(((This situation is pretty rich. You can't give low-level clerks documentation on how to "share information safely," because this immediately informs them on how to steal information effectively. So, you know, you just tell them to get the data over there somehow, so naturally they rip mix and burn a couple CD's and pop them into the post.)))
(((I really don't see a path out of this SNAFU, unless you want only ministers cleared for high-security briefings to act as their own secretaries, in which case nobody will ever tell anybody anything. I'm thinking maybe this clerk is an unsung hero for insisting on actually getting the public's work done.)))
–Data Security Procedures Not Shared with Junior HMRC Staff
(December 15 & 17, 2007)
In an ironic twist in the HM Revenue & Customs data loss case, information about how to share information safely was kept from junior staff because it was believed that the manual contained too much sensitive information to be widely distributed. Following the presentation of an interim report on the HMRC data loss, Chancellor of the Exchequer Alistair Darling said that the department needs to establish "clearer lines of responsibility for data."
http://politics.guardian.co.uk/homeaffairs/story/0,,2227999,00.html?gusrc=rss&feed=networkfront
[Guest Editor's Note (Stephen Hall): These two stories under homeland security were compounded yesterday by a third data loss by the UK.
Details here : http://news.bbc.co.uk/1/hi/uk_politics/7147715.stm
It is being downplayed as "not as serious" as the HMRC report. However the information contained on the disk drive is perfect for fishing further information.]
(((Don't think you're any better off, Ireland:)))
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
–Lost CDs Hold Northern Ireland DVLA Data
(December 11, 2007)
Two CDs lost in the mail contain personally identifiable information of approximately 6,000 Northern Ireland residents. The unencrypted data include names and addresses of the people as well as the registration numbers, chassis numbers and makes and color of their cars. The CDs were being sent from the Northern Ireland Driver and Vehicle Agency to the UK's main Driver and Vehicle Licensing Agency (DVLA). The agency has sent letters to those affected by the data loss. The data were sent in response to a safety recall for certain automobiles.
http://www.theregister.co.uk/2007/12/11/driver_data_discs_disaster/print.html http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7138408.stm
[Editor's Note (Honan): It is staggering that within a month of the UK
Revenue & Customs Service losing two CDs in the post containing data on
25 million people that the Northern Ireland DVLA repeat the same mistakes. Learning from security incidents, whether the incidents are in your own organisation or in others', is valuable in helping improve your information security. ]
(((I'd be guessing the low-level clerks all learned from their bosses' "mistakes" that the only way to communicate with computers is to mail plastic disks. I wonder how much money a bent postal clerk could make these days just opening public mail, copying disks and sending them right along.)))
