UK prison officer information on lost contractor hard drive

Date Reported:
9/6/08

Organization:
The United Kingdom of Great Britain and Northern Ireland (UK)

Contractor/Consultant/Branch:
The Home Office
Ministry of Justice
National Offender Management Service (NOMS)
EDS Corporation

Victims:
"employees of the National Offender Management Service in England and Wales, including prison staff"

Number Affected:
"up to 5,000"

Types of Data:
"data related to financial information", "names, dates of birth, National Insurance numbers and employee numbers"

Breach Description:
"Sept. 7 (Bloomberg) -- Electronic Data Systems Corp. lost a computer disk carrying data on as many as 5,000 U.K. prison staff, prompting Justice Secretary Jack Straw to order an inquiry."

Reference URL:

BBC News
Bloomberg
Contractor UK

Report Credit:
BBC News

Response:
From the online sources cited above:

LONDON (AFP) - An urgent inquiry was underway on Sunday after a disc containing the personal details of 5,000 justice staff went missing in yet another embarrassing data loss blunder.
[Evan] It seems like all UK residents have been affected by poor information security through the loss of personal information in the past 12 months.  The people of the UK are losing patience.  The Guardian reports that prison officers are threatening a strike over this breach.

Those affected are employees of the National Offender Management Service (NOMS), who may include many prison officers.

"We believe nearly all of this data related to financial information -- for example, invoices from Prison Service suppliers," said a Ministry of Justice spokeswoman.

"However, we believe there is also a limited amount of personal information on around 5,000 NOMS employees including their names, dates of birth, National Insurance numbers and employee numbers."
[Evan] How does this information qualify as "limited"?

According to a letter obtained by the News of the World newspaper, which it published on Sunday, private contractor EDS told the Prison Service in July that the hard drive had gone astray.
[Evan] There is no mention of encryption in any of the news stories I have read to date.  I will assume that the lost hard drive was not encrypted, and if this holds true, then shame on EDS!  EDS should know better and this practice puts their customer information at an increased and unnecessary risk of disclosure.  EDS offers "Enterprise Security" services too.  Ugh.

The missing disc was last seen in July 2007.
[Evan] Am I understanding this correctly?  EDS lost the hard drive in July 2007 and didn't notify the Ministry of Justice until July 2008?  12 months?!  Is this acceptable to anyone?

So far, the only party EDS is understood to have alerted was the Prison Service, though reports suggest it failed to issue this alert until 12 months after the incident.  

"I am extremely concerned about this missing data," Justice Secretary Jack Straw said in a statement, adding that he was only informed about it on Saturday.
[Evan] EDS loses the drive in July 2007 and notifies the Ministry of Justice 12 months later, then another two months pass before Mr. Straw is informed?

He said he had "ordered an urgent inquiry into the circumstances and the implications of the data loss and the level of risk involved.

"I have also asked for a report as to why I was not informed as soon as my department became aware of this issue. My officials are also in touch with EDS as part of these processes. We take these matters extremely seriously."

Justice Minister David Hanson said he was "very angry" at the loss.
[Evan] I would be %$@# too!

"I await the enquiry to see the details of the information, but my assessment is that the confidentiality and the security of staff will, I hope, not be compromised," Mr Hanson told BBC Radio Five Live.

But he also said it was "a historical loss which I do not believe will ultimately compromise the safety and security of those who work for us."
[Evan] Let's hope that Mr. Hanson's beliefs hold true.  We do know that the risk of compromise is greater than it should be.

Shadow justice secretary Nick Herbert said: "The records of prisoners have been lost already and now we discover that personal data about prison officers has gone too.
[Evan] Mr. Herbert is referring to the announcement in August that PA Consulting lost a flash drive containing information belonging to 84,000 prisoners in the UK.  I did not write about this breach on The Breach Blog.

"When was this incompetent government planning to own up to another data disaster - this time one which has put the security of thousands of its own employees at risk - and if, as they claim, they didn't know about this until now, who on earth is actually running the department?"

The Prison Officers' Association said the loss, which it had not been informed about, could end up costing the taxpayer millions of pounds.
[Evan] In my opinion, EDS has some serious liability too.

National chairman Colin Moses said: "We are extremely concerned that not only has this data been lost, but that the Prison Service appear to have tried to conceal this serious breach in security.

"It is a breach that we believe could ultimately cost the taxpayer millions and millions of pounds, because, if the information lost is personal and sensitive, it may well mean staff having to move prisons, move homes and relocate their families."

A spokesman for EDS added that the company was working with the Ministry of Justice to provide its officials with a "detailed analysis of the situation."

He said EDS would be advising the department on the "remedies that should be undertaken," but declined to be drawn on whether the data were protected.
[Evan] EDS, the company largely responsible for the loss and flawed incident detection and/or response, will also be "advising" the department on what they should do now?!

Commentary:
Again, I am basing many of my comments above on the assumption that the hard drive was not encrypted.  EDS is a pretty widely respected company.  I would have expected more.

Past Breaches:
Electronic Data Systems:
January, 2008 - Wisconsin Dept. of Health and Family Services mails Social Security numbers
December, 2007 - TRICARE breach affects 4,700 households
August, 2007 - Former Electronic Data Systems Employee Charged with Identity Theft of 498

The United Kingdom of Great Britain and Northern Ireland (UK):
Many


 