Sensitive Government Gateway information on lost flash drive
Date Reported:
11/02/08
Organization:
The United Kingdom of Great Britain and Northern Ireland (UK)
Contractor/Consultant/Branch:
Department of Work and Pensions
Government Gateway
Atos Origin
Location:
London, United Kingdom
Victims:
Registered users of the Government Gateway
Number Affected:
12 million
Types of Data:
"confidential passcodes" and "personal details, which can include names, addresses, wages, National Insurance numbers and credit card details"
Breach Description:
"Government Gateway websites were closed after a memory stick containing confidential pass codes to the system was found in a pub car park."
Reference URL:
Daily Mail
Reuters
BBC News
Telegraph
Report Credit:
Daniel Boffey, The Daily Mail
Response:
From the online sources cited above:
Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details.
The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets.
[Evan] Was the flash drive just lying on the ground in the car park?
The memory stick was lost by Daniel Harrington, 29, an IT analyst at computer management firm Atos Origin.
[Evan] It would really stink to be called out by name as the person responsible for this incident. Even if not a single bit of data were actually compromised, just being tied to this blunder is enough to scare the *( out of most people. Why did Mr. Harrington feel as though he needed to store this confidential information on a flash drive? Do other co-workers of Mr. Harrington practice the same irresponsible behavior?
The multinational company, which boasts an annual turnover of £4billion, won the five-year £46.7million contract to manage the Government Gateway in 2006.
Yesterday, Mr Harrington was in emergency meetings all day at Atos Origin's offices in Cannock.
His mother Sylvia said: 'It was lost. He is such a lovely lad. He went into work today, I don't know whether he was dragged in, but he went in. It is just so upsetting. I keep telling him, mistakes happen.'
[Evan] Even lovely lads make mistakes.
An urgent investigation is now under way.
The Department for Work and Pensions insisted that the system's security has not been breached, but a computer expert told The Mail on Sunday that in the wrong hands the data on the memory stick could enable hackers to access personal details of the 12million people who have registered on the system, including their passwords.
Users trying to log on to the site yesterday were met by the message: 'The Government Gateway is temporarily offline. We apologise for any inconvenience. Normal service will be resumed as soon as possible.'
The Government also closed down access to self-assessment tax applications via the Revenue and Customs website.
For the past six years, the £18million Gateway system has enabled members of the public and businesses to gain access to hundreds of services from 50 Whitehall departments, including self-assessment tax returns, VAT returns, pension entitlements and child benefit.
This year alone, 1.8million people have submitted their tax returns on the system.
Members of the public registering for the service have to provide their personal details, which can include names, addresses, wages, National Insurance numbers and credit card details.
[Evan] Obviously a system that collects and stores all of the sensitive information requires very stringent security controls. Do people access the site with a simple username and password?
The lost memory stick was found two weeks ago outside a Brewers Fayre chain pub in Cannock, Staffordshire, but the Department of Work and Pensions, which owns the Government Gateway, was made aware of its loss only last week when the 2in device was passed to this newspaper.
[Evan] The person who found the flash drive turned it over to the newspaper instead of the authorities. Why do you suppose he/she decided upon this route of disclosure?
An expert who examined it for The Mail on Sunday said it contained confidential passwords, security software and the technical blueprint to the system known as the 'source code'.
[Evan] Uh Oh! Source code?! Source code in the wrong hands can be devastating to the integrity of a program or system.
The memory stick is now in the hands of the police.
Ministers have repeatedly assured taxpayers that the system was secure.
When The Mail on Sunday told the Department of Work and Pensions that the memory stick had been left outside The Orbital pub in Cannock, a spokesman said they were taking the matter 'very seriously'.
He added: 'We have launched an immediate and urgent investigation into this. We are going to assess what needs to be done and senior people are involved. The implications are obvious.'
Yesterday, after the service had been shut down, the department added: 'We have moved immediately to make sure there is no conceivable risk to users of the Government Gateway.
[Evan] I don't know if the spokesman misspoke, doesn't understand risk, or is trying to mislead, but there is no such thing as "no conceivable risk". There is ALWAYS some amount of risk, and it is impossible to eliminate it.
'We are convinced the integrity of the Government Gateway has not been compromised and there is no risk to users.'
[Evan] Again, it is impossible to have "no risk".
Computer security expert Jacques Erasmus, from internet protection firm Prevx, said that the passwords and security software saved on the memory stick would provide access into a series of databases or payment systems.
He added that the greatest concern was the source code.
[Evan] I agree.
Mr Erasmus, who has previously worked with Government agencies, said that the blueprint to the Government Gateway was 'invaluable' for those who would want to harvest personal details or defraud the Government.
'Not only would a fraudster be able to take personal details using the tools provided on the lost memory stick, but the extent of the information contained in the source code would allow a hacker to access the Government Gateway's payment systems and even divert tax money into private bank accounts.'
A spokesman for the Department for Work and Pensions insisted that the security software and passwords on the memory stick had been protected so that a stranger would not be able to access the Government Gateway easily.
[Evan] OK, this statement is a little more accurate and seems to contradict the "no risk" statement earlier. A stranger with access to the flash may not be able to access the Government Gateway "easily", but the reward would certainly be great if a stranger did. If a stranger knew what he/she had in his/her possession, it would be well worth the effort, wouldn't it?
She said: 'Passwords are hidden using an industry standard technique which is difficult to break. We believe the risk of someone accessing personal data in this way is extremely low.'
[Evan] I assume that the industry standard technique is likely a one-way hash (with salt?). Not impossible to crack.
She added that the source code was old, that the step-by-step guide to the system provided in a text file was a 'low risk', and that other items on the memory stick provided only a 'rudimentary guide' to the system.
[Evan] Notice "low risk" not "no risk".
She also said that it would be 'impossible to intercept details of transactions' and divert money to another account.
"On the basis of an initial examination of the contents of the memory stick, it is our experts' opinion that the contents would not allow anyone to breach the very strong security safeguards protecting the website."
[Evan] I have to wonder who their "expert" is. Do you suppose that their "expert" is independent?
However, Mr Erasmus said the source code was only a few months old and that the password encryption would be 'relatively easy' to crack, given the information on the device.
[Evan] I would guess it is unlikely that wholesale changes were made to the source code in the past few months, so the source code on the flash drive could still be very damaging. Cracking the password encryption can be easy depending upon the hash implementation and password strength. As a security professional, I have a general dislike for passwords.
He said: 'I could decrypt those passwords to log in to the system and roam around the network. As we can see from the data on the USB stick, the systems contain highly sensitive personal information.
'If you can crack those encrypted passwords, and it would just be a matter of time, you could potentially access those 12million accounts and those details.'
Lib Dem MP Norman Baker said the Government were asking for data from taxpayers that they could not protect.
'The Government cannot be trusted with all this information but they collect more and more,' he said.
'I would have thought the basic security step would be to ensure that memory sticks with all this information on simply don't exist.'
[Evan] In a perfect world, eh?
Yesterday morning, the finder of the memory stick was asked to deposit the device at his local police station. And seven pages of printouts were handed over to a civil servant seconded to collect the documents.
An Atos Origin spokesman said: 'Atos Origin can confirm that a single memory stick has been misplaced by one of its employees.
[Evan] Do you suppose Atos Origin inventories all flash drives?
'The company takes the loss of this device very seriously and we are currently carrying out a full investigation of both the circumstances surrounding its loss and the data content of the stick.
'It is clear that the employee removed the device from company premises in direct breach of our own operating procedure.
[Evan] I have never written a policy or procedure that has been followed 100% of the time by 100% of the people governed by them.
'Atos Origin is working very closely with the Government and the police. The company takes full responsibility for this loss and will discipline the individual involved.
[Evan] This doesn't bode well for the "lovely lad".
"As this may become a criminal matter for the individual concerned, it is inappropriate for us to comment further at this stage."
[Evan] Neither does this.
Prime Minister Gordon Brown said the company would have "to explain itself".
Mr Brown said Cabinet Secretary Gus O'Donnell was sending out fresh instructions to ministers over how sensitive data must be handled.
Commentary:
Was Mr. Harrington aware of the Atos Origin procedure that prohibits the storage of sensitive information on flash drives? This is the first question that comes to mind.
Do other employees use flash drives too and he just happened to be the person to lose one? Procedures are useless if they aren't regularly communicated, enforced and reinforced.
Perhaps Mr. Harrington was just negligent.
What other administrative, technical, and/or physical controls does Atos Origin employ to prevent the use of flash drives?
Thankfully this flash drive was found and returned, hopefully without copies made or other disclosure. The actual risk to the Government Gateway users may be low, but this incident demonstrates very risky behavior on the part of the people responsible for securing it.
Past Breaches:
The United Kingdom of Great Britain and Northern Ireland (UK):
Numerous
Others:
Unknown
