"Shambolic" security behind Home Office data breach

Security experts deliver their verdict...

The loss of a USB stick containing unencrypted data on 84,000 prisoners by a management consultancy working for the Home Office has been slammed as a "shambolic" failure by the IT security industry.

Details of how unprotected sensitive data came to be on the USB stick owned by Home Office contractor PA Consulting - as well as how the stick itself was lost - remain unclear.

The loss of the stick follows a number of similar accidents at government departments, with a recent parliamentary question highlighting the perennial nature of hardware loss at the Home Office. Lord West of Spithead, parliamentary under-secretary for security and counter-terrorism at the Home Office, revealed 43 laptops and 94 mobile phones issued to Home Office and associated agency staff were lost, stolen or went missing between 2005 and 2007.

Security professionals are united in condemning how the latest breach saw PA Consulting able to copy the data to removable media without first encrypting it, and have stressed the need to defuse the threat posed by human error by automating encryption.

As Philip Wicks, security expert at IT services company Morse, said in a statement: "At the moment there seems to be a culture of letting anyone download anything onto a memory stick. This simply isn't sensible; there are things you can do to stop people being able to download anything from your IT systems."

Wicks added: "Policies and procedures should be put in place, as well as technology controls that either stop people being able to download sensitive information onto these devices or ensure the data is encrypted… If you start from this premise and then implement a policy of allowing people to download things to a memory stick or other removable media once they have demonstrated the data will be secured, data security will be vastly improved."

Security experts have also supported the introduction of a data breach law - as called for by silicon.com's Full Disclosure campaign.

Grant Campbell, partner at law firm Brodies, said such a change in the law is key to making organisations take the business of data protection seriously.

"The key to lasting cultural change must… lie in the role of the Information Commissioner and in particular, the effective roll out (expected by the end of this year) of his new power to fine for deliberate or reckless serious breaches of data protection legislation. He will also be acquiring the power to audit and inspect the data security arrangements of all data controllers, public and private," Campbell said in a statement.

Home Office data breach: What the security professionals say...

Nick Lowe, regional director, Northern Europe for Check Point:
"This latest loss means that sensitive data on over half the UK's population has been lost over the last 12 months… You've got to take human error out of the loop and encrypt data automatically on disks, or when it's copied onto memory sticks or CDs. This can be delivered for as little as £20 per computer.

"Despite this, less than half of UK public and private companies have any data encryption deployed. Our November 2007 survey of UK public and private companies showed that only 48 per cent had any data encryption software in use, and evidently things haven't changed much since that time."

Bill Beverley, security technology manager, F5 Networks:
"This is nothing less than shambolic. The government and its agencies should be a shining example in the treatment of sensitive and personal data for individuals. This loss of data, compounded by the fact that it was unencrypted, proves that security is not being taken seriously enough. How many more instances must we see before effective changes are made?

"This simple error could have been avoided if there was a security mandate in place to ensure best practices were in place and adhered to. Guidance measures such as the PCI directive - aimed at the credit industry - are successful because they a) provide effective and comprehensive methodology to protect data and b) they are enforced.

"Similar controls aimed at personal data held by public bodies should be introduced and enforced, especially if they were linked to immediate disclosure requirements like those originating in California in recent years. This would bring about a dramatic reduction in the incidence of data loss."

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

Greg Day, security analyst, McAfee:
"This latest data loss incident clearly highlights the challenge for businesses when sharing sensitive information with third parties, whether that data is being transferred electronically by email or carried around on storage devices such as USB sticks. Today, many organisations are still struggling to get a handle on their own data security practices, but as this example has again highlighted, they need to rise to the challenges relating to the sharing of information with third parties and understand their responsibilities resulting from such practices.

"It seems that a number of businesses are still catching up with their security procedures in order to bring themselves in line with data protection legislation. Recent amendments to data loss law, stating that anyone who 'intentionally or recklessly discloses information' can face legal action, make this even more pressing for UK businesses. This latest loss of information illustrates again that these issues need to be addressed sooner rather than later, in order to avoid any further embarrassments and to protect those people whose details may be at risk. Had the data on the memory stick been encrypted, its loss would have posed no risk. As a result of insufficient security procedures, this information could provide valuable information to those who may misuse it."

Andrew Clarke, senior VP, international, Lumension Security:
"Whilst human error or malicious intent is always a possibility, the only way to prevent data loss from removable devices is to take control of inbound and outbound data from all endpoints, and encrypt all data during transmission. It is about putting the eyes of the management team on people's PCs. After all, if people know they are being watched, they are more likely to think again.

"Where extremely sensitive data is at stake, the government needs to put in place procedures to ensure a comprehensive audit trail of all data is implemented, regardless of whether data is being moved by internal or external staff. It is imperative that device control policies are established that enforce assigned permissions to individuals and devices."

Gary Clark, VP EMEA, SafeNet:
"All too often, individual data security breaches are indicative of weaknesses in a security policy. Certainly the multiple breaches experienced by the government suggest that all is not right. A piecemeal response to data leaks, and dealing with problems on a case-by-case basis, is not going to cover all security threats."