Friday, 7 December 2007

UK Government InfoSec is Systemically Broken

I don't really like knocking my own government, but their approach to protecting our personal information is like that of a banana republic.

This week another government department, namely the Driver and Vehicle Licensing Agency (DVLA), posted over 100 questionnaires holding people's details, including their dates of birth and "Motoring Offence History", to the wrong addresses. The DVLA said it was caused by human error, as if to say that makes this breach acceptable. So this is another government violation of the government's own Data Protection Act; however, it is pretty pointless fining these government departments, isn't it, as it would be like fining yourself. There is just no "stick" to push information security in these organisations. It's not like the private sector, where companies are heavily fined and breach publicity has a serious impact on a business brand, which is always important in competitive marketplaces. In my view there definitely needs to be a "big stick" from the top down to drive good security practice and culture within these organisations; otherwise no one will be bothered or have the time.

Meanwhile the acting head of the HMRC said there had been seven incidents of "some significance" involving data security breaches since April 2005. I thought that sounded a bit dodgy, as just who is deciding whether an incident was significant or not, and how many minor incidents are there? Again I think this underlines the need for disclosure laws in the UK (no, they don't have to tell us about these data breaches), or even a disclosure policy for government departments would be a good start.

While on the subject of HMRC, a reward of £20,000 is being offered for the return of two lost CDs containing the personal details of 25 million people. The Liberal Democrats valued the data on the CDs at £1.5 billion the other day, so it's not much of a reward, is it? I mean, a good fraudster could pilfer £20,000 out of just one record, let alone 25 million records.

I think there needs to be a major shake-up and "investment" in how the government secures our private information. I think there is an appetite for this at the moment; I just hope it doesn't waver away as the media move on to other stories. After speaking to and advising many people about these incidents, it is clear they have severely shaken any confidence most UK folk have in the government and the civil service; even I have changed my viewpoint on national ID cards. Meanwhile on the politics front, the opposition parties are having a field day with the government of the day, but I'm not so sure these incidents wouldn't happen under their governments anyway.

1 comment:

Anonymous said...

This is a very good article; shockingly, it's just the tip of the iceberg. Thousands of NI numbers were stolen and used by internal theft, which has been a big cover-up, and three years later the public have been kept in the dark.
It's also so easy to obtain COMPLETE family/couple details: NI, FULL NAMES / ADDRESSES / TEL / MOB / WORK HISTORY / BANK DETAILS / CHILDREN / EX PARTNERS / DOBs and more. It only takes one corrupt postal worker (or several). Fact: many customer statements go missing, a huge amount in fact.