Sunday, August 24, 2008

25 Million Green Bottles Redux

Uhoh. More data has been lost. When it happened the first time (the first BIG time anyway) I suggested the following:200808241944.jpg

1. All of the processes around access to patient, customer, taxpayer, citizen etc data in every department, agency, non-departmental public body and local authority are going to go through a rapid review. New standards will be enforced: senior management sign-off, dual control (keys round the neck and everything), IT supplier held accountable for where data is put and so on. This will take time and still things will be missed and it will happen again - let's not hope that it's on this scale, but it will happen again.

* Lock down data exchange now. People come to the data, not the data to the people. Until better processes are in place, this should stop the problem from getting worse.

2. All staff should be taught the "green cross code" of using computers. The very basics need to be re-taught. For that matter, the code should be taught at schools, colleges and libraries.

3. The spooks should lead a review of deploying encryption technology to departments holding individual data so that all correspondence is encrypted automatically in transit using appropriate levels of protection for the job. This will be expensive. The alternative though is to make encryption optional - but because you can choose, sometimes people will choose not to (because it's too slow or something) and the problem will recur.

4. Systems being architected now and those to be architected in the future will look at what data they really need to hold and for how long and will, wherever possible, make transient use of data held elsewhere. The mother of all ID databases would be a good place to start.

They still seem like good suggestions, especially the one highlighted in bold. This isn't done yet. Not in the UK and not anywhere else. It may be that the UK is getting the news stories now, but that's because we rarely hear about those events in other countries.

This site,,Privacy Rights, chronicles more data losses than any other site I've yet seen, including those in the USA, the UK and somtimes other countries. It's not pretty - over 230,000,000 individual records, in the USA alone, lost, stolen, fraudulently obtained or otherwise maladministered since January 2005.

As if to reinforce the "It will happen again, to governments and companies alike" refrain, today's newspapers bring the story of Best Western Hotels and their IT systems being hacked - with the loss of 8 million guest records. If you've stayed in such a hotel in the last 12 months, you're vulnerable. The press are saying "The details, which included home addresses, phone numbers, place of employment and credit card details, were sold on through an underground network controlled by the Russian Mafia." Intriguingly, most of the press claim that the person at the heart of this heist was an Indian hacker, I can already hear those against off-shoring re-rehearsing their arguments.

Information Week has correspondence from Best Western refuting the more sensational claims in the press. I wouldn't take these protestations as a sign that you shouldn't worry

No comments:

Post a Comment