This letter was written in 2007 when the British Government announced that it had lost a number of disks containing sensitive personal information on every household in the UK with a child under the age of 16. The intention is to educate the reader as to what was done wrong and how simple a matter it would be to do it right.

Open Letter to The British Government Regarding the Loss of Sensitive Personal Information on every household with a child under 16 years old.

Introduction

As reported by the BBC and Sky News, two disks were lost that contained the details of every family with a child under 16 years old. This raises a number of questions, some technical and some procedural. All cast worrying doubt on the way the government handles the public's personal information, perhaps suggesting that government should not currently be trusted with such details.

The author of this document is Matthew Brown, Managing Director of the UK-registered IT and media company Adullam Limited, although the opinions expressed herein may not reflect the opinions of Adullam Limited. Mr Brown is a trained analyst and by profession qualified to speak on matters of data security. Yet the issues addressed within this document are of a level that is first touched on at GCSE (level 2) ICT and completely covered by Early Academic Level 4 (undergraduate level).

The areas of concern are divided up under headings, each ending with one or more questions (clearly differentiated) to be answered by the parliamentary process. Any citizen of the United Kingdom of Great Britain may have a question asked of any member of parliament as a constitutional right. By citing this document and requesting of one's MP that the desired question be presented, one can cause the chosen question to be posed, regardless of any political desire for things to be otherwise.

The questions within this document should be treated as separate and discrete by the Members of Parliament and staff of whom they are asked. Wherever appropriate, all questions should additionally be considered public requests under the Freedom of Information Act. For each question a self-contained answer is required.

The Data Protection Act.

The Data Protection Act requires that all data be kept up to date and accurate, and kept only for so long as it is needed. Some exceptions for record keeping exist; however, without information regarding the purpose of this data transfer, the transfer is potentially an indicator of bad record keeping.

If this data were transferred for use on a different system, this creates duplication issues whereby it is difficult or impossible to maintain accurate data, as updates must now be made on two separate systems. This is neither desirable nor efficient. Should one set of data become inaccurate, then the government would have breached the Data Protection Act by such a method of operation. A better system would allow authenticated access by auditors, via a secured and structured API, to the required subset of data as it exists within the computer system.

However, one must question what use personally identifiable information is to the NAO and how many members of staff therein would access it. This leads to another worrying thought: the scope and number of individuals that could and might see any given person's data over the 16 years or more that it might be on record. Finally, one has to ask whether this totality of access is not a threat in itself.

It is all well and good to blame office juniors for errors, but a well-structured data and security system should not allow untrained or junior staff full access to sensitive information to start with. This breach requires that we enquire into the level of vetting and the number of personnel with unrestricted access to sensitive data. This access may itself be a breach of the Data Protection Act.

The author would question the necessity of junior officials having such unrestricted access and is curious as to how the public is protected against what is known as a “Man Inside Attack”, whereby data thieves place or recruit a person to obtain copies of data. HM Revenue and Customs have already told us that a junior official was able to make such a disk of data, and did so, it seems, without reprimand or detection until after the data loss. What possible reassurance can be given that other copies have not been taken in the past? Unless a full audit trail exists within the IT system there can be no surety at all.
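The "full audit trail" the letter asks for is a concrete engineering object, so here is an added example of one; it is not code from the letter or from any government department. Each read of a record is appended as an entry chained to the previous one with HMAC-SHA256 under a key that is assumed to be held by the auditors rather than the operators, so an entry that is edited or removed breaks the chain, and the head MAC is kept out of band so that truncating the trail is caught too. A user whose read count passes a threshold is flagged, which is the "copy the whole database to a disk" case. The key, user names, record ids and threshold are all constructed for illustration.

```python
"""Tamper-evident access audit trail with a bulk-read alert (added example)."""

import hashlib
import hmac
import json
from collections import Counter

# Assumption: this key lives with the auditors, not on the operators' systems.
AUDIT_KEY = b"constructed-audit-key-keep-with-auditors"
CHAIN_START = b"\x00" * 32


class AuditTrail:
    def __init__(self, key=AUDIT_KEY):
        self.key = key
        self.entries = []          # in practice: append-only storage
        self.prev_mac = CHAIN_START

    def _mac(self, prev_mac, entry):
        payload = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self.key, prev_mac + payload, hashlib.sha256).digest()

    def record_access(self, user, record_id, purpose, ts):
        """Append one access entry; ts is a timestamp supplied by the caller."""
        entry = {"ts": ts, "user": user, "record": record_id, "purpose": purpose}
        mac = self._mac(self.prev_mac, entry)
        self.entries.append({"entry": entry, "mac": mac.hex()})
        self.prev_mac = mac

    def head(self):
        """Current head MAC; store this out of band with the auditors."""
        return self.prev_mac.hex()

    def verify(self, expected_head):
        """Recompute the chain. Returns -1 if intact, the index of the first
        entry whose MAC does not match, or len(entries) if the chain is
        internally consistent but does not end at expected_head (truncated)."""
        prev = CHAIN_START
        for i, e in enumerate(self.entries):
            mac = self._mac(prev, e["entry"])
            if not hmac.compare_digest(mac.hex(), e["mac"]):
                return i
            prev = mac
        return -1 if hmac.compare_digest(prev.hex(), expected_head) else len(self.entries)

    def bulk_readers(self, threshold):
        """Users who read more than `threshold` records, sorted by name."""
        counts = Counter(e["entry"]["user"] for e in self.entries)
        return sorted(u for u, c in counts.items() if c > threshold)


def demo():
    """Constructed scenario: a spot check by an auditor, then one user reading everything."""
    trail = AuditTrail()
    for i in range(3):
        trail.record_access("auditor_a", f"REC-{i:05d}", "spot check", ts=1000 + i)
    for i in range(50):
        trail.record_access("junior_b", f"REC-{i:05d}", "", ts=2000 + i)
    head = trail.head()
    intact = trail.verify(head)
    flagged = trail.bulk_readers(threshold=10)
    trail.entries[10]["entry"]["user"] = "auditor_a"   # attempt to disguise one read
    edited = trail.verify(head)
    trail.entries[10]["entry"]["user"] = "junior_b"    # restore, then truncate the tail
    del trail.entries[-5:]
    truncated = trail.verify(head)
    return {"intact": intact, "flagged": flagged, "edited": edited, "truncated": truncated}


if __name__ == "__main__":
    print(demo())
```

The chain only proves anything if the MAC key is out of reach of the people being audited; with the key on the same system as the operators, a rewritten trail can simply be re-signed. The threshold is deliberately crude: the point is that a single user touching every record in a short window is an event someone should be told about before a disk leaves the building.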

In losing such data the government has breached the Data Protection Act anyway, specifically the requirement that all data be kept safe and secure. With this in mind, the government must be ready to compensate the people on whom it holds the data. Furthermore, it is likely that the government is liable for the breach of law and may potentially be sued in a class action.

If an action is brought against the government, it is unlikely the government will be able to defend it and it will therefore be required to make considerable payments. These payments must be funded from somewhere, and it is likely that the taxpayer will be the one to “foot the bill” in the form of tax rises to cover a sudden increase in spending. This is not a good or healthy thing for a country to experience, especially given the sensitive nature of the current economic climate.

Why was the NAO being offered personally identifiable information to start with?

What financial planning exists to cover these costs without additional burden on the tax payer?

Is the government willing to cover the full cost of losses due to fraud resulting from this breach?

How was accuracy across the duplicate data sets to be maintained in accordance with the Data Protection Act?

How many personnel have full access to the data in question?

To what level are the staff that have full or part access to the base data vetted and how often?

What level of security is in place to prevent or trace staff access to the personal data of others?

Given the claim by the BBC that junior officials had full access to make disks of the entire data collection, what process is in place to ensure that such data is not removed with criminal intent?

Can realistic and evidence-backed assurances be made that no data has been extracted by so-called “man inside attacks” within the last three years?

Basic Data Handling?

A huge amount of data was being transported from one location to another. It was neither well encrypted nor made unreadable in any way. This data was then “lost”.

The government surely has access to expert IT staff and has in place computer networks comparable in quality to those used in modern business. It is not normal to transmit sensitive data “in the clear”, nor is the physical movement of large blocks of data.

There are only two reasons that data should be copied from one location to another: relocation of the data centre, or storage of backups in a secure manner as a preventative measure against data loss or corruption. The need to audit data should never necessitate duplication of that data but should be met by authorised, live access to the data in question.

The BBC themselves recently said that:

A University of Washington study released in March 2007 showed that 60% of data breaches were the result of bad practices inside organisations rather than hackers.

SOURCE: http://news.bbc.co.uk/1/hi/technology/7105212.stm

It is standard methodology to encrypt sensitive files and compress data so that it cannot easily be read without the proper access “codes”, commonly called keys. These keys are many orders of magnitude more secure than passwords and, at sufficient size, can take even a mainframe computer hundreds of years to force. Software for encryption, to a grade that our best military intelligence centres might not be able to open, exists freely available under non-restrictive licenses. Such software even allows data to be hidden invisibly within other data without leaving a clue as to its existence.

Given that Britain was the wartime expert on code use, it might be reasonable to expect the country to have a good level of data security, or at least an understanding of data protection. It is a well established fact that placing data on removable media is a physical danger to the secrecy of the data, as it can be removed. This is inherent in, and indeed the purpose of, such media.

Personal accounts, half-finished novels and other data of negligible worth are routinely stored in encrypted volumes by members of the public for peace of mind. Modern office suites like OpenOffice.org or Microsoft Office enable users to password-protect data, rendering it hard or impossible to read without the password. Basic transactions like the viewing of personal statistics on a website of little or limited importance are carried out using the same secure connections used by banks and other institutions.

Banks, credit cards and savings accounts can be accessed via the public internet securely and safely, and transactions that can involve millions of pounds are carried out over such connections every day. These same levels of security, and better, can be used to establish what are called Virtual Private Networks, which allow two computers with Internet connectivity to communicate as if they were on a secure local connection.

Alternatively, there exists software to securely operate computers remotely with the same level of security. These technologies eliminate the need to maintain local copies of data. There are industry standards to which such software is written, and much of this software is made available for free.

For reasons that are not apparent, the government seems to forgo such de facto standards in favour of methods of operation that were not commonplace even in more trusting times. This begs further questions, not asked here, as to the quality of the spending and investment made by the government in its own ICT infrastructure.

With a modern Internet connection or a “hard line” between buildings, the need for physical transport seems highly unlikely. It is reasonable to assume that the government has access to both a fast internet connection and a computer network that spans departments and buildings. With speed-limiting and control systems (such as QoS, transfer throttling or off-peak transfer), even the biggest files can be safely and securely backed up from one location to another. This has the added physical security that no object imprinted with the data exists at any stage of the process.

Given that the only security was a basic password, this presents insufficient security for even basic data. 50% of passwords used can be guessed within 10 minutes or less using a standard personal computer and a method known as a dictionary attack. Worse still, a dedicated attacker with access to criminal “botnets” (used by many kinds of “cyber criminal” for activities such as blackmail, spamming, Distributed Denial of Service attacks or “brute force” password attempts) or other large co-operative systems might be able to turn the work of years into the work of a few days. With access to a modern mainframe computer this can be done many times quicker still.

Generic brute-force search techniques can be used to speed up the computation. But the real threat may be likely to be from smart brute-force techniques that exploit knowledge about how people tend to choose passwords. NIST SP 800-63 (2) provides further discussion of password quality, and suggests, for example, that an 8 character user-chosen password may provide somewhere between 18 and 30 bits of entropy, depending on how it is chosen. This amount of entropy is far less than what is generally considered safe for an encryption key. SOURCE: http://en.wikipedia.org/wiki/Password_cracking
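The two passages above (the dictionary-attack paragraph and the quoted NIST figures) can be put in numbers. The following is an added example, not code from the letter or from NIST: it implements the user-chosen-password entropy estimate from NIST SP 800-63 Appendix A (4 bits for the first character, 2 bits each for characters 2 to 8, 1.5 bits each for characters 9 to 20, 1 bit each after that, plus 6-bit bonuses for a composition rule and for a dictionary check) and sets the resulting search space beside that of a random 128-bit key. Applying the dictionary bonus as a flat 6 bits is a simplification of NIST's schedule, and the word list and guess rates are constructed for illustration rather than measured.

```python
"""Password-entropy estimate versus a random encryption key (added example)."""

import secrets

# Constructed mini word list; a real dictionary check uses a large list.
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "football"}

# Constructed guess rates in guesses per second; assumptions for the comparison only.
GUESS_RATES = {"single_pc": 1e6, "botnet": 1e9}


def nist_user_chosen_entropy(password, composition_rule=False, dictionary_check=False):
    """Entropy estimate in bits per NIST SP 800-63 Appendix A for a user-chosen password."""
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0                               # first character
    bits += 2.0 * max(0, min(n, 8) - 1)      # characters 2..8
    bits += 1.5 * max(0, min(n, 20) - 8)     # characters 9..20
    bits += 1.0 * max(0, n - 20)             # characters 21 and beyond
    if composition_rule:                     # upper case and non-alphabetic required
        bits += 6.0
    if dictionary_check:                     # simplification: flat 6-bit bonus
        bits += 6.0
    return bits


def is_dictionary_word(password):
    """A plain dictionary word falls to a dictionary attack before any estimate applies."""
    return password.lower() in DICTIONARY


def random_key_entropy_bits(key):
    """A key drawn from a CSPRNG carries entropy equal to its length in bits."""
    return 8.0 * len(key)


def seconds_to_exhaust(entropy_bits, guesses_per_second):
    """Worst-case time to try every value in a space of 2**entropy_bits."""
    return 2.0 ** entropy_bits / guesses_per_second


def compare(password, composition_rule=False, dictionary_check=False):
    """Search times for the password and for a freshly generated 128-bit key."""
    key = secrets.token_bytes(16)
    result = {
        "dictionary_word": is_dictionary_word(password),
        "password_bits": nist_user_chosen_entropy(password, composition_rule, dictionary_check),
        "key_bits": random_key_entropy_bits(key),
    }
    for name, rate in GUESS_RATES.items():
        result[f"password_seconds_{name}"] = seconds_to_exhaust(result["password_bits"], rate)
        result[f"key_seconds_{name}"] = seconds_to_exhaust(result["key_bits"], rate)
    return result


if __name__ == "__main__":
    for pw in ("password", "M4rch2007!", "the four seasons of the year"):
        r = compare(pw, composition_rule=True, dictionary_check=True)
        print(f"{pw!r}: {r['password_bits']:.1f} bits, "
              f"botnet exhausts in {r['password_seconds_botnet']:.3g} s; "
              f"128-bit key would take {r['key_seconds_botnet']:.3g} s")
```

An 8-character password scores 18 bits with no checks and 30 bits with both bonuses, which is exactly the range the quotation gives; at a million guesses per second the 30-bit space is exhausted in under twenty minutes, while the 128-bit key space takes on the order of 10^29 seconds even at a thousand times that rate. The practical reading is the letter's own: a password-protected archive is not an encrypted one unless the password is turned into a key by a deliberately slow key-derivation function and is itself long and random.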

After transportation of data via disk, the single biggest security problem that exists is that the disk exists. Sometimes these disks are recycled with the data still on them; other times they are discarded with the data still on them. While this is not so much of a problem if the data is heavily encrypted, it is still a worry and a common oversight, leading to the biggest potential source of data leaks currently facing modern business. Ideally such disks should be blanked and overwritten with random data, or destroyed safely by reliable experts. Disk destruction presents an array of potential safety hazards and so should not be handled informally.
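"Blanked and overwritten with random data" looks like this in practice. The following is an added example, not code from the letter: it overwrites every byte of a file with CSPRNG output, forces each pass to the device with fsync, checks that a constructed sample record is no longer present, and only then unlinks the file. It assumes a magnetic disk and a filesystem that rewrites blocks in place. On flash media (SSDs, USB sticks), on journaling or copy-on-write filesystems, and on write-once optical disks like the ones in this story, an in-place overwrite does not reliably reach the old data; there the answer is to encrypt before writing so there is nothing readable to recover, or physical destruction by people equipped for it, as the paragraph says.

```python
"""Overwrite a file with random data before deleting it, and verify (added example)."""

import os
import tempfile

CHUNK = 64 * 1024


def overwrite_with_random(path, passes=1):
    """Replace every byte of the file with os.urandom output, syncing after each pass.
    Returns the total number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())   # push this pass to the device, not just the page cache
    return written


def file_contains(path, needle):
    """Whole-file search; fine for the demo, a real scan would stream with overlap."""
    with open(path, "rb") as f:
        return needle in f.read()


def wipe(path, passes=1):
    """Overwrite, then unlink. Unlinking alone only removes the directory entry."""
    written = overwrite_with_random(path, passes)
    os.remove(path)
    return written


def demo_wipe():
    """Constructed file of repeated sample records; returns what the checks observed."""
    record = b"NINO QQ123456C; DOB 01/01/2000; CHILD BENEFIT; "   # constructed, not real
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(record * 4096)
    size = os.path.getsize(path)
    before = file_contains(path, record)
    written = overwrite_with_random(path, passes=2)
    after = file_contains(path, record)
    size_after = os.path.getsize(path)
    os.remove(path)
    return {"size": size, "written": written, "before": before, "after": after,
            "size_after": size_after, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo_wipe())
```

On a Unix shell the GNU coreutils `shred -u` command does the same job for a single file, with the same caveat about media and filesystems that do not write in place. Whatever tool is used, the check that matters is the one in `demo_wipe`: read the media back afterwards and confirm the data is gone, rather than trusting that the delete key did it.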

It seems reasonable to assume that if data transfer by disk has happened this time, then it has happened before, perhaps many times before. Therefore it should be assumed that a significant flaw in data security has existed, and a full audit of all writeable media content should be taken as quickly and completely as possible. Ideally this should be carried out by people who understand the ideas of data security.

How frequently has data been transferred between locations in this way?

Why is data not encrypted to a military standard or better as standard?

Why is movable media ever used at all, or even allowed within the offices where such data is accessed?

Why is a secured network connection not used for the transport of all data?

What was to become of the disks once the data had been moved and how was this to have been ensured?

In the past how were such disks treated after data transportation? Please provide evidence.

Has the NAO received data of such sensitivity or scope in this format before?

Responsibility

The final issue to be addressed is that of responsibility. Clearly these practices were established based on some form of advice, the research of best practice and professional experience. We call into question the quality of that source of expert skill, and question the processes that established such weak logical and physical security.

It is not acceptable that so many security risks exist in one place. It is unforgivable that untrained (and presumably untested) personnel have unrestricted access to sensitive data. If the personnel that access and maintain such a database are insufficiently experienced, this suggests a high turnover of staff. Under such conditions, true security becomes impossible while such staff have unregulated access.

Furthermore, the use of a firm that has demonstrably lost items calls into question the selection and use of that firm to begin with. Outside agencies must be selected not just on the grounds of budget but also on firm evidence of competent and efficient performance.

Please identify the consultant(s) whose formal recommendations were used in the establishment of such practices that enabled this breach to come about.

Please identify the best practices, formal reports and recommendations that identified full access by multiple users as a viable, secure, safe and/or efficient methodology, or else the letter of resignation of the manager that failed to seek this prior to using such a method.

Please provide a full breakdown of the process that was used to identify TNT as a secure and reliable agent.

Conclusion

With even the most basic of security in place, such data leakage should not arise to start with. The author, therefore, holds the government jointly and entirely negligent with HM Revenue and Customs in its handling of sensitive data. Best practice should long ago have been established and implemented nationally so that an error of this scale or nature cannot happen.

That this has not happened throws doubt on the viability and effectiveness of all current ICT partners, especially those used by HM Revenue and Customs. It is time to review the process by which these systems are created and the way in which safeguards are created. It is perhaps time to require that fresh companies be used in the provision of technology, and that companies with a record of failures be blacklisted from government or local authority work for a period of not less than twenty-five years.

The processes in place are clearly woefully inadequate, and the staff lacking in training yet holding excessive and escalated privileges within the system. This can only lead to abuse and to mistakes that are costly and dangerous, as has just been demonstrated. The only answer is a complete re-evaluation of the processes and security in place, preferably by demonstrably expert data security advisers.

One thing that is very clear now is that this has demonstrated how deadly a national ID system would be with the level of actual protection the data really gets. When the most sensitive of data is processed in a liberal and insecure way that seems to fly in the face of best practice and even common sense, the author no longer trusts the government or its agencies to hold any data safely.

It is a worrying thought that a government unable to keep safe even a few disks' worth of data is also commissioned with keeping us safe from the threats of bombs, poison and explosions from aggressive groups with “an axe to grind”. How can they keep us safe from terrorists if they cannot keep us safe from themselves?

It is time to stop pretending that the voices of so many IT experts are not shouting for reform. It is time to recognise that the government is a by-word for botched IT projects and budget overruns for systems that are hardly worth considering. For the same money the government could sponsor ten times as many Open Source projects to a hundred times the level of completion than they currently achieve, train all staff to use the systems and still have sufficient budget left over to improve the NHS, reduce tax or otherwise run the country with improved security and efficiency. Security by obscurity has failed; now is the time for transparency and standards.
