Worker suspended over loss of data on all English prisoners

David Meyer ZDNet.co.uk | August 22, 2008 6:49 AM PDT

Summary

An employee at Home Office contractor PA Consulting has been suspended after the loss of a memory stick holding the unencrypted details of every prisoner in England and Wales.

Topics

Data Loss, Data, Worker, Spokesperson, Government Department, Government, Memory, Flash Memory, Semiconductors, Hardware, Components, David Meyer ZDNet.co.uk, security, UK, memory stick, Home Office

Vendor HotSpot

Here to help you with your Document Management Needs

Read the DocuMentor blog now

Learn More »

A staff member at PA Consulting Group has been suspended after the contractor lost details on all prisoners in England and Wales, along with those of tens of thousands of offenders.

The data was being held, unencrypted, on a memory stick for processing purposes, the Home Office said in a Friday statement, saying that precisely how that stick was lost is now the subject of an internal investigation. A Home Office spokesperson told ZDNet.co.uk that PA Consulting had been "appointed by the Home Office in June 2007 to provide application support for tracking prolific and other priority offenders through the criminal justice system".

Following the discovery of the loss, the Home Office has suspended the transfer of data from the same assignment to PA Consulting. The government department is investigating PA Consulting's contractual obligations, the spokesperson said. In addition, a "member of [PA Consulting's] staff has been suspended", the Home Office spokesperson said.

A spokesperson for PA Consulting would say only that the London-based firm was "collaborating closely with the Home Office on this matter". The contractor also undertakes other work for the Home Office, including providing biometric systems. The firm also has a logistics research contract with the Ministry of Defence, and provides web design for the Foreign and Commonwealth Office.

According to the Home Office statement, the lost memory stick carried "data from the Police National Computer, containing personal information about 33,000 individuals with six or more recordable convictions in the last 12 months (names, addresses and dates of birth); data relating to [approximately 10,000] prolific and other priority offenders (names and dates of birth, but not addresses); data relating to all [84,000] prisoners in England and Wales (names, dates of birth and, in some cases, expected prison release date and date of Home Detention Curfew); and Drug Interventions Programme data, with offenders' initials but not full names".

The police and the Information Commissioner's Office (ICO) have been informed of the breach. Deputy information commissioner David Smith said in a statement that it is "deeply worrying that, after a number of major data losses and the publication of two government reports on high-profile breaches of the Data Protection Act, more personal information has been reported lost".

"The data loss by a Home Office contractor demonstrates that personal information can be a toxic liability if it is not handled properly, and reinforces the need for data protection to be taken seriously at all levels," Smith said. "It is vital that sensitive information, such as prisoner records, is held securely at all times."

The ICO said it is awaiting a report following the Home Office's internal investigation, and will then decide on further action.

Security companies were quick to offer their thoughts on the data loss. Andrew Clarke, a senior vice president at Lumension Security, called on the government to institute "device-control policies… that enforce assigned permissions to individuals and devices".

"It is about putting the eyes of the management team on people's PCs. After all, if people know they are being watched, they are more likely to think again," Clarke added.

F5 Networks' security technology sales manager, Bill Beverley, said in a statement that public bodies should have similar security controls to those imposed on the financial sector. "Guidance measures, such as the [Payment Cards Industry] directive… are successful because they... provide effective and comprehensive methodology to protect data and... they are enforced," he said, adding that such controls would bring about a dramatic reduction in the incidence of data loss in the public sector.

The UK public sector has suffered numerous data breaches over the last year, the most notable being the loss of 25 million child-benefit claimant details by HM Revenue & Customs in November 2007. This month, the Foreign and Commonwealth Office reported five data breaches since 2007, and the Ministry of Justice reported nine incidents, affecting 45,000 people.

Talkback Most Recent of 15 Talkback(s)

Follow via:: RSS; Email Alert

Criminals protected?

Names, birthdays, and criminal histories of criminals in England are not public information??
wkulecz
22nd Aug 2008
- Reply to
- Flag
That's not the problem...

...the problem is:

a)It demonstrates the (in)competence of the Government to keep data safe, great when you see the amount of data (including biometrics) they'll want from us for our identity cards.

b) There may be useful information on the stick for the criminal element. The Government says not really. Do you believe them?
bargeemike
25th Aug 2008
- Reply to
- Flag
RE: Worker suspended over loss of data on all English prisoners

Good, just what we need: A society where everyone is required to 'think again' based on a sense of paranoia, instead of being taught to think. There is no 'thinking again' when you are expected to have only the one thought...

So why don't thumb drives for government use be required to have encryption enabled before any data is recorded? The most loseable bit of computer hardware yet, and we still treat it like some kind of irrefutable magik.
Shadetree Engineer
22nd Aug 2008
- Reply to
- Flag
RE: Worker suspended over loss of data on all English prisoners

The government may require encryption, but whoever was carrying it is probably your average user, and can't be bothered to think about anything other than getting back to the office to play flash games.
Xanthus179
22nd Aug 2008
- Reply to
- Flag
RE: Worker suspended over loss of data on all English prisoners

This is on top of losing CD's in the post, losing laptops and leaving confidential papers on trains.
And that's just UK.gov

They have lost millions of records of confidential information on the British public in the past year.
IT_Critic
22nd Aug 2008
- Reply to
- Flag
Criminal Karma!

What goes around, comes around.
Parassassin
24th Aug 2008
- Reply to
- Flag
RE: Worker suspended over loss of data on all English prisoners

Losing the device is a mistake, storing the data 'unencrypted' is negligent. This sounds like insufficient risk management policies to me.

If the staff member did not vialote any policies, he/she should not wear the punishment for this (although I suppose there was a "don't lose things" policy).

A few simple policies could have reduced/prevented the consequences and likelihood of this. E.g. encryption, data transport restriction and/or even a simple device-tethering policy (such as keeping it round your neck or attached to a lanyard...).

Chris Fry
http://www.chris-fry.com
ChrisFry
24th Aug 2008
- Reply to
- Flag
RE: Worker suspended over loss of data on all English prisoners

as if I am surprised? NOT!
never trusted a white collar in my life. you bet your butt if a blue collar man made a mistake he'd be fired johnny on the spot and probably sent to jail...
I have bets that this fool just got a slap on the wrist...wanna bet me?
varick
25th Aug 2008
- Reply to
- Flag
RE: Worker suspended over loss of data on all English prisoners

It could be worse ... maybe. http://notnews.today.com/?p=36
David Gerard
25th Aug 2008
- Reply to
- Flag
Over 37 million items of personal data lost

According to the reports I have read there have been more than 37M people whose personal data has been lost by government or their agents in the last year. Even allowing for some duplication this represents about half the population. This is the government which will force ID cards on the people so that over the years they can expose all of us to the danger of identity fraud. Do you want that?
misceng
25th Aug 2008
- Reply to
- Flag
Ultra Incompetence !

I call this of Ultra Incompetence (and UI complex).

"Congratulations" to those guys! o.O
Gradius2
25th Aug 2008
- Reply to
- Flag
RE: Worker suspended over loss of data on all English prisoners

It seems that the government(s) can't help but to lose or unwittingly share such valuable information. Here in Ohio, the state had a consultant combining all of their databases. Seems like the hired help left an unattended disk drive in an unlocked car. On the carseat none the less.
The offending worker was fired after a lot of irate taxpayers issued complaints , and the consulting agency continues to get work.
I guess security on those systems are as good as any diary where the workers might want to look up interesting facts on people. You might as well send unsealed envelopes to those people.
rMatey
25th Aug 2008
- Reply to
- Flag
RE: Worker suspended over loss of data on all English prisoners

Thats the uk for you....incompetence at it's very best..maybe we should have it as an oylmpic sport!!!!
rm001g8800@...
25th Aug 2008
- Reply to
- Flag
RE: UK Prisoner Data Loss

Two things bother me on this one:
1. Why was this data on a removable storage device to begin with? Important data like that should never be stored on a removable device.
2. I'm not sure how it works over there, but I know that here, personal data is stored using powerful encryption. Why would they not encrypt this data, I mean PGP is readily available and is rather hard to crack.
VAITGuy
26th Aug 2008
- Reply to
- Flag
RE: Worker suspended over loss of data on all English prisoners

There but for the grace of God go many - organisations (public, commercial and private) and individuals both!

Beware the glass greenhouse .....
aCSO
1st Sep 2008
- Reply to
- Flag