Risk Factor iconRisk Factor

A Few More Shoes Hit the Floor in the UK

A few more shoes hit the floor in the UK id scandal.

According to the London Telegraph, the cost to secure those missing CDs containing the personal details of 25 million UK citizens was a whopping £5,000. HM Revenue and Custom senior officials didn't want to spend that amount of money to filter out sensitive personal data because to do so would "overburden the business by asking them to run additional data scans/filters that may incur a cost to the department". The current estimated cost of mitigating the risk of losing the data may reach £200 million, even if no fraud is committed. Nove cost/benefit ration, don't you think.

The Chancellor of the Exchequer Alistair Darling claimed that senior HMRC managers were not informed for three weeks that the 2 CDs went missing. Yet, in fact, HMRC was told within 6 days of the CDs being sent that they were missing by their intended recipient, the National Audit Office (NAO). The children's chant of liar, liar, pants on fire seems most apropos here.

The BBC is now reporting that instead of just four CDs, there now appear to be six HMRC CDs containing UK citizen private information that are missing. No one should be surprised that this number steadily increases over the coming week.

In the same BBC report, there is now a growing row between the UK government and the banks over who will pay for any fraud that might be committed. The UK government says that the banks are responsible in making their customers whole, and the banks naturally are saying, wait a minute, the government should be the ones paying since it caused the mess.

Anyone want to bet that the government will win in shifting its moral if not legal financial obligation to the banks, and the banks in turn will soon jack up their fees as an excuse to pay for "future fraud payouts," as well as play hardball with any customer who claims id theft?

The Sounds of Shoes Dropping Everywhere

In regard to the massive loss of personal data by the UK government earlier this week, it has emerged that senior UK government officials had been repeatedly warned that sensitive data was at risk of being compromised months ago because of slack security procedures. However, even after being told this, officials insisted that the data protection approached being used were "fit for purpose" - i.e., acceptable. Shoe Number 1.

An almost exact replica of this problem happened in 2005 involving HM Revenue and Customs and UBS customers. At the time, HMRC said, "This is a one off incident in a single office which receives thousands of pieces of post per week. We are urgently reviewing our procedures to make sure this does not happen again." Yeah, right. Shoe Number 2.

Seems that senior officials at HM Revenue and Customs knowingly refused taking even minimum security measures to protect the data being sent to the NAO because it was seen as being too expensive to do so. Shoe Number 3.

These senior officials - not the "junior official" whom the government blamed for the mess (who in fact looks like an administrative clerk) - apparently also authorized the method of data security (password protection, not data encryption) and the means of getting the information to the NAO (on CD sent by unregistered post). The junior official was merely following orders. Shoe Number 4.

It has now come out that HM Revenue and Customs has had over 1,211 - yes, 1,211 - data protection breaches in the past year, but as I mentioned earlier - this was apparently seen as being perfectly acceptable. HMRC has refused to talk about them. Shoe Number 5.

It was also disclosed that there are at least two other CDs that are missing on top of the two that are currently missing. Again, HMRC refuses to comment. Shoe Number 6.

The Chancellor of the Exchequer Alistair Darling informed parliament that he delayed announcing the loss of the CDs for 10 days after being told about it on November 10 because banks wanted more time to prepare anti-fraud measures. The banks vehemently dispute this. Shoe Number 7.

The government has told people not to worry - if any fraud is committed because of the breach, they will be covered. Now, all you have to do is prove a causal link. Good luck and God speed on that one. Shoe Number 8.

The "junior official" involved has been at least suspended (and some say sacked), and is at a safe house under 24 hour protection, supposedly for the person's own safety. More likely the government doesn't want this person talking to the press. Future Shoes Number 9 to ???

Hmm, its looks like UK Government's closet is as full of shoes as Imelda Marcos' closet.

LAUSD Payroll Debacle Explained - and Still Not Over

David Brewer, superintendent of the L.A. Unified School District, gave an interview to the LA Times in which he gave his reasons as to why the LAUSD payroll system blew up:

"The failure was this: That first of all there was no contractor oversight. That there was no real person in charge of this thing, at least the person who was in charge of it was not technically smart enough to know how to work the system. There was no separate chief information/technology officer dedicated to this. That was the first thing. We were depending on people who frankly speaking did not know how to interpret the problems that the system had technically."

I wonder why the project risk assessment didn't catch those pretty glaring risks/problems - wait, maybe there was no risk assessment. Does anyone out there in cyberspace know if there was any risk assessment done for this project?

Also, Brewer added in the interview that the payroll system "cannot account for about 500 people inside of the system who do not work to a standard calendar, even though we were told that we could. And now my contractor oversight says if that doesn't happen, they can't get paid." Two weeks ago, Brewer claimed that the payroll system was essentially fixed - I guess it isn't, after all, is it?

UK Government Security Blunder Continued

Details are now emerging on the lost confidential details of 25 million UK citizens. It appears that HM Revenue and Customs had established a practice of sending unencrypted data to the National Audit Office since March of 2007 to support its independent checks on the child benefit data, and would have likely continued if the CDs containing the information hadn't been lost in the mail last month.

Of course, the UK government is blaming the whole sorry affair on a "junior person" for not following procedures, that it wasn't an indication of a systemic failure (even though the same governmental agency had very similar security violations earlier this year), that an urgent review was being conducted to make sure it wouldn't happen again, that no one should panic (but do keep an eye on your bank account), yadda, yadda, yadda.

Prime Minister Gordon Brown told Parliament that, "I profoundly regret and apologise for the inconvenience caused"; the Chancellor of the Exchequer Alistair Darling said the episode was "catastrophic", "unprecedented" and "unforgiveable"; while the chairman of HM Revenue and Customs Paul Gray resigned, saying it was "a substantial operational failure." I do love British understatement, don't you?

Just to increase the sense of peace of mind of UK citizens, Richard Jeavons, director of IT implementation at the Department of Health admitted, when asked this week by a Commons Home Affairs Committee member about the security of the NHS Care Records Service database, i.e., "How confident are you that there won't be problems over [NHS] data and privacy?" responded that "You cannot stop the wicked doing wicked things with information and patient data..."

As a footnote, the UK government denied requests just last week from the Commons Health Select Committee to make information about NHS data security breaches public, saying that the information would, "add no value to the public understanding." I bet it wouldn't.

UK Government Mislays Half the Country's Personal Details

Reuters is reporting that the UK government Chancellor of the Exchequer Alistair Darling informed parliament that "two discs containing information on 25 million Britons had disappeared after being sent through HMRC's courier, Dutch mail and parcel company TNT NV, and a police investigation was underway."

"The missing information contains details of all child benefit recipients: records for 25 million individuals and 7.25 million families," according to Darling. It was a "serious failure" he said - no kidding?

Hmm, let's see. The UK government desires every citizens' and travelers' DNA, every person's travel related details, has created a national registry of all children under 18, is developing a national ID card, etc., etc., and yet it can't guarantee basic protection to any of the information it collects.

Nice, very nice.

Why Government Needs Sarbanes-Oxley - and its Penalties

This past week a $31 million property tax refund scam conducted by members of the Washington DC Office of Tax and Revenue was revealed by the FBI. The scam has been running for at least the past seven years, and allegedly involved two tax office employees (so far) and their families. The perpetrators were so unconcerned about getting caught, they sent a phony $346,700 check to a fictitious company named "Bilkemor LLC."

The employees were able to get away with the scam because their activities weren't supervised, nor extensively if at all audited. A "breakdown of internal controls" were blamed by DC officials - something that Sarbanes-Oxley reviews of computer system controls would have made much more difficult. The District's CFO hasn't resigned, and has indicated that he sees no reason to do so. Basically, he stated that it wasn't his fault, that he has already fired the wayward employees' managers, and that it wasn't a big deal anyway, since it didn't materially affect the District's finances: "It is important to emphasize that this unfortunate incident does not compromise the financial stability and viability of the District."

Public corporations would love to operate under that definition of materiality. If the CFO or CEO were in the same position of utter and absolute ignorance of their company's finances, they would be fired, sued by shareholders, and face possible criminal charges. I guess shareholder money is more important to protect than that of taxpayers.

This week, the Security and Exchange Commission (SEC) also admitted once again that it still couldn't meet Sarbanes-Oxley requirements either - more than a bit ironic for the agency whose job is to administer it to public companies and punish those who transgress its requirements. No one at the SEC is losing their job because of material weaknesses found there either, it appears.

NASA Hack Costs $1.5 million to Fix

Government Computer News reported that recent intrusions into NASA's Earth Observing Systemâ''s networks â''cost NASA $1.5 million for incident mitigation and cleanup costs alone,â'' according to NASA's inspector general, Robert Cobb, in a memo issued Nov. 13.

According to Cobb, these costs were above the operational costs NASA sustained by the loss of systems availability. Cobb noted further that, "We have again included IT Security as a most serious management and performance challenge because our work and that of the Agency continues to report that significant weaknesses persist and many IT security challenges remain. Significant management and operational and technical control weaknesses continue to impact the Agencyâ''s IT Security Program and threaten the confidentiality, integrity, and availability of NASA information and its systems. That threat is tangible in that the Agency continues to be a target for criminal computer intrusions."

Good IT News, Bad IT News at Department of Justice

The annual report by the Department of Justice's Office of the Inspector General (OIG) on the state of IT in the DOJ says that the FBI has made progress in implementing its Sentinel system. The report notes that, "Over the past several years, the FBI has instituted better IT management processes and controls through its Life Cycle Management Directive. Continuity in both the FBIâ''s CIO position and its project management staff â'' a huge problem in failed previous efforts â'' also has stabilized. In addition, all of the FBIâ''s IT activities have been centralized under the FBI CIO, who now controls all agency IT spending.â''

However, the IG goes on to note: "The Department also faces the challenge of assuring that the more than $2 billion it receives annually for the Departmentâ''s IT systems is being spent effectively. A June 2007 OIG report examined the Departmentâ''s inventory of IT systems and identified 38 major IT systems estimated by system mangers to cost over $15 billion through 2012. The OIGâ''s audit found that the cost information the Department provides on its IT systems to Congress, OMB, and senior management within the Department is unreliable. Specifically, IT system cost reporting within the Department is fragmented, uses inconsistent methodologies, and lacks control procedures necessary to ensure that cost data for IT systems is accurate and complete."

The OIG also said there was big trouble with the Integrated Wireless Network (IWN), a $5 billion joint project among the Department of Justice, the DHS, and the Department of Treasury that is intended to address federal law enforcement requirements to communicate across agencies, allow interoperability with state and local law enforcement agencies, and meet federal mandates to use federal radio frequency spectrum more efficiently. The OIG concluded that, "the IWN project was at a high risk of failure. Despite over 6 years of development and more than $195 million in funding, the OIG concluded that the IWN project does not appear to be on the path to providing the intended seamless interoperable communications system. The causes for the high risk of project failure include uncertain and disparate funding mechanisms for IWN, the fractured partnership between the Department and DHS on IWN, and the lack of an effective governing structure for the project."

It's a good thing, I guess, that you can't IWN them all.

Subtle Chip or Apllication Math Errors Can Lead to Big Problems

Over the weekend, the New Yorks Times ran an article on a potential IT security problem posed by errors in microprocessor chips such as the Intel Pentium error of a few years back or the recent Microsoft Excel spreadsheet bug.

Adi Shamir, a professor at the Weizmann Institute of Science in Israel and one of the three designers of the RSA public key algorithm, circulated a research note about how an attacker could exploit an undetected subtle math error and make breaking public key cryptography possible.

The Times article notes that Mr. Shamir believes that "if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be 'trivially broken with a single chosen message.' Executing the attack would require only knowledge of the math flaw and the ability to send a 'poisoned' encrypted message to a protected computer. It would then be possible to compute the value of the secret key used by the targeted system. With this approach, 'millions of PCâ''s can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually.' "

It isn't believed that this technique is being used - yet. It still seems easier to poison PC components themselves like hard drives at the factory, which recently happened to Seagate Maxtor drives made in Thailand and which were pre-loaded with password stealing Trojan horses.

Air Canada Computer Problems

Air Canada said there was a communications error between the airline's central reservation and check-in system affecting airports across Canada beginning at 0430 Friday morning. The system-wide problem affected both international and domestic flights with the worst delays experienced during the peak morning travel hours.

The delays weren't as bad as the recent problems at LAX.

Most Commented Posts

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributors

 
Contributor
Willie D. Jones
 

Newsletter Sign Up

Sign up for the ComputerWise newsletter and get biweekly news and analysis on software, systems, and IT delivered directly to your inbox.

Advertisement
Advertisement
Load More