Is Data Loss an Epidemic?
By Information Security Group (ISG), Royal Holloway in Industry
Posted in Security on
In November last year, the Department of Work and Pensions disclosed that it had lost computer media containing the details of millions of people who were entitled to child benefit, whilst the media was in the process of being sent to the National Audit Office. Worse still, those details included claimants' personal bank identifiers. Despite investigations, at the time of writing this material had not been recovered and nobody knew where it was, or who had access to it. Worse, it was reported that the data was not encrypted. Well, mishaps occur, but in terms of information security, questions arise on precedent and procedure. As this was discussed in answer to a parliamentary question, the matter quickly became public knowledge, became the focus of media attention and left many families with cause for concern regarding the vulnerability of their financial assets.

But is this the first time this has happened? Just by looking back six months to April 2007, we can see from reported worldwide incidents that data loss and disclosure from government departments and large organisations is not something new. Look at these:
April 2007
- USA – Bank of America – social security numbers of employees lost through theft of a laptop.
- New Zealand – Inland Revenue – an audit discovered loss of 106 laptops containing customer data.
- USA – Dept. of Agriculture – loss of data of 38,000 individuals receiving farm subsidies.
- UK – Dept. of Health – data loss of details of hundreds of junior doctors.
- USA – New York Special Funds Committee – laptop lost with details of 540,000 individuals.
May 2007
- USA – Louisiana State University – laptop lost with details of 750 students.
- USA – Maryland Dept. of Natural Resources – thumb drive lost with details of 1,400 Police and Rangers.
- UK – Royal Cornwall Hospital – computer loss with details of 5,000 staff.
- USA – Virginia Dept. of the Ageing – hard drive loss with details of 40,000 people.
- UK – Marks & Spencer – laptop loss with details of 26,000 staff on pension plans.
June 2007
- UK – Bank of Scotland – computer disc loss with details of 62,000 customers.
- USA – Texas Police – laptop stolen with details of 97,000 employees.
- UK – Accountancy firm Moorepay – laptop stolen with details on Prince Charles & his estate.
- USA – Bowling Green University – loss of flash drive with details of 18,000 students.
July 2007
- USA – Transport Security Administration – loss of hard drive with details of 100,000 employees.
October 2007
- UK – HM Revenue & Customs – laptop stolen with financial details of 400 people.
November 2007
- UK – HM Revenue & Customs – loss of CD with details of 15,000 pension policy holders.
Following the child benefit loss, in January 2008 the Ministry of Defence admitted the theft of a laptop containing details of military personnel. It just never seems to stop…
We do not need to postulate on Cartesian rationalism to understand that, despite all the technical advances in information security, it is the basic and fundamental security measures that are being disregarded. Is it a lack of information security policies? Hardly. CESG (The National Technical Authority for Information Assurance) provides guidelines and policies and implements standards across all UK government departments, and must be wondering where things are going wrong.
Like so many things it is not the knowing, but the doing, that matters in the end.
John Austen

