Comments on: Join the army, get your ID pinched - MoD laptop goes AWOL

riddled with unauthorised copies 

Posted Sunday 20th January 2008 20:32 GMT

Pirate

I think there is a very simple cause of all these losses.

Now that almost all government computing services are run under PFI contracts where requests for new processing or additional queries are additional-cost items, it makes sense for most offices to keep a private copy of the database to reduce the cost of accessing the data.

I predict that government offices are riddled with unauthorised copies of databases.

It's either stolen... or sold

Posted Sunday 20th January 2008 20:42 GMT

The gov seriously think we can trust an ID card system? When they can't even protect departmental ones? Is this gov mad? After all the data theft last year, earlier this year, one would imagine that all laptops will have the latest and best encryption, not to mention that anyone not authorized to have the data should NOT be taking them outside secured area, never mind parking it outside their house or a car park.

Yup lol 

Posted Sunday 20th January 2008 20:57 GMT

Anyone checked the Local Bargain Pages for this yet? LOL

Come on guys... 

Posted Sunday 20th January 2008 21:00 GMT

SecureDoc, TrueCrypt, PGP... it ain't fucking hard.

Oh well 

Posted Sunday 20th January 2008 21:17 GMT

Paris Hilton

Oh well, I was going to say pack him off for a nice long voyage but since the mighty blighty Royal Navy is but a wraith-like shadow on the water and weaker than the floating remains of the once mighty Imperial Japanese Navy at the end of another conflict last century, so thus as we speak that won't happen!

Perhaps a nice long holiday as an inmate in the Tower of London is more appropriate here!

As there is nothing much to see, just another useless incompetent wanker pretending to be a sailor and adherent to the "Peter Principle", move along now!

Or as Paris would say down on her pretend farm reality show "Sh*t happens"

Let's just start over

Posted Sunday 20th January 2008 21:28 GMT

Go

Issue new ID for everybody. New bank account numbers, New phone numbers. New street addresses. Rename cities. Sale on hair dyes and wigs. Distribute 2 for 1 vouchers on face lifts.

Bring Back the Big Iron 

Posted Sunday 20th January 2008 21:32 GMT

Coat

A lot of these problems would be solved by the government going back to the big, heavy hardware of the past. You know the idea: run everything on a server with some sort of terminal hardware rather than a desktop computer.

And if the personnel database had to be kept on a computer that needed to be plumbed into a decorative fountain for cooling, there'd be few worries about laptops. I think they've sold off all those Green Goddesses.

While we're at it, chaining your mobile phone to a concrete block should reduce the number of thefts.

And the rest 

Posted Sunday 20th January 2008 21:35 GMT

Thumb Down

http://news.independent.co.uk/uk/politics/article3353778.ece

"The Ministry of Defence admitted yesterday that it was urgently checking the information thought to be held on more than 400 laptops stolen from the department in the past five years, including at least 68 stolen in 2007 alone."

If it was his own laptop... 

Posted Sunday 20th January 2008 21:45 GMT

Pirate

Then he might take more bloody care over it. Left overnight in his car? Would he have done that with his own kit?

Make him pay five times the cost for replacement and they may actually look after the kit then. Oh, and then bang him up in a cell for two years too, for negligence under the Naval Discipline Act 1957.

I also want to know why they hold the data for that long, especially if the application was unsuccessful or the applicant withdrew.

It's all a joke really 

Posted Sunday 20th January 2008 22:01 GMT

Alien

isn't it?

Tell me so, then we can all wake up happy in the morning and have a laugh along with those hilarious guys and gals who like to tease us by just pretending that our data is insecure...

You'd have thought that they would learn

Posted Sunday 20th January 2008 22:10 GMT

A laptop was stolen from a Wing Commander David Farquhar's car containing the Desert Storm plans - and that was 17 years ago

"The government may be running out of novel ways to lose identity data. ®" 

Posted Sunday 20th January 2008 22:23 GMT

No, they are just rehearsing for when they have got so much that it doesn't all fit on the server. Sort of like the prison over-crowding crisis, only for electrons.

My guess is that the official response to this will be to re-instate Crown Immunity! And freshen up the Official Secrets Act. Just in case it's terrorism related. Oh, did you know it could all have been prevented, if only we had ID cards?

I see a conspiracy! 

Posted Sunday 20th January 2008 23:12 GMT

Black Helicopters

The gov is letting all this data get "lost" to soften us up and get used to the data loss so that when ID cards are forced on us and they SELL the data from them we will not care.

Tell 'em what's on it 

Posted Sunday 20th January 2008 23:27 GMT

Stop

So a laptop was stolen... the thief thought he had a simple laptop to wipe and resell...

Now after all the media, he knows that there is valuable data, which could be sold, used etc. for far greater profit.

There are times when I feel that we the public are better off NOT knowing exact details in favour of not making the situation worse for those whose details were on the laptop.

It's not the officer's fault 

Posted Monday 21st January 2008 00:47 GMT

Unhappy

What were the details of 600,000 people doing on a portable device to start with? This sort of data should live in a secure environment. What's the point of the MoD paying a fortune for firewalls and other network security, and locking down the physical security of their buildings - CCTV, guards, ID passes, etc. - when they stupidly allow valuable data to reside on a laptop?

Unless their laptops are on a 30 metre steel cord and can't be taken outside of MoD premises or the strongest possible level of hard drive encryption is used, they should expect this sort of thing to happen all the time.

Oh, it does, and they do. My mistake.

Seriously, organisations this incompetent shouldn't be allowed computers. I'm still hacked off at the child benefit fiasco. I haven't seen any heads roll from that screw up. That was a management issue. They should expect moronic staff to do stupid things so they should have procedures to stop it from happening. Like forcing staff who require access to such a database to pass a competency test like they do in some organisations that take security and IT Risk Assessment seriously. Jokers, the lot of them! (My god, they're running the country! Aargh!)

And all this is just the tip of the iceberg... 

Posted Monday 21st January 2008 01:13 GMT

IT Angle

I mean, bear in mind these are just the cases we hear about.

I could tell you guys a story about a new government IT system that's currently live but woefully incomplete and a data protection joke, but it'd probably cost me my job. Let's just say it's only a case of security through obscurity that's preventing a free-for-all on sensitive information relating to pretty much everyone in the country.

I'm weighing up my options on how much the tabloids might pay for the story.

Clear case of overworked MoD personnel 

Posted Monday 21st January 2008 01:57 GMT

Everyone on El Reg is being terribly harsh to the real victim in this - yes that unnamed MoD worker who is forced to personally handle the cases of some 500,000 wannabe squaddies.

Think about it - how would you like to know the well-being of half a million people is your responsibility? Doubtless the poor fellow was so stressed at being made to carry his work home at night that he made the perfectly understandable mistake of forgetting to take his laptop with him when he popped into the local Spar (or another one of the metropolis' innumerable high-quality all-night self-service consumer boutiques) for a family pack of ProPlus and a barrel of full-fat own-label cola.

Hold on, my associates wish to raise another possibility (although I am shocked to think that they would consider it), that this is a clear case of irresponsible data security with excessive numbers of personal records being duplicated, processed and stored on unsupervised machines.

I think I much prefer my scenario; one where Gerald (I think it should be a Gerald) works tirelessly to serve Britain's finest armed only with a hot laptop, a cup of Mellow Blend and a chocolate HobNob.

So let's not berate Gerald, let's pray that the Civil Service (especially that magnificent edifice the Home Office) is staffed solely by Geralds!

There may be 

Posted Monday 21st January 2008 02:37 GMT

Flame

method to all this madness. What it may be, who knows, but seriously, all that data over the years so easily "lost" "misplaced" "stolen" from an entity whose security is supposedly equal to none?

But the government is infallible... 

Posted Monday 21st January 2008 02:49 GMT

Pirate

But the government don't lie or keep secrets. The word incompetent doesn't apply to them.

It seems to me if they want everyone to have ID cards the least they can do is learn to protect such data first. I'm not just referring to the gov, every organisation should prove they can before we uniformly hand over our privacy.

If it was secure, I might not have such an issue with ID cards as long as there isn't some kind of law about having it on you and getting it checked everywhere. I think a smart card built into it that I can assign services like driver's license, health care, bank cards and show credit and so forth all into the one card. I hate carrying so many cards and such all of. I guess the current advantage is that each having its own security. But that would have to be secure. I'm not happy that my existing info in my wallet is very secure. Frankly right now I don't trust any organisation, including gov, with anything. Too many have their own interests that are not entirely for my benefit.

Actually I might just go burn the contents of my wallet. Hmm maybe I should burn the wallet too since it might have the impression of my bank cards in the leather.

Happy timing 

Posted Monday 21st January 2008 02:59 GMT

The government has been very lucky. Ten years ago the IRA would have paid a small fortune for the home addresses of certain serving army personnel.

applied not joined 

Posted Monday 21st January 2008 05:00 GMT

Alien

'applied' that and the fact the details were on a laptop; it makes you wonder what the fu*k is going on.

If you saw this happening on a TV series or movie would you believe it ?!

The UK 'X' files :

The Truth (and bank account details) Is Out There;

Trust No One (with your details) ;

I Want to Believe (no one's this thick)

NO2ID 

Posted Monday 21st January 2008 05:37 GMT

Black Helicopters

Imagine the government running an ID card system!!

disk encryption, anybody? 

Posted Monday 21st January 2008 07:01 GMT

Linux

Last time I installed an operating system on a laptop (about a month ago, perhaps a little longer) I was offered the option of full disk encryption. I entered a fairly long and non-obvious password and now I know that if my laptop is ever stolen, the trivial and worthless crap on MY laptop will be completely unrecoverable.

How about doing this to laptops with important information on them?

Testing our complacency 

Posted Monday 21st January 2008 07:20 GMT

Coat

Maybe all this data loss is just another way of demonstrating our complacency, that we will put up with just about anything and that they have us just where they want us. Why? Who knows. Maybe to show the overlords that the time is right for colonization? What family jewels we haven't sold, we seem to be giving away for free now.

Taxi! Take me to the free world please driver.

What I can't understand 

Posted Monday 21st January 2008 07:28 GMT

Is why on earth they keep copying ALL of the data to portable devices like laptops. I can understand if someone needs to go home and do some work on the information, but surely their IT department should be producing them a slice of the database containing the information they need.

If they want more, at least make them dial into a server connected to the Internet. Sure, you can't make an internet server 100% secure, but it's gotta be safer than these copies on laptops...

Don't you think it's 

Posted Monday 21st January 2008 08:03 GMT

Pirate

about time to require a civil service data security course mandatory for further employment it's not beyond them no one has made it a tarring and branding issue yet it's coming.

Re: Tell 'em what's on it 

Posted Monday 21st January 2008 08:04 GMT

Black Helicopters

To be fair (WHY???) they didn't release any of this info for 10 days so there's a reasonable chance the HD has already been wiped.

I hope.

Not the first time... 

Posted Monday 21st January 2008 08:25 GMT

Back when we were prepping ourselves for the invasion of the Falkland Islands, the MoD lost a laptop then as well.

This one also contained vital information, THE invasion plans! A massive police search went out looking for the guy that nicked it from the backseat of a car.

The police officer who arrived to question the chap who'd had the laptop on the backseat asked;

"Is there anyone we should notify?"

"Yeah... I think the prime minister should know."

It's bound to happen again. 

Posted Monday 21st January 2008 08:39 GMT

As I noted before Christmas, and it did. And it will happen again. I wonder how many of our outraged contributors wander around with data files they shouldn't, leave their laptops where they shouldn't.... The government, private companies, clubs, charities, in fact just about everybody has been loosing people's records for years and years, but it is only in the past few years with the widespread adoption of computing by private individuals that it has become a real issue. Loose a tape with this data on, in the past who can read it, certainly only someone with the right tape drive and O/S. Now virtually everybody uses the same O/S and puts things on DVDs or CDs that can be read by any computer.

It would be nice if some of our more vitriolic contributors actually said constructive things, rather than made stupid comments about the ability of government to protect data. Ultimately it isn't government you have to worry about, it's people. The government already has all the procedures in place needed to protect your data, and they do the vast majority of the people involved do the vast majority of the time. But it just takes a moment's lapse, for the most mundane of reasons, for a mistake to happen. I suspect most of these commentators have never lost any data for any reason, exceeded the speed limit or ever done anything wrong. It's nice to lay blame, to crow about others' misfortunes, but a darn sight harder to put yourself in their place and work to see that it doesn't happen again. The officer involved will never make that mistake again regardless, but others will.

Roundabout stalker alert! 

Posted Monday 21st January 2008 08:55 GMT

"The motorist who found them, however, claims he found similar documents in the same place last November."

How does he do this, just stop in the middle of the roundabout, hazard lights a-blinking, and get out????

Falklands? 

Posted Monday 21st January 2008 09:20 GMT

"Back when we were prepping ourselves for the invasion of the Falkland Islands, the MoD lost a laptop then as well. This one also contained vital information, THE invasion plans!"

Er...I didn't think we were the ones who invaded the Falklands, were we?

And I think anyone using a "laptop" in 1982 would probably have risked injury.

It will happen again? 

Posted Monday 21st January 2008 09:32 GMT

' government already has all the procedures in place needed to protect your data, and they do the vast majority of the people involved do the vast majority of the time'

Then it might be rather nice if they implemented them once in a while. Allowing a junior officer to have access to 60,000 database entries and just dump them to his laptop?

We're not talking human error here. Human error simply exposes the issue. We're talking about systematic and repeated failures in control. Is that the Government's fault? Damned right it is........

Incidentally, has 'I left the laptop in the car overnight' become the modern equivalent of 'the dog ate my homework'?

It would/should have been 

Posted Monday 21st January 2008 09:37 GMT

A very secure laptop with non-trivial passwords for the BIOS, hard-drive and operating system. Lots of numbers...

If not then I expect heads will roll, not just his.

Don't ask me how I know...

Trust the bloody Navy.... 

Posted Monday 21st January 2008 09:45 GMT

Thanks chaps. There was a reason I signed up to the RAF, and not the bloody Navy. There I was stupidly thinking they wouldn't retain any pertinent data 7 years later!

I imagine if the data was encrypted, it would have been announced sharpish. At best, it'll be a password-protected Excel sheet.

I suppose on the plus side, whoever nicked it will get rid of it sharpish. If they got caught, I imagine they could do them on all sorts of lovely charges for handling MOD property and 'data'. (Porn links and trojans from experience)

Data protection racket 

Posted Monday 21st January 2008 10:08 GMT

Now correct me if I'm wrong but doesn't the DPA require that data should not be stored for longer than necessary and also (more importantly) that it should be accurate?

How can many (copied) versions of data that isn't synchronised be kept up to date??

Heads should roll! 

Posted Monday 21st January 2008 10:12 GMT

I fail to see why CDs of data ever need to go in the post. They can't suggest for one second it's more secure than sending it over the net with encryption. I mean heck, we can all download a couple of gigs' worth overnight now so what's the problem? Laptops should NEVER hold a database of sensitive stuff unless essential and then it must be at least a complex 16+ character password and encrypt the entire disk plus BIOS locks. USB memory cards and sticks should be banned from containing any public person's data... period. They must lose hundreds of these things a week and most are FAT32 and open.

Those that need access to data on a large public scale should only do it via a centralized server with a couple of layers of VPN. Then if a lappy goes missing there is nothing on it at all to worry about its just a dumb box.

£5 per entry 

Posted Monday 21st January 2008 10:13 GMT

Well the price of a 'Number plate to Address conversion' is apparently worth £5 a pop according to the DVLA. So think what all these magic details are worth per person!

And they trust all this data to Junior naval officers? It only takes one of them to cash in on that data and it's lost.

Hey, just set up shop, sell the data on people who applied for Navy jobs to any company that wants it. There's always data held by government that commercial companies would like to get their hands on for their own commercial gain, if the DVLA can do it, then why not the Navy?

If car parking companies can make a business out of fining people who park in Tescos and the DVLA makes it an automated system so that it can be very very profitable, then think what new business opportunities can be created by selling their bank, and health data?

You could sell it to insurance companies that want to avoid risk takers (applying for army? Risk taker!).

You could sell it to drug companies that want to test risky drugs. (Where will we find people who take risks? I know Army recruitment has a database for sale).

You could sell it to anti-war groups who want to target soldiers with propaganda.

You could sell it to litigation companies who want to sue for 'Gulf War Syndrome'.

The opportunities are endless! It's double plus Blair goodness!

@disk encryption, anybody? 

Posted Monday 21st January 2008 10:16 GMT

"I entered a fairly long and non-obvious password"

the penguin doesn't work in support obviously.

Apply this to thousands of machines and you need to have some type of system for techies to guess this password (based on serial number or asset tag, lose the sticker for either and you are screwed), which means it's not secure. Techies change jobs and talk too.

If the user enters it, when the machine goes to another user later on when that person leaves, then no-one knows the password. The user forgets the password (long and non obvious), then you are screwed when you have a whining user saying "but I need that data, can't you do anything"

Ok for home users (unless they forget the long and not obvious password), not so good across an enterprise

All that horse-crap they feed the Private Sector... 

Posted Monday 21st January 2008 10:20 GMT

about being secure and making us all bend over backwards just to get some insignificant data. Then they send it in an unencrypted CD, unprotectively marked, and without any security.

It wasn't nicked because the thief probably couldn't be arsed!

@It's bound to happen again. 

Posted Monday 21st January 2008 10:22 GMT

Good points, well made, I agree.

Also, JSP440 (MOD's security framework/policy document) states that disk encryption must be used. Since we don't know otherwise at this stage, I'd bet the disk is encrypted.

@ Bracken Dawson 

Posted Monday 21st January 2008 10:28 GMT

Pirate

No - imagine them running a National Identity Scheme, which is what it officially is.

http://www.ips.gov.uk/identity/scheme-what.asp

We'll tell you who you are!

@ It's bound to happen again 

Posted Monday 21st January 2008 10:29 GMT

Unhappy

If you loose a tape you can use a pencil to wind it up again ...

But seriously, there are things that are top priority in every job, things where you can't afford any slips. Mistakes happen, but that's why you have failsafe and contingency plans.

Why not keep data in... 

Posted Monday 21st January 2008 10:29 GMT

Stop

... a DATABASE!!! Not on laptops, or CDs, or DVDs, etc. This way, the data can be accessed by secure clients, and not by any old johnny breaking into a car. Come on guys - we should be bang up to the jet-age by now.

On a brighter note, the worst that could happen is that someone could pay money into their bank accounts. Oh, hang on....

It's blatantly intentional! 

Posted Monday 21st January 2008 10:47 GMT

Black Helicopters

Can you think of a BETTER way to FORCE the biometric ID card into circulation than having it be the ONLY way to ensure that the copy of your personal information taken AT THAT TIME is correct?!

Yeah, it's black helicopter time, but it's not paranoia if they really are after you. Which they are, whether you like it or not.

By the way, I do realise there's nothing we can do about it now, which is why I'm retraining and moving to Australia. Sod this place.

Gerald is a stupid twat 

Posted Monday 21st January 2008 10:55 GMT

When I was a humble placement student and had a work laptop, I always took it home. Even if I'd already made two trips from car to third-floor flat with heavy shopping in the pouring rain, I always went back for the laptop. Why? Because that was what I was supposed to do, because laptops are expensive and more to the point, it had confidential financial information on our clients on it.

And this isn't just a bit of nose-in-the-air "would never happen to me" oneupmanship, because sailors are supposed to be trained to obey orders without thought or question. "Don't leave your laptop in the car" should be a fairly easy order to comprehend, only slightly more difficult than "Don't jump off the boat into that big blue thing".

If I'd lost that laptop, my employer could easily have lost some of their business and I would hope that I would never be allowed to work in the industry again. I expect Gerald, being a government employee, will get off with a slap on the wrist. What he needs is a good keelhauling.

Encryption isn't the solution 

Posted Monday 21st January 2008 10:59 GMT

Alert

Reading through the comments over the weekend about this theft. A lot of people have been suggesting the use of Encryption. Encryption is a means of slowing down the thieves from accessing the data, but if they want to get to the data then they will know how to, it may take days, but they can get to it.

Anyone looking for a method of securing laptop should look at a method of ensuring the data is removed should the machine fall in the wrong hands. The best tool I have seen for this is backstopp (www.backstopp.com). They also have a white paper suggesting methods on how these stories can be stopped. We found them extremely useful.

Something has to be done to protect our identities and our bank accounts.

@ Warren 

Posted Monday 21st January 2008 11:19 GMT

You're right, completely right. But this is the public sector so would be unlikely to adopt such software without a multi-million pound investigation as to its feasibility.

We are all saying encryption because it is at least a step in the right direction!

This gives me an idea

Posted Monday 21st January 2008 11:26 GMT

If we steal every laptop we see in train stations, left on car seats, on park benches and wherever else fools leave their laptops we will have more data about the UK population than the ONS?

@Spleen 

Posted Monday 21st January 2008 11:38 GMT

"When I was a humble placement student and had a work laptop, I always took it home. Even if I'd already made two trips from car to third-floor flat with heavy shopping in the pouring rain, I always went back for the laptop."

You left your laptop in the car whilst you unpacked the shopping?!?

What you need is a good keelhauling.

God you lot are soo Thick! 

Posted Monday 21st January 2008 11:50 GMT

Joke

The Government has watched this forum and seen the evils of "M$" and how super duper, answer for everything, super-secure, never goes wrong Open Source is.

So therefore, by default, if you share everyone's bank details, Passport numbers, Home Addresses, choice of contraception, etc. etc. then by using the Open Source method, it will be perfectly safe and secure.

@AC 

Posted Monday 21st January 2008 12:10 GMT

Heh, you've got me there. In my defence I probably did take my stuff into the house in the right order at least most of the time, it just has more effect the way I told it originally. In any case, the risk of having a laptop stolen in the 30-second window while someone carries their shopping in is insignificant, since we're talking about the risk of leaving a laptop in the car all night, in the dark, while you're asleep and not about to return to the vehicle.

And to think... 

Posted Monday 21st January 2008 12:35 GMT

Alert

according to government figures (ok these are bound to be rounded down a bit) they "misplace" over 665 laptops per year. Then again there's never any data on them at all *cough*.

local dbs 

Posted Monday 21st January 2008 13:36 GMT

Flame

The problem is that for every big expensive database project there will be a BA working out the list of reports the users want in advance (2-5 years) which will be way off from the requirements when it goes live, so as ever someone has to build an Access db to download huge slices of data and run some useful reports. Thus creating this security risk.

Now if "strategic" development teams would descend from their ivory towers and care more about the end-user than their PowerPoint slides then all this data might not always end up on local HDs.

@Warren 

Posted Monday 21st January 2008 14:32 GMT

Stop

"A lot of people have been suggesting the use of Encryption. Encryption is a means of slowing down the thieves from accessing the data, but if they want to get to the data then they will know how to, it may take days, but they can get to it."

Bullshit. Unless by "days", you mean "many many trillions of trillions of multiples of the lifespan of the entire universe - expressed in days".

Used correctly - by which I mean, a PGPdisk or Truecrypt encrypted volume with a password that can't be guessed from a dictionary attack - encryption is an absolute brick wall. There is NO way to get through it. It's not just a matter of persistence; there isn't even enough energy and matter in the universe to count from zero to 2^128, let alone recover a 128-bit encryption key by trial and error.

If you really think that what you say is possible, please explain *how*. It could make you a very very rich man if it were only true ...

My account getting emptied - if not when 

Posted Monday 21st January 2008 16:05 GMT

Unhappy

I'm in the Armed Forces and have come to the conclusion that it is a matter of when my account gets emptied - not if.

Why? Because I have to tell various members of the Armed Forces:-

a. all of my bank details

b. all of my personal details (Mother's maiden name, wife's maiden name, addresses for the last 7 years, parents' address, wife's addresses, children's names, and birthdays for all of the above, passport number, National Insurance Number, place of birth).

About the only thing they do not know about me is my first Pet's name.

Ripe for a bit of identity theft? I should Coco

And in case we all think that our wonderful armed forces are above a bit of self interest, I once knew an Officer in the Territorial Army who used the names and addresses of his troops to open Bank accounts. He was a Bank Manager who wanted to meet his targets for new customers.

I have set up a separate bank account which only has my Armed Forces pay going into it - and it immediately gets moved to another account that they do not know about. It is my only defence.

Yet more MoD laptops nicked 

Posted Monday 21st January 2008 18:21 GMT

6pm, Monday 21 January

BBC news reports that "...defence secretary Des Browne says a probe into the loss of a laptop with details of 600,000 people has uncovered two similar thefts .... the other two laptops held similar data but on fewer people, he told MPs."

As for the Birmingham incident, Browne told MPs that the Navy recruiting officer failed to follow security procedures.

So it's all down to "Gerald" the hapless underling - ministers and civil servants are not to blame. Our personal data is safe in government hands. I feel *so* reassured and simply can't wait to get my ID card.

Arm chair experts 

Posted Monday 21st January 2008 21:59 GMT

Firstly to those suggesting crypto as a solution – please note that all crypto solutions for HMG have to be approved by CESG. Most HMG departments struggle with the concept of protective markings let alone crypto management. If the rules on storage can’t be followed then why would the password on the crypto lock be secure? In the old days of running password checks on manpower systems the favs were RoyalNavy, Car Reg, Last ship, normally in that order.

This data would have been at best marked RESTRICTED which means it could be double wrapped and sent through the normal post. In the old days of BR4006 (or was it 4005) and the first drafts of JSP440 the hard disk was to be removed from the machine and carried on one’s person. In the early days we lost a lot of chassis which we never cared about. Machines are clearly issued with the written instruction that they have to be suitably secured and the back of the car is not listed as secure.

Finally the Falklands bit is rubbish, plans from PJHQ were very much in draft as the fleet set sail. The landings were only finalised after the practice at Ascension (which was done in bright sunshine). To almost quote Admiral Leach: ‘there was no plan on the shelf for this one, we had to make it up as we went along’.

@ac 

Posted Tuesday 22nd January 2008 03:11 GMT

"I entered a fairly long and non-obvious password"

"the penguin doesn't work in support obviously.

apply this to thousands of machines and you need to have some type of system for techies to guess this password (based on serial number or asset tag, lose the sticker for either and you are screwed), which means it's not secure. Techies change jobs and talk too.

If the user enters it, when the machine goes to another user later on when that person leaves, then no-one knows the password. The user forgets the password (long and non obvious), then you are screwed when you have a whining user saying "but I need that data, can't you do anything"

"

There is such a thing called agent recover. It's a nifty little thing. It allows you to export the admin certificate. Now if you forget the password on an EFS in Windows you can get into it. I used this when I worked at a bank. The key is to limit who has access to the agent recovery.

Reality? 

Posted Tuesday 22nd January 2008 05:15 GMT

This sounds like an opportunity crime and it seems to have been announced a few days after the loss.

I thought the standard procedure after nicking a laptop was to clean it quicksmart so that it wasn't clearly not yours? And even if the thief didn't clean it I'd guess he offloaded it PDQ to someone who did.

I'd also expect MoD to only issue laptops with encryption as standard. However, is there not a 'Recruitment Agency' or something which while it belongs to MoD may be on a longer leash?

Incidentally the Naval Discipline Act ended a year or two back with the introduction of a joint service discipline act. That said I'm of the view that people who leave laptops visible in unattended cars are adverts for introducing penal battalions for mine clearing duties in Afghanistan.

@AC 

Posted Tuesday 22nd January 2008 08:45 GMT

Thumb Down

"There is such a thing called agent recover. It's a nifty little thing. It allows you to export the admin certificate. Now if you forget the password on an EFS in Windows you can get into it. I used this when I worked at a bank. The key is to limit who has access to the agent recovery."

So did I, but this lot are talking of non-EFS encryption, etc, etc, which is easy to talk about, but not so easy to do across an enterprise. Couple that with who has access to agent recovery, a few people only being able to support encryption problems over a country-wide enterprise. People will copy things onto USB keys to make it easy for themselves.

Most banks outsource these days, so a group of underpaid disgruntled temps (sorry, "contractors") have the keys to the castle.

@Nigee 

Posted Tuesday 22nd January 2008 09:00 GMT

'I thought the standard procedure after nicking a laptop was to clean it quicksmart so that it wasn't clearly not yours? And even if the thief didn't clean it I'd guess he offloaded it PDQ to someone who did'

Let's hope that's the case, but with all the recent publicity on the value of data that's being exposed, just some of these thieves are going to start to realise they have something rather more valuable than a bent laptop to sell....

Encryption management 

Posted Tuesday 22nd January 2008 10:50 GMT

If you're handling laptops they should be backed up (centrally) so that the *minimal* data that only exists in accessible form on the laptop is recoverable if access is no longer possible (through loss of the hardware or of the password).

Those 600000 records should have been entered/transferred into a central recruitment/personnel database for sanity's sake.

i wish gov depts... 

Posted Tuesday 22nd January 2008 13:08 GMT

Paris Hilton

...would stop with all this 'me too!'-ism. data loss is like that little dog Paris carries around in her bag; everybody's gotta have one.

It takes too bloody long 

Posted Tuesday 22nd January 2008 13:27 GMT

IT Angle

Like many here, I too have worked in government IT projects. Those who have will know the pain, a minute in the real world IT is equivalent to about 6 weeks in government IT. If they started looking at better encryption now, they might have a project off and running by about 2050 and then it will be run by some third-party contractor and a million miles away from the original project terms of reference!
