What we learned: Our lords and masters don't want us to use encryption.
HMRC and the missing child benefit records
Meanwhile another government department, Her Majesty's Revenue and Customs, has managed to lose two discs (the type of disc has not been stated) containing the details of over 7 million households in receipt of child benefit * - names, addresses, national insurance numbers, dates of birth and bank account details of up to 25 million people - a cockup of quite staggering proportions.
The discs were said to have been sent in the internal mail from HMRC to the National Audit Office, though why this was necessary is unclear.
In my mind this raises two questions:
What we learned: Our lords and masters are leading by example in eschewing effective security practices.
* Including mine
Category: Infosec
Technorati: Child+Benefit Encryption HMRC RIPA Sneakernet
1. Conrad Longmore, 21/11/2007 09:45:00
Homepage: http://www.dynamoo.com/
There are various reports of the discs being "password protected" and also of there being two CDs.
So, password protection does imply some sort of encryption but NOT necessarily STRONG encryption. Most desktop applications only have pretty weak encryption, usually breakable quickly with tools you can download off the interweb.
Assuming that it is two CDs (rather than DVDs or some other media) then a guesstimate is that you're looking at 1GB of data or so. That's actually quite a lot; that's enough to max out a 2 Mbps WAN connection for a couple of hours, so it's not completely unreasonable in "normal circumstances" that you might choose the sneakernet approach. After all, the effective bandwidth of putting something in the post can be really quite impressive.
So, it's not hard to see how it happened. Yes, it was a stupid thing to do, but probably everyone working in IT has moved commercially sensitive data around in this manner before. Backup tapes? Laptop drives?
2. Chris Linfoot, 21/11/2007 12:06:53
It was more than a stupid thing to do - it demonstrates a fundamental hole in data protection policies at HMRC. This may well end up being a criminal matter. Richard Thomas (Information Commissioner) was on the Today Programme talking about this just this morning.
You can excuse or explain it away from a technical perspective if you want.
- There was a lot of data (only 100 bytes of data each for about 25 million people would still be 2.3GB of data), so perhaps that excuses the use of sneakernet - although the GSI has a lot more than 2 Mbps.
- There may have been some rudimentary security used (I very seriously doubt it actually) but, if there was, then the password was written down on a post-it note shipped in the same jiffy bag.
- We've all done that? - Well I haven't ever actually allowed entire databases containing personal information to be moved around outside of my complete control. Yes, individual bits of sensitive data do get carried around on laptops and BlackBerries but these are of very little use in isolation. OTOH a list of names, addresses, dates of birth, NI numbers and bank account numbers is sufficient to enable identity theft on an unprecedented scale.
The question which must be answered here is simply this - what failure of governance or security led to an intern or similar junior employee physically being able to pull off this bone headed stunt in the first place?
Heads must roll (at least one already has) and, if this is as safe as personal data gets in government hands, then we have just been handed the single most compelling argument against ID cards. Ever.
3. Conrad Longmore, 23/11/2007 09:05:33
Homepage: http://www.dynamoo.com/
Oh yes, I've definitely never put 25 million bits of personal information in the post! But every organisation has data which is just as important to that organisation, no matter how large or small.
Remember though that this fuss is about discs (either CDs or DVDs I guess) which the press can understand, but there have been a lot of cases where backup tapes have gone missing. Getting backup tapes to an offsite location poses the same problems. Do you send them by courier? (They could get lost!) Do you take them yourself? (Your car could get broken into.) Do you send round an armoured van? (Who's going to pay for it?) Do you decide not to take the tapes off site? (Remember Buncefield?) Sure, you can encrypt the data on the tapes, but just how secure is it? And data encryption and data longevity are often mutually incompatible.
There is, perhaps, a window of opportunity for IT professionals to review the physical handling of sensitive data while budget holders are receptive. If your boss is moaning about the letter he gets from HMRC and starts to complain about how stupid they were, you could always remind him that his laptop is also vulnerable and perhaps it's time to spend some money?