Today we woke up to learn of yet another UK government data leak. Apparently a memory stick was left in a pub car park. Of course as always, not is all quite as it seems; the person who actually left the memory stick where it was, actually worked for a private sector company doing contracting work for the government. So was this really a UK government data leak at all ?
Well yes, the data was government data and it does not matter who leaked it. From memory (i.e. I am too lazy to hunt down the links to check) this is not the first time that government data leaks have been caused by private contractors. Perhaps the government should stick to doing their own work when it comes to working with data that contains personal information; if there is anything more aggravating than being slated for your own stupidity it is being criticised for someone else’s stupidity.
Of course most people will be under the impression that data leaks pretty much only occur when the government is involved; somehow data leaks from private sector companies never seem to hit the headlines in quite the same way. For instance the headlines for this morning’s leaks were all about the government role in the data loss and no mention of the private sector firm involved :-
- “Government memory stick found in pub” – Independent on Sunday.
- “Government passwords left at pub” – Guardian; also “Fears for personal data after government passwords left in pub car park”.
- “Brown says government cannot ensure data safety” – Times.
I have left out a few … I could not find the story on a few websites belonging to the gutter press, and lost interest after one too many pages with lurid colours and half-naked women popping out at me. But it’s all “the government” in those headlines; although they do in the end point out that it was a private contractor who lost the data.
Anyone reading (and trusting!) the media would be under the impression that the Government cannot be trusted with our personal information whereas private sector companies can because they rarely end up as front-page stories for losing data. Well I am not totally convinced that the Government has a monopoly on stupidity; there seems more than enough to go around.
Hunting down stories about private sector data leaks is kind of tedious because there does not appear to be that much out there, but a few stories did show up (not linking to anything before 2007) :-
- Orange and Littlewoods breach Data Protection Act
- Norwich Union fined £1.26m after ID theft
- Halifax apologises for mortgage data leak
- Financial data leaks put 16 million at risk
The last story is particularly interesting – 56 reported data leaks from financial firms in 2008 (who are not required to report data leaks). In a report by Verizon, it is estimated that of all private sector data leaks, only 14% of leaks are from financial firms; doing a little arithmetic indicates that there have been at least 400 data leaks this year.
So is the private sector any better or worse than the public sector ? They are probably just the same – woefully irresponsible. People rarely care about information security of others in their daily lives; in fact they are often also completely naive about their own information security.
So why does the government come in for so much criticism in comparison to the private sector ? Partially it is simply that we do not get a choice in the matter of whether to do business with the government or not. And partially it probably makes for a better media story. Or perhaps the media just wants to attack the government.
Perhaps some journalist can take a proper look at the private sector leaks, do the job properly and just for once the private sector can get some justified criticism. They might also want to take a closer look at the media’s preference for attacking the government on this matter.
Onto another matter; encryption. The government response was that the only personal data leaked in this case was encrypted as though that would protect the data. Well maybe, but only if it was strong encryption. Most people who use encryption are not aware of whether the encryption method is strong or not. For instance a quick google for “Word document password recovery” returns a huge list of choices for applicatiosn which will break the encryption on Word documents – making the encryption built into Word completely pointless. But how many people who use this encryption know that they are getting a false sense of security ?