in the first place.

Rather than look for technological solutions to problems the first rule should be to check whether there is any reason to open up a vulnerability in the first place.

pj • November 26, 2007 5:53 PM

Someone I know is working for a private company on a related government project, and heard they have so far used WinCrypt for all their email attachments, with appallingly bad passwords (think "five-letter dictionary word plus number"). After the event, they have been instructed to move to PGP. Why is it so hard to have proper government guidelines for these things?

Proper Incentive • November 26, 2007 5:54 PM

@Brian S

Brian,

Where are the percentage figures you cite listed on the sites you posted?

Or did you calculate those percentages?

ShortWoman • November 26, 2007 6:19 PM

He said the information "should never, ever have left the building in which it was stored"

Beyond encryption, how about we stop storing information like this on portable, easily stolen disks in the first place? Every time I see one of these "laptop with personal information on x,000 people" stories, I wonder why the heck it was there in the first place. Why exactly would one need sensitive personal information on thousands of people from remote locations? All at the same time? Convenience is not a good enough answer.

Physical security of data must come before other forms of security.

Proper Incentive • November 26, 2007 6:42 PM

@Brian S

Well, a couple of things.

First, your numeric conclusions from the data from the URLs you posted could use some work. For example, entities in the second list you posted are entered multiple times, and you've calculated your percentages as if each had only one entry.

So, since Bank of America is listed eight times, and the Georgia Dept. of Community Health is listed only once, then you can conclude that businesses are responsible for 87.5% of data breaches, while government entities are responsible for only 12.5%! (Even though the GDCH breach alone exposed 2.9 million records, while the combined total of exposed records in the BOA breaches was 1.9 million.)

Second, why are you failing to include all those state universities in your calculation of 'government losses'? Do you think a bureaucrat is not a bureaucrat simply because they work at a state university? Why the exemption?

Once you recalculate, you'll find the percentages favor private management of data security.

Keep in mind that all of these breaches are ones that reached a certain level of public exposure. What of the breaches that were covered up, or worse, the ones that weren't discovered at all? Preventing breaches should be the primary goal, and properly assigning blame for breaches which do occur should be a secondary concern.

A strong profit incentive to prevent data breaches is the best way to come as close as possible to achieving that type of data security.

jay • November 26, 2007 8:06 PM

Utterly stupid... and we assume government institutions follow strict security procedures to safeguard our personal data.

Lawrence D'Oliveiro • November 26, 2007 9:05 PM

Encryption may be easy for you and me to comprehend, but not, it seems, for the average person. Google "Why Johnny Can't Encrypt" for a study done into this several years ago, with quite dismaying results.

Kashmarek • November 26, 2007 9:35 PM

Is anybody surprised by this? I am inclined to think that lack of encryption is purposeful so the information can be easily stolen (if that is the right word) and used by legitimate and illegitimate business, for making money!

And, maybe encryption doesn't help. Stop collecting the data. Use different methods rather than consolidating all this sensitive data together where it is most useful for crooks.

kgraham • November 26, 2007 9:44 PM

@Bruce: "Encryption is the simple and obvious solution, and that's the end of it."

Is this the same Bruce from the intro to Practical Cryptography? This is an architectural problem and encryption is only part of the solution. That the "IT worker" was even able to follow through on this mistake suggests at least 3 major problems:

1) Junior-level employee had full access to all the "naughty bits" of the data as a part of their normal access.
2) Direct access to the full dataset was available.
3) There was no standard protocol for interchange of sensitive data.

...encryption may (and probably should) be a major part of the overall solution, but to suggest that disk encryption is a fix ignores the real problem.

Reading between the lines a bit, it seems likely that there would be no control at all to prevent a nefarious (or simply sloppy) user from repeating this.

This is very similar to the US Veterans Affairs debacle -- that the data was readily available in a complete, aggregate (and yes, unencrypted) form to any one user is the fundamental flaw; everything that follows is inevitable.
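
The control that Nix, Nomen Publicus and kgraham describe as missing (a few hundred records for the auditor, with fields it had no need for removed, and no way to dump everything) can be expressed in code. This is an added illustration for this thread, not HMRC, NAO or EDS code; the record layout, the "nao-audit" policy, the field names and the key are all constructed.

```python
"""Minimum-necessary extraction: a fixed per-purpose list of permitted fields
and a cap on record count, enforced before anything is written out.
Illustration added to this thread; record layout, policy and key are constructed."""
import hashlib
import hmac
import random
from dataclasses import dataclass

# Constructed field names for a child benefit record.
ALL_FIELDS = {"ni_number", "name", "dob", "address", "sort_code", "account_no", "children"}
# Fields that identify a person or have value to a finder; these must not
# appear in any export unless the purpose explicitly allows them.
SENSITIVE = {"ni_number", "name", "dob", "address", "sort_code", "account_no"}

# Hypothetical policy: an audit sample may contain the child count and a
# keyed pseudonym, and never more than 500 records in one extraction.
POLICY = {
    "nao-audit": {"fields": {"children", "pseudonym"}, "max_records": 500},
}


class ExtractionRefused(Exception):
    """Raised when a request asks for more than its purpose permits."""


@dataclass(frozen=True)
class Request:
    purpose: str
    fields: frozenset
    count: int


def pseudonymise(ni_number: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated): the auditor can match and count
    records without learning NI numbers; the key stays with the data controller."""
    return hmac.new(key, ni_number.encode(), hashlib.sha256).hexdigest()[:16]


def extract(records, request, key, rng=None):
    """Return a random sample of at most request.count records carrying only
    the permitted fields.  Out-of-policy requests are refused outright rather
    than silently trimmed, so the requester sees the mismatch."""
    policy = POLICY.get(request.purpose)
    if policy is None:
        raise ExtractionRefused(f"unknown purpose {request.purpose!r}")
    disallowed = set(request.fields) - policy["fields"]
    if disallowed:
        raise ExtractionRefused(f"fields not permitted for {request.purpose}: {sorted(disallowed)}")
    if request.count > policy["max_records"]:
        raise ExtractionRefused(f"{request.count} records exceeds cap of {policy['max_records']}")
    rng = rng or random.SystemRandom()
    sample = rng.sample(records, min(request.count, len(records)))
    rows = []
    for rec in sample:
        row = {}
        if "pseudonym" in request.fields:
            row["pseudonym"] = pseudonymise(rec["ni_number"], key)
        for field in set(request.fields) - {"pseudonym"}:
            row[field] = rec[field]
        rows.append(row)
    return rows


def leaks_sensitive(rows) -> bool:
    """True if any exported row still carries a sensitive field."""
    return any(SENSITIVE & set(row) for row in rows)


def refused(records, request, key) -> bool:
    """True if the request is outside policy (convenience for checks below)."""
    try:
        extract(records, request, key)
        return False
    except ExtractionRefused:
        return True


# Constructed sample records; not real people.
RECORDS = [
    {"ni_number": f"QQ{100000 + i:06d}C", "name": f"Person {i}", "dob": "1980-01-01",
     "address": f"{i} Example Street", "sort_code": "00-00-00",
     "account_no": f"{10000000 + i:08d}", "children": (i % 4) + 1}
    for i in range(1000)
]
KEY = b"constructed-demo-key-held-by-data-controller"

if __name__ == "__main__":
    audit = Request("nao-audit", frozenset({"pseudonym", "children"}), 300)
    rows = extract(RECORDS, audit, KEY)
    print(len(rows), "rows;", "LEAK" if leaks_sensitive(rows) else "no sensitive fields exported")
    # The two failure modes from the thread: asking for every field, and asking for every record.
    for bad in (Request("nao-audit", frozenset(ALL_FIELDS), 300),
                Request("nao-audit", frozenset({"children"}), len(RECORDS))):
        print("refused:", refused(RECORDS, bad, KEY))
```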

Andrew • November 26, 2007 9:59 PM

What a great way to protect personal privacy for all Britishers! If you compromise that much of the population's personal data, everyone has to be suspect for the foreseeable future.

UK friend • November 26, 2007 10:22 PM

I feel sorry for the victims here, the people whose personal data has been compromised. This is another proof that the government will not and can not protect your information. They're just dying to collect it in any way but will not take the steps to prevent others from losing it. One version of this story even states that the files were password protected but the password was included with the discs! Please, I hope that story is wrong!

Tree • November 26, 2007 10:41 PM

@Proper Incentive

First of all, working for a private company doesn't exempt someone from being a bureaucrat. Most businesses are bureaucracies.

Also I don't see the financial incentive for businesses to have good data practices. The actual consequences are some bad publicity (which hardly matters when everyone is leaking information) and maybe some bureaucrats losing their jobs. This causes the bureaucracy to put some better policies in place, which work until people get lazy and there is another leak.

Government regulation could add an actual financial incentive for businesses to keep their data secure, but I have a feeling you wouldn't like that.

CJ • November 27, 2007 12:40 AM

@Brit: "... this is primarily an American blog...."

Oh really? I always thought it was about security issues, wherever they might arise.

Secure • November 27, 2007 1:46 AM

When such data collections are lost, someone notices it. But how often were and are they simply copied, without anyone taking notice?

There is only one way to avoid the misuse of large data collections: Don't collect the data.

Dom De Vitto • November 27, 2007 1:57 AM

To me, being on the disk, the data loss is much less of a worry than the fact that some "junior" can do some "select * from whole-database into outfile..." and get the output onto a CD/DVD (or anything else removable).

*THAT'S* the issue - how does HMG protect my data (which every criminal in the UK now knows is very valuable) from internal threats?

cassiel • November 27, 2007 3:18 AM

At the risk of going slightly off-topic: the popular press is suggesting that such a massive data breach is one, if not the final, nail in the coffin of the National ID Register scheme. While I'd welcome this outcome, it suggests that a national biometric database would be perfectly acceptable if it were secure, robust and reliable (and, of course, affordable). Surely such invasive measures should be opposed on principle, not just because they can't be made to work properly.

Olaf • November 27, 2007 3:31 AM

The disks contained password protected zip files allegedly. The contents were CSV text files.

aze • November 27, 2007 3:32 AM

@all you telling Bruce encryption is difficult.

It is true that writing encryption software is difficult. It is definitely true that writing user interfaces to encryption software is very difficult.

However, this is already done and commercially available. PGP and Hushmail both exist. The key distribution problem is difficult, but public key servers do largely solve it. In a commercial environment this can be trivial. The interface to PGP is too difficult to learn in 90 minutes without help, but is fine after one day with training.

On the scale of the cost and education of a UK civil servant, one day of training and the cost of PGP is very cheap and easy. There are certainly some limitations and risks which you would have thought that the government which invented public key cryptography (prior to RSA) and ran Bletchley Park could improve upon; however, PGP encrypted files would definitely have been better than their current systems.

John • November 27, 2007 3:51 AM

In this instance I think that the use of encryption was easy - because it wasn't the sole repository of the data. If you lose the key then you don't lose the data. Also, while the general public may not understand encryption they do understand passwords so it is relatively easy to send someone a zip file and then phone them or email and tell them the password to unlock it.

But the strange thing is, it sounds like this is what was done - in that reports suggest this was a password protected zip file and yet they still report that encryption wasn't used. I expect it is possible to configure the archive tool to password protect without encryption (for backward compatibility with very old systems) but I'd be surprised if this was the default operation, so why would they intentionally weaken the security?

Of course the question might be moot - because they probably used an easily guessed password (or wrote it on the disc ;)

23 year old junior • November 27, 2007 4:47 AM

"If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography."

.....

Cryptography isn't the solution. Cryptography solves the problem of plaintext in transit. But there is a far larger problem here - a 23 year old should not have had access to 25 million records! Such a data dump should be restricted to a minimal set. Furthermore, the system should not have allowed the 23 year old to dump the data to CD - restrictions should have been in place. I could go on...

SteveJ • November 27, 2007 5:03 AM

@Proper Incentive: "(Here's a test: try firing your doctor. Now try to fire your postal worker. Notice any difference?"

Yeah, I can change doctors much more easily than I can change postal workers. Good point.

Except, I live in the UK, where doctors are employed by the NHS (they're public-sector workers), whereas postal workers are paid by the Royal Mail (which, despite the name, is a private company, although admittedly the government is still the major shareholder).

So what does this mean? That in the UK private jobs are more secure than government jobs?

No, it means that you go to your doctor, whereas your postal worker comes to you. That's why you can change one but not the other. It's nothing to do with private vs. public.

greg • November 27, 2007 5:46 AM

@23 year old junior

If the 23 year old has the security clearance I see no reason to bring age into the picture. After all, I don't see any better decision making by the much older politicians.

I was given high clearance at the age of 19. I have a friend that was in the RAF and was arming nukes during the cold war at 20. I have some friends whom I don't trust with a car at the age of 40.

Age is not really relevant in the bigger scheme of things.

Ian Eiloart • November 27, 2007 6:07 AM

Encryption isn't the easy and simple answer.

On top of providing encryption software, it has to be easy to use, and the user has to want (or be forced) to use it.

There's a huge cultural and political issue to be resolved here. Particularly given that the intended recipient of the data is the very organisation that's supposed to ensure that public money is used effectively and efficiently!

Dave • November 27, 2007 7:10 AM

@ 23 year old junior:

That's correct except for one thing: Age has nothing to do with authority. We have a 54 year old janitor here who should not have access to any sensitive data and we have had a 21 year old sysadmin who had access due to the nature of his work.
He received training on how to appropriately handle sensitive data and who sensitive data could be given to (i.e. a list of other people who had the same training.)

The guy in question in this case either didn't have the training or ignored it but a major part of the actual problem is the procedure that requires sensitive data to have copies made of it. It takes more effort but it is possible to restrict access to data so that there is only one copy.

Seniority shouldn't affect whether you can access data either but unfortunately it often does. If your boss says "I want a list of all of our customers' email addresses", you give it to him, even if it violates the company security policy (and even if he's only 23) because he's the boss.

MH • November 27, 2007 7:14 AM

The reason the data was not desensitised was that it would have involved a large payment to EDS. All departments are facing a great deal of purse-tightening which would, I can imagine, have led them to trying to find alternative methods of meeting the request for information from the NAO. One of the many problems with the Government outsourcing their IT functions to commercial companies is that they can't always afford to buy the services they need if they weren't part of the original contract. Extras over and above the original contractual arrangements tend to be prohibitively expensive!!

Area42 • November 27, 2007 8:37 AM

@John

“But the strange thing is, it sounds like this is what was done - in that reports suggest this was a password protected zip file and yet they still report that encryption wasn't used.”

To me, that sounds like an older version of Pkzip or Winzip was used. The latest versions of Pkzip (SecureZip) and WinZip use AES – older versions used the Zip 2.0 scheme which offers far less protection due to known vulnerabilities.

I’m starting to feel a bit sorry for the 23 year old junior. Let’s face it – he’s never going to want to see another CD again for the rest of his life. I hope he prefers downloading his music... then again, if the UK government was more into ‘downloading’ than chucking CDs all over the shop, said 23 year old junior might not be having to face the music right now.
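An added example, not from the thread and not code from any tool or archive it mentions, showing how a defender can check what a "password-protected" zip actually declares: bit 0 of each entry's general-purpose flags says whether it is encrypted at all, and WinZip's AES marker (compression method 99 plus an extra field with header id 0x9901) distinguishes AES from the legacy PKZIP 2.0 ZipCrypto scheme. The archive bytes are constructed inline and the "encrypted" payloads are placeholders, so only the headers are inspected.

```python
import io
import struct
import zipfile
import zlib

# WinZip AES extra-field header id (from the WinZip AES encryption spec).
AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}

# Constructed sample entries: (name, payload, encrypted flag, AES strength).
# Payloads of "encrypted" entries are placeholders, not real ciphertext.
SAMPLE_ENTRIES = [
    ("benefits-plain.csv", b"nino,dob,sortcode\n", False, None),
    ("benefits-zip2.csv", b"<constructed ciphertext placeholder>", True, None),
    ("benefits-aes.csv", b"<constructed ciphertext placeholder>", True, 3),
]

def _zip_entry(name, payload, encrypted, aes_strength, offset):
    """Build one STORED entry: returns (local header + data, central header)."""
    flags = 0x0001 if encrypted else 0      # bit 0: entry is encrypted
    method, extra = 0, b""
    if aes_strength:
        # WinZip AES marks the entry with method 99 and an 0x9901 extra field:
        # vendor version 2, vendor id "AE", strength byte, real method (0=STORED).
        method = 99
        extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", aes_strength, 0)
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    name_b = name.encode("ascii")
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0x21,
                        crc, len(payload), len(payload), len(name_b), len(extra))
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          method, 0, 0x21, crc, len(payload), len(payload),
                          len(name_b), len(extra), 0, 0, 0, 0, offset)
    return local + name_b + extra + payload, central + name_b + extra

def build_zip(entries):
    """Assemble a minimal, well-formed ZIP archive from the entry tuples."""
    body, central = b"", b""
    for name, payload, encrypted, strength in entries:
        local, cdir = _zip_entry(name, payload, encrypted, strength, len(body))
        body += local
        central += cdir
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(central), len(body), 0)
    return body + central + eocd

def _aes_strength(extra):
    """Walk the extra field; return the AES strength byte if 0x9901 is present."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        if tag == AES_EXTRA_ID and size >= 5:
            return extra[pos + 8]            # after vendor version(2) + "AE"(2)
        pos += 4 + size
    return None

def classify_entries(zip_bytes):
    """Report, per entry, the protection the central directory declares."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            strength = _aes_strength(zi.extra)
            if not zi.flag_bits & 0x0001:
                report[zi.filename] = "none (no password is required)"
            elif zi.compress_type == 99 and strength:
                report[zi.filename] = AES_STRENGTH.get(strength, "AES-?")
            else:
                report[zi.filename] = "ZipCrypto (legacy PKZIP 2.0 stream cipher)"
    return report

if __name__ == "__main__":
    for name, scheme in classify_entries(build_zip(SAMPLE_ENTRIES)).items():
        print(f"{name}: {scheme}")
```

The same check run over a real archive (read its bytes from disk) tells you whether "password protected" meant the legacy scheme or AES before you decide how serious a lost disc is.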

23 year old junior • November 27, 2007 8:37 AM

@greg/Dave,

I accept that age is irrelevant here. I should have written a 23 year old _junior_. This position being of importance, not his age.

Anonymous Cow Herd • November 27, 2007 8:46 AM

I can tell you that I've personally seen data insecurity of the worst kind go on for years in private companies. Whole databases of social security numbers (this being in the U.S., I'm sure there's a UK equivalent) and bank account information in the hands of every employee, regardless of whether they needed all of it or not. At one workplace, it was only cleaned up because some of the employees threatened to take it public if the company didn't do something about it.

Dave • November 27, 2007 9:53 AM

@Anonymous Cow Herd:

In the UK we have a National Insurance Number (NIN) which I believe is the equivalent. As a relatively new arrival in the UK, I had a "temporary" NIN for over a year before I finally managed to get a real one. The temporary one is made up of my gender, birthdate and my initials. Hardly unique but it does have a high probability of being unique. It's also very easy to predict... and anyone new to the country will have a predictable one.

Brian S • November 27, 2007 11:20 AM

@Proper Incentive

To your first question I calculated from the dataloss.csv file with supporting details supplied from the Privacy Rights Clearinghouse data.

Fair enough I might've made errors due to duplication (or possibly other errors, I'm not a stats guy) but I'd say also fair to count each incident and separate record loss as a new entry. That is why I calculated a "per incident" and a "per record" view of the data.

As you point out in your example, the per incident would favor GDCH, while the per record would favor BOA; however in the data taken as a whole both views pointed to business reporting losses more (that was a fair distinction I should've made).

They reported more data lost by 10% and 57% more records lost.

So while I *could* combine entries into a single one I think it would misrepresent the data by either removing the view on the number of occurrences or the view on the numbers of records lost (even if the same record were lost 2 times by the same org). In my view each loss is a loss and an opportunity for fraud, therefore counted as a separate item.

Even if I adjusted the data for a 1 incident, 25.5 million record loss and combined duplicates, the likelihood of moving to parity is low, let alone changing the government to the biggest source. However since I haven't recalculated this, please take this as speculation and my opinion. :)

Amiram Ofir • November 27, 2007 11:31 AM

Dear Mr. Schneier,

I'm afraid that this time your solution is not a good one and will not work.
As you said before (http://www.schneier.com/crypto-gram-0005.html) "Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products."

You say "encryption software is cheap, easy to use, and effective.". This is correct, but I think that you have to modify it to something like:
"encryption software" is a product. It "is cheap, easy to use," but as it is not a part of the process it is not "effective".

Unfortunately, the solution is more complex. The CD production should be a part of a process, The process that handles all that data. It should be one system with clear and simple rules. No exceptions should be allowed. Only then, security could prevent disasters.

The main reason for all that is the human factor. Encryption software, as simple to use as it may be, if not part of the process, someone, someday will make a mistake and forget it!

Pat Cahalan • November 27, 2007 11:55 AM

@ aze

> On the scale of the cost and education of a UK civil servant, one day of training and
> the cost of PGP is very cheap and easy.

Yep, and it won't solve your problem.

Look, if I have one paranoid user with important data and encryption, I can probably have a secure solution. If I have 20 really responsible empowered users and important data and encryption, I can probably have a secure solution.

If I have 50 users and important data and encryption, it's almost a certainty that some of those users don't regard the data as important as getting their job done. Throw the encryption out the window; I'm insecure now.

My point is that if you don't have a data security policy (where only those people who ought to have access to data are granted access to the data, there are *established* policies for access, aggregation, or transfer of the data, and those policies have management support and enforcement), thinking you can rub encryption on your data and give you a secure solution is fantasy. Bruce wrote about this in Practical Cryptography, he knows this already.

I read this blog often, and I disagree with Bruce pretty rarely; he got lazy here and I'm calling him on it :)

People will grab all the data they're allowed to grab, instead of the data they're supposed to grab. People will skip encryption because it's Christmas and they want to get out of the office *right now* and the data really isn't that important anyway. Someone will put a post-it note on a CD, or a sticker on a laptop, or clip their RSA token to their bag so that they won't lose it.

If your data security policy doesn't include outside audit responses, it's broken. If someone has the authority to walk into a junior sysadmin's office and demand that he dump a bunch of sensitive data onto a CD and the sysadmin isn't empowered to say, "What, are you daft?", your data security policy is broken. If the sysadmin does it because he doesn't realize how sensitive the data is, your data policy is broken.

If your data policy is broken, encrypting the data isn't going to help you much.

mwenge • November 27, 2007 5:07 PM

wait a sec.. wasn't the disk widely reported as 'password-protected'? OK, it's not much but it may have been a very long password and surely that counts as encryption. ;)

iain • November 28, 2007 9:54 AM

@Brit

"this is primarily an American blog"

actually it is "A blog covering security and security technology" - at least that is what it says at the top of the page.

I work in IS in a Government agency and I am surprised at the lack of awareness of data protection & security issues which this whole sorry episode reveals.

We don't hold personal information other than employee data but take more care of it than HMRC have done (and I am one of the 25 million).

I think there should be prosecutions and I don't see how the CIO can stay in post.

There is not enough clarity on how the information got on CD to draw too many conclusions on how insecure their systems are. My guess is that these were csv files supplied by the outsourced contractor rather than a junior official running 'select *', and it was easier / cheaper just to send the whole lot than request a new extract.

I agree with those who think the 'just encrypt it' solution is too simplistic. It is about education and effective policies, unfortunately HMRC couldn't follow their own published privacy policy http://www.hmrc.gov.uk/about/privacy.htm


Unidentified • November 29, 2007 8:47 AM

When I read these type of stories, I cannot figure out why data is on a CD or laptop in the first place. Top government officials leaving laptops in taxis carrying data that should never be portable. No one ever needs to walk around with information like this, ever.

In this case, isn't there a secure network that can handle two CDs worth of data? Why would this information be handed to a courier? At least it should be an internal person doing the transportation.

Futility • December 1, 2007 1:38 AM

@Pat Cahalan:

QUOTE
"Disk and file encryption software is cheap, easy to use, and effective."

Not entirely applicable in the case of CDs, but in general, when is the disk encrypted? The entire disk? How about laptops? What happens when the user forgets their password on the road? If they're the type of user who forgets passwords, what's preventing them from putting their password on the bottom of their machine? Now we have a worse situation: a laptop or CD gets lost or stolen, the breach isn't published "because the data was encrypted, and therefore it is safe."
/QUOTE

Seagate released full-disk encryption hard disks not long ago. They appear to handle the key management quite well and are quite easy to set up (including Administrator keys to unlock the disk when the user forgets the pw). I know the project leader in Seagate Research in Pittsburgh who came up with this product. He's a real security freak (I talked to him about backdoors and the like and he assured me there are none. Alright, this is an Appeal to Authority fallacy, but it convinced me at least, knowing him personally). The product is mainly targeted at laptops to protect exactly against theft of data (physically) in transit. So, a technical solution for this problem seems to be available that is fairly easy to use.
However, you are right that this alone will not solve the problem. In this incident there were apparently no good security protocols in place to prevent the copying of the data in the first place. One would expect that people who deal with this kind of sensitive data are better trained in determining what constitutes good security practices and what not. And having a technical solution would, as you pointed out, make things even worse, since everybody would tacitly assume that the data is safe even if stolen.

aze • December 1, 2007 5:00 AM

@several people;

Back to defending my thought about encryption. I think you imply that I am making a mistake of innocence (I believe encryption would be a magic bullet for HMRC); when I think about this more, I realise that your innocence is greater. In analysing this you must realise that HMRC, especially senior people there, are the _enemy_; the junior officer there is an innocent bystander and the NAO are the people working more or less on our side. You can never expect your enemy's policies to be designed to help you. Calling for HMRC to have good data protection policies is like calling on Genghis Khan to ensure human rights in Russia.

NAO's policies already call for sending minimal data without "personally identifying information"; they had actually already returned the full data set and insisted on filtering. What more could they have done to improve privacy? My only answer is that if they had insisted on getting data encrypted and given a simple, cheap, standard procedure for doing that, the junior officer would probably have followed it without need for senior approval. This should be done even when handling data which should be non-personally identifying, since a number of recent reports have shown that it is often possible to extract more than expected from a data set. I'm even willing to admit that this would only have about a 50% chance of success. This optimistic number comes because the same procedure had been followed previously, so they would have had multiple opportunities to educate HMRC before the breach (as they were already trying to do about data filtering).

@Futility
>when is the disk encrypted?
before delivery to the user
> The entire disk?
of course; especially swap space; however excluding a small sector required for booting - we are protecting against permanently stolen machines
> How about laptops?
especially laptops.
> What happens when the user forgets their password on the road?
there is a password reset procedure which requires them to use strong authentication. With Pointsec (that I have actually seen work) you can implement this. So can various free Linux encryption systems. Typically you have to require the user to go to some kind of IT support organisation.
> what's preventing them from putting their password on the bottom of their machine?
When their laptop is serviced they will be told not to by IT people who will escalate it. If they do it repeatedly then your discipline policy comes into play.
>the breach isn't published "because the data was encrypted, and therefore it is safe."
That is a "simple" matter of the law. If the law states that all losses have to be reported but encryption can be taken into account and compensation only comes in when there is a reasonable chance of damage, companies will still benefit from better policies. Companies can already lie with the hope of getting away with it. I don't see how encryption (and other access control in general) makes the situation any worse than the current situation. The majority of data breaches are probably done by just copying the data without anybody noticing which means they are never reported in any case.

Steve Davies • December 1, 2007 9:47 AM

Two aspects of this:-
1) the 'cover story' attempted was that this happened because of a low level bod 'failing to follow procedure'. This was not picked up in the media in the UK but it seems obvious that the data management (and that includes security) is woeful and 'free form'. If a low level bod can bypass it all with a CD/DVD burner then it is plain rubbish IMV.
The hand-off to a low level bod is per usual in the UK, as senior bods are not accountable for any failure at all in every practical sense.
2) the UK Government collects vast amounts of data and shares it widely between departments and organisations.

Put the two together and the laissez-faire attitude and methods will result in more and more of these events. Heck, the Home Office can't even vet contract staff working in its own premises properly.
This is not a one off but an indication of a systemic and endemic problem that pervades HMG systems.

ID cards? Yeah right, they can't even keep the Driver licencing records even close to clean - something like a 25 percent error rate.

"Useless" sums it up. Add more systems and more data and it is going in one direction only.

Futility • December 2, 2007 1:44 AM

@aze
QUOTE
>when is the disk encrypted?
before delivery to the user
/QUOTE

???

The disk is not encrypted before delivery to the user. It encrypts and decrypts the data on the disk transparently (in hardware) when written or read, respectively. The pw to unlock the encryption key must be set before the disk is usable.

The full disk encryption is targeted at disks in transit (e.g. laptops) and protects the data when the disk is stolen (of course, it is pointless when the pw is attached to the laptop with a post-it).
But it is better than not encrypting the data at all (I changed my initial position on this matter somewhat.) Even if, say, in some cases the pw is attached to the laptop on a post-it, in most cases the data is not accessible to a thief, which is the objective. An entirely different matter is when such a disk gets damaged and the data needs to be recovered, which might be impossible to do (thus, it should really only be used on copies of important data that needs to be transported on a laptop). But all of this is irrelevant in the case discussed here since the data should not have been copied onto different media in the first place.

Pat Cahalan • December 2, 2007 1:06 PM

@ aze

> Calling for HMRC to have good data protection policies is like calling on
> Ghengis Khan to ensure human rights in Russia.

Then you have an impossible problem, that requires correction at the institutional level; again, this is a problem requiring holistic action. Simply requiring encryption isn't going to fix your problem. (Note -> I haven't been entirely clear here, using encryption obviously will *help*. Losing a pair of encrypted CDs (or a hardware-encrypted laptop) is better than losing a pair of plaintext CDs, as it decreases the likelihood that the data will be misused.)

PC> What happens when the user forgets their password on the road?

A> There is a password reset procedure which requires them to use
A> strong authentication.

Now you're already *way* past "this is an easy solution, just encrypt the disk!", and you're starting to illustrate some of the additional problems I'm talking about.

Now you need strong auth for everyone with a laptop. You need to manage that solution. You have to train people in the proper use of their auth tokens. You need to have the ability to properly revoke those tokens. You need to collect them when people are let go. If you have regional offices, they need to use the same technology or Joe from Office Alpha can't get help when he's at Office Beta, since the support staff don't know how his gear works. You have to have management buy-in to support disciplinary action against people who violate policy. You need HR approval for possible terminations of employment for repeat offenders. You need the Sales Department to agree that if Betty loses her token again, she gets fired, in spite of the fact that Betty generates 60% of the sales for the company and therefore 60% of the monthly bonus for the head of the Sales Dept. Identity management is NOT cheap, this all costs money, money, money, and time.

And, still, what happens when the CEO (or whatever the Chief Muckity-Muck analog is in your organization) forgets his palm pilot (which he uses to store his suitably complex password) and loses his RSA token while on the road? I'll tell you right now; if you can't enable this person to get access to his/her laptop before the Big Presentation and your organization loses the grant/contract/whathaveyou, not only are your security policies going to go out into the garbage when the Muckity-Muck gets home, so is your employment. Your crisis response plans need to be much more complex, and need to take into account many more failure modes.

Not to mention the fact that said CEO would ignore the helpdesk person reprimanding them for having their password on the bottom of their laptop.

This is an organizational politics problem, an economic problem, a legal problem, a security problem, and a technical problem all rolled into one big giant ugly package.
