AOH :: ISNQ4859.HTM

Security expert's data alert went unheeded




Security expert's data alert went unheeded
Security expert's data alert went unheeded



http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/11/25/ncustoms625.xml 

By Andrew Alderson
Chief Reporter
25/11/2007

The Government failed to heed warnings that would have averted last 
week's fiasco involving HM Revenue and Customs (HMRC), it can be 
disclosed.

The concerns were raised two years ago by Dr Mark Walport, who 
ironically was asked by Gordon Brown last month to head a six-month 
review on the use of personal information.

The security expert co-authored a report for the Council for Science and 
Technology, an independent government advisory body, which warned that 
departments needed to "streamline data protection protocols" and improve 
security.

The 37-page report, published in November 2005, was commissioned by the 
Government for Tony Blair. It correctly predicted that the unauthorised 
use of personal data would "damage [the] government's reputation with 
political ramifications".

Last week, the warnings came back to haunt the Government as it was 
revealed that HMRC had lost two CDs containing sensitive personal 
details of 25 million people. In an interview with this newspaper, Dr 
Walport described last week's disclosure as "a disaster".

The report, called Better use of personal information: opportunities and 
risks, said:

* Sensitive data should be encrypted to make it more secure;

* New systems, or filters, should be introduced to enable data to be 
  released selectively;

* An independent watchdog should monitor security procedures;

* Stiff penalties should be meted out to those who failed to comply with 
  legal safeguards.

The data on the two missing discs sent from the HMRC office in 
Washington, Tyne and Wear, was not encrypted: it was simply protected by 
a password that experts say could easily be worked out by a computer 
hacker.

The lack of "filters" on the data also meant the HMRC sent out sensitive 
information including parents' addresses and bank accounts even though 
they were not requested by the National Audit Office, the body to which 
the discs were sent but failed to arrive.

Richard Thomas, the Information Commissioner, complained last week that 
his body did not have enough powers, including the ability to carry out 
spot checks on government departments. He also called for reckless 
security breaches to be a criminal offence echoing Dr Walport's earlier 
urgings.

Dr Walport, who is now director of the Wellcome Trust, a charity funding 
health research, said: "This has been a disaster, frankly. The 
responsibility of holding this [sensitive] data means there need to be 
extraordinarily careful processes to make sure that disasters like this 
don't occur."

Dr Walport, 54, who along with Mr Thomas will deliver the new report 
next year, said "common sense" suggested that it was wrong for a junior 
official to be able to gain access to so much sensitive information so 
easily. "When things like this happen, it is rarely down to a single 
individual. It is much more down to processes," he said.

"We need to design systems which minimise the risk of human failure 
because there isn't one of us who isn't fallible. We can all make 
mistakes. It is about having the right processes in place to minimise 
the risk of human error."

Dr Walport said there were great benefits from data sharing, but that 
computerisation, with its ability to store large amounts of data in a 
compact fashion, increased the risk of data loss.


__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/ 

Site design & layout copyright © 1986-2014 CodeGods