The Glass Box for Tuesday
is the place to comment on the content of tonight's programme.
Post categories: PM Glass Box
Eddie Mair | 16:18 UK time, Tuesday, 20 November 2007
Listening to the HMRC fallout. Not good is it?
COCKUP IN A HENHOUSE
How fortunate our politicians have been rushing abroad to guide the simple foreigners BEFORE it became apparent that they cannot run a cockup in a henhouse! Any minute now, the foreigners might stop listening to us, and then where will our worthies find credibility?
Gobsmacked doesn't cover it.
So......another personal data security triumph.
A big well done to everyone involved in this one.
It reinforces my faith in the golden IT future that we're all constantly told about.
I, for one, can't wait....
Is it me or did Alistair Darling make a complete mess of transport and now he's running the country's finances??? I am not surprised the Northern Rock and now the HMRC debacle have happened on his watch - anyone else out there agree??
Ask the policeman from ACPO if cannabis is more dangerous than alcohol. It isn't, which is why it was reclassified.
Then ask him to give a rational reason why cannabis should now be made more illegal. Why should people be threatened with prison for doing something relatively safe?
Absolutely astonishing and lost for words.
Wow! What a stonker of a programme (for unfortunate reasons, often, admittedly).
I'm as disgusted as other correspondents by the HMRC fiasco.
And glad I decided against internet banking. Nothing is safe. Is it?
{Hides, gibbering, under table}
A nail in the coffin for the ID card scheme, I would have thought. It's not exactly a ringing endorsement for the private courier either, is it?
I think Big Brother's dropped the ball.
oops it's not really Alistair Darling just got his details in the post
Ah
It is and I am
If you get my drift!
I distinctly heard Mr Darling say that the disks were password protected, and yet I haven’t heard any of the news reports or news summaries make reference to this fact. Surely it makes all the difference?
Absolutely massive incompetence has been the trademark of New Labour. Their insistence that IT projects will bring major benefits and that confidential records are absolutely secure have now been laid to rest as complete bollocks.
ID cards can no longer be considered and every time Gordon, Alistair or any other of these jerks says how systems are going to be improved, we all ought to be taking them out of their safe Westminster environment and taking them to the front line in Basra for a bonding session.
Dr Hackenbush @ 11, I'm afraid that the difference is that instead of taking thirty seconds to access the material, it will probably take a whole minute, if the person doing it is a competent crook. If s/he is incompetent, possibly a little longer, on the phone finding a mate with the right know-how.
Heavens, it took the CIA only about a day to crack the Al Qaida computer-stuff wide open, and that was because they had to wait till their little brothers had finished school for the day and could come over and sort it.
HMRC aren't the only ones losing data. Back in February, a contractor working for Worcestershire County Council managed to lose a laptop containing payroll details for all County staff, and I'm sure other councils have mislaid USB Flash Drives containing similar data. In the Worcestershire case the details were held in a password protected file. Having seen what many school staff use as passwords, that's no guarantee of safety ("password" and dates of birth are common). As for encryption, as others have stated in the HMRC thread, it would be helpful to know which encryption algorithms are commonly used - the US DES has been shown to be pathetic, whereas RC5-64 is significantly harder to crack (just ask participants in the RSA code-cracking challenge at distributed.net).
-oOo-
Meanwhile, I always thought "Andrex" was a yellow labrador puppy, in the same way that "Dulux" was an old english sheepdog...
But a 3 week old piglet in Ilkeston?
Anyway, I suppose it makes a change for Tesco to get some good PR...
-oOo-
And is it my imagination or is the blog working this evening?
Chris - you may well be right, but that doesn’t change the way the media have reported this, namely without the info I mention.
Can today’s news start a trend? ‘Minor’ staff members in important organisations making sizeable mistakes in the hope that the big boss has to take the fall?
Am I the only one who thought the HMRC lost discs article far too long, ill focussed and overdramatised? My bank account details are on every cheque I send out. My NI no. has nothing to do with it, nor my child's info. - so not sure how my bank account is any less safe than ever. While screeching over this, round in circles, there is a world of issues being missed out there - including the vast amounts of our money paid to private companies (IT/couriers, in this case) who seem to be allowed to screw up without penalty. Eddie, know when enough said is enough - and wait to say more when there is something to say. Do you ever wonder, when sidetracked to act like a terrier with a story, if it is THEM that want you to waste more time than needed, as they are covering something else up?
Mittfh (14) It's your imagination, but keep it up!
mittfh, we don't even know what format the files were sent in. My guess, probably Excel spreadsheet.
Excel 2007 uses AES encryption, which is fairly strong so might take a while to break. I think Excel 2005 and earlier use RC4 which is rather easier to break. Of course this all depends on how much computing power you can throw at it - if it fell into organised crime hands (eg. Russian mafia), they could exploit a botnet of potentially thousands of computers.
Regardless, this is incredibly sloppy. They sent the discs through a courier, without it being recorded delivery? I recently had to collect a CD of customer information - a) it was a small sample and b) I made damn sure it was on my person at all times until I got back to the office and put it under lock and key. I would certainly not have entrusted it to a third party.
My questions:
1) What information (and how much information) did the NAO request?
2) If the NAO wanted all of the records, why? Has this been done in the past, and if so, how was the data transfer done?
3) If the NAO only wanted a sample, why were all the records extracted?
4) Who in HMRC obtained this information? Was it obtained through a secure report, or through a custom job run by the IT dept?
5) Would "junior officials" typically have access to all this data?
6) I assume that both HMRC and the NAO are part of the government secure intranet. How easy is it to transfer large amounts of data between departments - e.g. are the procedures to set up a secure FTP server so complicated that someone said "oh, that's too much bother, just send a CD over"? It is entirely possible that if security procedures are too complicated, people will just find ways around them.
7) Who else has been doing this? Someone on the SpyBlog website turned up this little nugget: . (Note that the Audit Commission is not the same as the National Audit Office. The Audit Commission is responsible for local government, the NAO for central gov.)
For anyone interested, look what can happen on a day when the markets are "up".
hint: Look at the volume figures.
lalalalalala
ed
Lucy: Dance, dance, dance. That is all you ever do. Can't you be serious for once?
Snoopy: She is right! I think I had better think of the more important things in life!
(pause)
Tomorrow!!
Barbara Lloyd @ 16 - I'm afraid I completely disagree with you. I think a story of this magnitude warranted the coverage it was given. And I think it was well balanced, factual and informative. The potential ramifications from this loss of data are huge and the public should be informed on the steps they should take.
However, I am curious to know what kind of disks these were, 25 million records is a lot of data! I tried to back up my PC and copy a couple of hundred photos on to a dvd but the folder was too big for one disk.
Hi Ed I - I love Peanuts too!!! :-) xx
So, it takes a disaster like this to get the professionals in -- to investigate what went wrong. I can tell 'em what went wrong - and I bet I'm a lot cheaper than Price Waterhouse.
And if I get another letter from HMRC telling me I owe VAT which I've already paid................ ooooooh! it makes my blood BOIL
Maybe the 502 monsters are at bay for the time being: I tried to answer a couple of things here yesterday but couldn't get through.
Dr. H @ 16, I think that it was generally made clear that the discs were password protected, and the point was that they were not encrypted? The latter might have made them more secure, the former was probably not going to be much use at all, and I know that some people were making that suggestion.
Barbara Lloyd @ 17, I think the story was important enough to merit the discussion of it, and today's further discussion as well. This is a massive collection of errors in a number of ways, and the people whose identities might get stolen do want to know about the possible effects and what (if anything) they can do in the way of damage limitation. The danger is not to the individual's bank account, necessarily, but to the other identity-theft possibilities; it is true that we risk identity theft every time we use our identification at all, but we generally take precautions, and in this case somebody else has ignored those precautions on our behalves, which is a considerable risk to us through no fault of our own.
Peripheral questions about the cost of transferring data from one place to another are not as important as questions about what the devil anybody thought they were doing transferring it in this format at all, and why the rules intended to protect the public from this sort of risk were apparently ignored completely.
Meanwhile, what is the news that is being buried, more important than something that may maleffect 25,000,000 people? Just under half of the population? Frankly, I think it would need to be a coup d'etat or the assassination of the Pope.