Lambeth sleepwalks into danger
A tax demand is never welcome, but Lambeth Council has found a new way to sour the pill. Council tax payers who coughed up via the online payments system have been rewarded by a confirmatory email containing all their credit card details — in plain text. As anybody who's ever read an article about email security will tell you, that's the equivalent of writing your secrets on a postcard and giving it to the nearest small boy to post.
Lambeth and their contractor Capita show little sign that they realise the significance of their actions. It was only for a couple of days, says Lambeth, and it can't happen again. The implication is that mistakes happen, after all, so why worry?
Not good enough. Mistakes happen, but they should not become disasters. It's far from unknown for a software upgrade to go wrong — as apparently happened in this case — which is why a competent operator runs tests afterwards to ensure that things are alright.
In this case, either nobody ran a functional test after the upgrade or they did but didn't realise the significance of what they saw. Either way, what happened was not just a mistake but a mistake amplified by a procedural fault. The consequences could have been — could still be — enormous, for a large number of people. Why should we believe that it couldn't happen again?
The situation is more serious than Lambeth thinks in other ways too. According to the Web site of the Information Commissioner: "It is an offence to knowingly or recklessly obtain or disclose personal information without the consent of the data controller. This covers unauthorised access to and disclosure of personal information." A criminal offence could well have been committed, one with the potential to hurt thousands of people to the tune of thousands of pounds apiece — a thought that may focus minds in South London.
The government is keen to be seen to be acting against identity theft, using the theme to promote its ID card policy while creating expensive advertising campaigns. It is also sensitive to accusations that state IT projects are incompetently planned and badly managed.
Here is the perfect chance to show that it means business on both fronts, while simultaneously encouraging everyone who holds private data to take their responsibilities seriously. Lambeth and Capita should be hauled over the coals, and a principle established that such breaches of trust are to be punished swiftly and effectively. Dangerous perceptions sometimes need bitter medicine.