A LAPTOP COMPUTER containing personal data on more than 14,000 voters has gone missing from the St Albans City and District Council office.
The council had, at least, thought to protect the information a little bit. The apparently opportunistic thief will face two levels of security to get to the good stuff, although the council admitted that there was a "slight risk" it could be accessed. That's reassuring then.
The computer had copies of scanned postal vote application forms and postal vote statements on it. These contained the names, addresses, dates of birth and signatures used to confirm the identity of 14,673 voters.
The council is also talking with the police and its IT services manager, Northgate Information Solutions, to find out exactly where the laptop could be and whether 14,673 voters should think about changing their banking details.
Letters will be sent to all those who voted by mail in the last council elections on 4th June, informing them of the "situation and the risks involved", the council said in a statement.
The Conservative group leader at the council, Councillor Julian Daly, whose own personal details were also on the missing laptop, said he was troubled by the incident.
He told the Press Association, "That's all the information you need to set up a bank account. It's classic identity theft territory. That is, assuming they can get at the data. It is troubling that the data was on a portable machine and it was accessible for someone to walk off with it."
Stonewood, the company that provides encryption to the Army and British government, said that, comparatively, St Albans City and District Council was actually ahead of some others in that they at least had two layers of security.
CEO Chris McIntosh said, however, that these 'two-layers' could be as simple as 'log-in' passwords, which could be easily hacked. "The reality is laptops will be lost or stolen," he said. "The council needs to be sure that nobody would be able to view those signatures." µ
"It is troubling that the data was on a portable machine and it was accessible for someone to walk off with it."
What is it with civil service types and the need to store sensitive information on laptops - just how stupid are these people????
Why don't councils use Macs to hold this sort of information?
A: if the laptop got nicked, the common thief won't know how to use it.
B: if said common thief turns the machine on and does use it, it can be traced if it ever goes on-line again.
C: Macs are more secure :)
D: why don't authorities use something like maglock, to physically secure a machine, even in the office?
It seems pretty daft to me to hold any kind of sensitive data on a machine that can be picked up and pretty much put in a deep pocket. There are solutions out there which would allow them to operate, but not actually have full data on HD.
I would 100% ban the use of laptops, where any kind of sensitive data is involved. That would put an end to these almost daily embarrassing security breaches.
Erm, no.
Macs are not secure, end of. Linux is not secure. Windows is not secure. Physical access, by default, bypasses filesystem layer security. Most easily by booting off a 'live CD'.
In addition, security is not related to obscurity.
Truecrypt is everyone's friend... Macs, Linux or Win. There are others, but that is my preferred weapon of choice.
Corps could use bitlocked drives (Vista/Win7) or third-party tools for data storage, then it doesn't matter if the asset gets nicked as cracking the encryption is effectively NP.
As for the article... I bet it was an Access database with user password :D They're probably under the impression that that IS encryption .<
Somewhat related. Years ago there were discussions about back door keys to encryption. Any company that produces software that encrypts must give a back door key to the government where the software is created. Is that true or not? I'm referring to the US but it could be in most countries. I wouldn't doubt that there are bilateral agreements in place to share those keys in an emergency. Just wondering.
to know how many of the letters they send to postal voters get returned 'Not known at this address'.
I don't care if you use Truecrypt with a 4096-bit key and an unguessable password, personal data has nothing to do on a laptop, period.
The only proper security concerning people's personal data is to keep that data on the server.
It should not be put on a laptop, it should not ever get near an external auditor, and consultants shouldn't even dream of seeing it.
ID fraud is a real concern. People need to be more responsible than ever before by monitoring their bank statements and credit reports to ensure fraudsters have not hijacked their accounts or opened up new lines of credit they have no knowledge of.
In the first nine months of 2009, there were over 70,000 cases of ID fraud.
Research from CPP shows that four in ten people want companies to be fined for losing personal data. Only last week the Information Commissioner's Office reported a total of 434 data breaches from organisations in the past 12 months, up from 277 the year before.
People need to be vigilant.
Surprise, surprise. Another incident of data security negligence. I find it absolutely astonishing that the people in charge of these computers think that 'maybe there were two levels of encryption installed, and that maybe people won't be able to see the data stored on them'. I don't think that a 'maybe' is comforting enough for those who will suffer from this. The fact is that IT administrators in these organisations should KNOW for a FACT that data is not going to be exposed. We are only human, and mistakes like laptop loss are always going to happen, so make sure that when they do - you are properly prepared. There are now remote data encryption and deletion services available on the market. These managed services can range from automatic machine lockdown to immediate hard drive deletion that can be triggered remotely whenever a machine is thought to be compromised. After all, a standard encryption key can eventually be broken with the right tools and knowledge. The only way to ensure data can't be obtained is to delete it, full stop.
Given the nature of the data that have gone missing, should the people concerned change their name, address, date of birth or signature?