
Missing CDs in GB with personal details of 25 million people

  • 20-11-2007 9:48pm
    #1
    Closed Accounts Posts: 2,055 ✭✭✭


    Names, addresses, dates of birth, bank account details, ID numbers. A potential bonanza for bank card thieves, card fraud, mortgage fraud, etc etc. Conveniently available on CD.

    “Just a few questions to verify your identity Miss Smith – what is your postcode please? And your year of birth? Which branch is your bank account at?” Thank you Miss Smith. Now what can we do for you today?.....

    At least the British government was honest enough to publicise the issue. Laptops and media containing large amounts of sensitive personal confidential information go missing in the rest of Europe, and the issue is generally swept under the carpet – with the victims of identity theft left with an uphill battle to regain their credit rating, savings, good name, etc.

    Is it not time that the time-wasting bureaucrats in Brussels issued a directive obliging companies and government agencies that know or suspect that personal data may have got into the wild to make an immediate and full disclosure in writing of the known facts to the victims? As is the case in California? And make entities who allow employees or others to download datasets of personal information regarding individuals or companies to their laptops (or other media) liable for all costs and damage incurred by the victims of data theft with minimal requirements as to proof etc? With similar regulations applying to companies who permit the same type of data to be accessible via the internet or any other form of online connection without adequate and effective safeguards (ie a total brick wall) to prevent theft of information?


    .probe


    Point-by-point: Darling statement
    Chancellor Alistair Darling has been making a statement to MPs about the loss of confidential details of 15m child benefit recipients.
    • Mr Darling said earlier this year a junior official within HMRC provided a full copy of the details to the National Audit Office - which he said did not follow strict security rules and rules about its transit
    • He said the information should not have been handed over by HMRC as it was. But the NAO had returned all the information in March.
    • He said it now appears that at a junior level, in October, two password protected discs containing a full copy of HMRC's entire data in relation to the payment of the child benefit were sent to the NAO.
    • He said the package was not recorded, and it appeared it had not arrived at the NAO.
    • A further package was then sent, by recorded post, which did arrive, but Mr Darling said that should not have happened.
    • He said he was informed on Saturday 10th November and asked for an immediate investigation and for steps to be taken to stop it happening again.
    • He said by Wednesday 14 November it was clear the HMRC searches had failed to find the missing package, and he called in the police to find the missing package.
    • Mr Darling said inquiries were continuing, staff have been interviewed, but the information had not been found.
    • He said there was no evidence it had been used for fraudulent activity.
    • The missing information contains details of 25m individuals, 7.25m families - including children's names, addresses, dates of birth, NI numbers and where relevant bank and building society account details.
    • He said it was important to make sure the appropriate safeguards were in place before publicising the information and said the banks had been adamant they had sufficient time before a statement was made.
    • He said he sought advice from the FSA, serious organised crime agency and others.
    • He said bank associations had been informed, individual institutions were monitoring accounts to look out for unusual activity, and they were tracking back transactions on affected accounts and had as yet found "no evidence of unusual activity".
    • If someone was an innocent victim of fraud, he said they would have protection under the banking code and would not suffer any financial loss.
    • He said the missing data in itself was not enough for people to access people's bank accounts as passwords and other information would be needed, but admitted there was an "increased risk" and said people should keep an eye on their accounts and not give out personal details requested unexpectedly by phone.
    • He said the police investigation continues, but there was likely to be an Independent Police Complaints Commission inquiry as it has responsibility for HMRC.
    • It was "highly likely" there have been breaches of the Data Protection Act, he said.
    • The National Audit Office was also reviewing the way it requests information.
    • "No one will suffer any loss if they are innocent victims of fraud," he said.
    • For the Conservatives, George Osborne said half the country would be anxious about the safety of their family and their bank accounts.
    • He asked what contingency plans had been drawn up with police if it becomes clear details have fallen into the wrong hands.
    • He asked what steps had been taken to prepare for any "potential financial instability" owing to people being worried about their bank accounts.
    • He asked where liability rests, if money was taken.
    • "This is now the third and most serious breach by HMRC this year," he said, and asked when the chancellor knew security protocols in his department were "absolutely worthless".
    • He asked for confirmation that the police were investigating the individual responsible for sending the disc, and his or her superiors.
    • He asked whether it was a "final blow" to the ID card scheme, saying the government "simply cannot be trusted with people's information".
    • He said it had compromised the security and safety of "every family in the land" and told Mr Darling to "get a grip and deliver a basic level of competence".
    • Mr Darling agreed the way it had been handled was "inexcusable" and said there was no excuse for breaching laid down procedures.
    • Mr Darling said the banks had put in place all the precautions they reasonably could and said the police would not want him to speculate on what they would do if a crime were to take place but police were "addressing" the risks.
    • He said he had been told there was "every chance" the discs might be recovered during searches - but when it became clear that would not happen he called in the police.
    • He said the banks asked him to give them time to put in place the necessary protections before making a statement.
    • On ID cards he said the key thing was that information was protected by biometric information, while at the moment information was "much more vulnerable" than it should be.
    • He said it was a "deeply regrettable" incident which should never have happened and he was doing everything possible to put it right.
    • Liberal Democrat acting leader Vincent Cable asked how many unencrypted CDs were being sent around government at the moment.
    • He asked why information was being transmitted through CDs, not electronically and was it because of the "ancient IT systems" used by HMRC.
    • And he asked if half of the problem wasn't due to the 25,000 job losses in HMRC. "Clearly if officials are being asked to do more and more with fewer staff then mistakes will be made".
    • He said Mr Gray had resigned "as a matter of honour" - and said Treasury officials were reluctant to do so - adding: "Where does the buck stop in this government?"
    • Mr Darling agreed the information should not have been downloaded and sent in the way that it was.
    • He said the key problem was HMRC had clear instructions and rules in relation to downloading and transmitting information, but in this case the individuals concerned had ignored them.
    • "That shouldn't have happened, and that's what we need to put right," he said.
    • The Conservative chairman of the public accounts committee Edward Leigh, said the auditor general had asked for bank account numbers and personal details to be removed before the information was sent to the National Audit Office.
    • He said there was "no doubt" the information never arrived, and the NAO should not be blamed adding: "This is criminally irresponsible behaviour on the part of a department (HMRC) which once had an unimpeachable reputation."
    • But Labour MP Sion Simon said it was a "random act" that could have happened under any government and the real test was how the government responded to it.
    • Labour MP John McDonnell said it was clear Mr Darling had taken action as soon as he had been aware of the mistake, but asked Mr Darling to meet with the PCS trade unions to discuss concerns about the job cuts at the HMRC.
    • The Conservative former minister Peter Lilley described it as "calamitous breach of privacy".
    • Labour MP Anne Snelgrove said a "good balance" had been struck, in the time given to allow banks to prepare, and that to inform the House of Commons.
    • But Conservative MP Michael Fallon, a member of the Treasury select committee asked, if the chancellor knew on 10 November, when did he inform the banks and why did he "dither" for 4 days before alerting the police.
    • Mr Darling replied that he had immediately asked for a thorough search by trained Customs officials, who are experienced in that type of search. On Monday 12 November people were "optimistic" the package would be found, but by Wednesday it was clear that wouldn't happen, so police were called in.
    • He also said the banks had asked for time to put in place "proper defences" before it was made public and he had discussed his decision with the Information Commissioner. He said he believed he had struck the right balance between informing the House of Commons and protecting the public.
    • Labour MP Mike Hall asked whether the NAO's original request had been compliant with the Data Protection Act.
    • Mr Darling said it had yet to be established who was involved at what level, what was asked for and how it was responded to. He said Sir John Bourn, the current NAO auditor general, said he would review what sort of information was being requested by the NAO.

    http://news.bbc.co.uk/1/hi/uk_politics/7104115.stm


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 94,296 Mod ✭✭✭✭Capt'n Midnight


    How were the disks password protected ?

    was it the IDE password on the drive which means the data is recoverable with the right equipment like a clean room

    or was the data encrypted on the drive ?
    and if so what sort of encryption was used ?


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Capt'n Midnight wrote: »
    How were the disks password protected ?

    was it the IDE password on the drive which means the data is recoverable with the right equipment like a clean room

    or was the data encrypted on the drive ?
    and if so what sort of encryption was used ?
    The big question! A Scottish newspaper article implies that they were just Zipped with a password.

    http://www.sundayherald.com/news/heraldnews/display.var.1857709.0.countdown_to_a_catastrophe.php

    Lots of unzippers around: http://www.downloadjunction.com/product/software/91874/index.html


    .probe


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 94,296 Mod ✭✭✭✭Capt'n Midnight


    Even if it wasn't something trivial like zip you could rent a botnet. 100,000 computers are faster than 1

    The other thing to remember is the time value of information. Stock market quotes are freely available after 15 minutes. Details that don't change like these should be protected for life. Even if it took 50 years to break the encryption some of the information contained could still be useful. And in 50 years time computers will be far more powerful than today. Even if we reach a physical limit on the speed and number of processors I'd predict that the real cost will continue to drop. But for the next decade or so we'll see processing power go up by a factor of 100.


  • Registered Users, Registered Users 2 Posts: 786 ✭✭✭voodoo


    they were definitely not encrypted anyway... one serious question needs to be asked, well two -

    Why wasn't it encrypted
    Why did this junior person have access to this data


  • Registered Users, Registered Users 2 Posts: 37,315 ✭✭✭✭the_syco


    A classroom equipped with XP, 3GHz processors, and 1GB of RAM would tear such a password down in less than a year.

    And I'm being generous with the year.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    the_syco wrote: »
    A classroom equipped with XP, 3GHz processors, and 1GB of RAM would tear such a password down in less than a year.

    And I'm being generous with the year.

    A good ZIP password cracker does it in less than 30 min, even with a 20-digit password.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    it depends on what encryption was used..
    more recent versions of winzip use PBKDF (1000 rounds of HMAC-SHA1) with 128 / 256-bit AES.
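    The key-stretching step Martyr describes, as an added example in Python (standard library only). This is not code from the thread, from WinZip or from HMRC; it shows what running a password through 1000 rounds of HMAC-SHA1 (the PBKDF2 construction) does before it becomes a 128- or 256-bit AES key, and why every extra round raises the cost of each password guess by the same amount it costs the legitimate user. The salt value, the benchmark passwords and the function names are assumptions made for the example.

```python
"""Added example, not code from this thread or from WinZip itself.

Demonstrates PBKDF2-HMAC-SHA1 key derivation with the 1000-round count
quoted in the post, using only the Python standard library.
"""
import hashlib
import time

HASH_NAME = "sha1"
WINZIP_ROUNDS = 1000  # iteration count quoted in the post

# Constructed salt for the example; a real archive stores a random salt per entry.
EXAMPLE_SALT = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6d7e8f9")


def pbkdf2_sha1(password: str, salt: bytes, rounds: int, dklen: int) -> bytes:
    """Generic PBKDF2-HMAC-SHA1 (RFC 2898) from the standard library."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds, dklen=dklen)


def derive_aes_key(password: str, salt: bytes, key_bits: int = 256,
                   rounds: int = WINZIP_ROUNDS) -> bytes:
    """Derive a 128- or 256-bit AES key from a password the way the post describes."""
    if key_bits not in (128, 256):
        raise ValueError("AES key size must be 128 or 256 bits")
    return pbkdf2_sha1(password, salt, rounds, key_bits // 8)


def derivation_cost(rounds: int, samples: int = 20) -> float:
    """Average seconds for one derivation at the given round count on this machine.

    The attacker guessing passwords pays this same cost per guess, so the
    round count is the knob that makes brute force slower without changing
    the user's password.
    """
    start = time.perf_counter()
    for i in range(samples):
        derive_aes_key(f"benchmark-{i}", EXAMPLE_SALT, rounds=rounds)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    key = derive_aes_key("correct horse battery staple", EXAMPLE_SALT)
    print("256-bit key:", key.hex())
    # Same password and salt give the same key; a different salt gives a different key,
    # so precomputed tables for one archive do not carry over to another.
    assert key == derive_aes_key("correct horse battery staple", EXAMPLE_SALT)
    assert key != derive_aes_key("correct horse battery staple", b"\x00" * 16)
    for rounds in (1, WINZIP_ROUNDS, 100_000):
        print(f"{rounds:>7} rounds: {derivation_cost(rounds) * 1e6:9.1f} us per derivation")
```

    The test vectors a practitioner would check this against are the published RFC 6070 PBKDF2-HMAC-SHA1 vectors ("password"/"salt", 1 and 2 iterations, 20-byte output); the benchmark loop at the bottom makes the linear relationship between round count and per-guess cost visible on whatever machine runs it.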


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Anyone who has been able to get their hands on a copy of the missing CDs (presumably they mean DVDs in the context of data on 25 million people) and the stolen card data reported in the Murdoch Times article, will be able to do serious damage to the payment system in that country.

    'Neil Munroe, the director of the credit reference agency Equifax and an expert on internet fraud, said that the depth of information obtained by The Times was greater than he had ever seen. “The detail you have got is very disturbing,” he said. “Normally we only see credit card numbers coming up but you have got e-mails, addresses, security and PINs. Everything. It is very scary.”'

    more.... http://www.timesonline.co.uk/tol/news/uk/article2988471.ece

    .probe


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    @probe

    I'd be more interested in how the judge and director lost all those details..or gave them away. ;)


  • Closed Accounts Posts: 68 ✭✭numbnuts


    Martyr wrote: »
    @probe

    I'd be more interested in how the judge and director lost all those details..or gave them away. ;)

    Well, maybe they had an escort for the night showing them the sights round town.:D

    Handed the card over for a Big Mac and then got screwed..

    in more ways than one ..:)
    The bank details of Robert Seabrook, QC, a deputy judge and former chairman of the Bar Council, were also freely available. He, too, described the breach as terrifying. “I am profoundly concerned,” he said. “One reads about the anxieties of data in the public domain but it is disconcerting to hear something so personal being available. If you can get this sort of thing for free who knows what is below the water line?”

    Titanic springs to mind ..


    numbnuts..;)

