The Register ®
Comments on ‘MoD coughs to laptop triple whammy’

'We lost three unencrypted laptops, not one'

Published Tuesday 22nd January 2008 10:33 GMT


Encryption is not the real issue... 

By Stu Reeves
Posted Tuesday 22nd January 2008 10:55 GMT
Thumb Down

If the information wasn't on the laptop in the first place, encryption is not needed. First they should find out how & why the information got there.

Because they can 

By Gav
Posted Tuesday 22nd January 2008 10:57 GMT
Boffin

This is just another reason why the idea of a central UK ID database is a bad idea. People put vast wads of data, unencrypted, onto their laptops because they can. Technology makes it easy, and it makes their work easier to have the data to hand. It doesn't matter what regulations the organisation has in place, and people aren't being malicious or even lazy, they do it because they can.

Now consider how data storage is progressing. It is not inconceivable that in 10 years time somebody at UK_ID central is going to download the entire ID database onto their mobile phone. Because it's convenient for them, and because they can.

Now, if this is almost inevitable and easy for someone who is simply wanting to make their work easier, what's going to stop someone who actually has more devious plans in mind for the data (and by that I don't just mean criminals)?

Why are they stuffed full of data in the first place? 

By Tim Spence
Posted Tuesday 22nd January 2008 10:57 GMT
Alert

What I want to know is how and why all these laptops in all these losses are always stuffed full of thousands or even millions of customer/staff/whatever records.

I can't imagine a scenario where it would ever be necessary to have all that information immediately to hand, remotely, on a laptop, on the back seat of a car. Surely that type and amount of data is the sort of thing that would only be kept secure in a centrally held CRM system - unless they loaded it up when in the office, hit select-all, and copied it all to a text file so they can work from bed or the pub. Either that or their CRM system does actually consist of an Excel spreadsheet that they email round to everyone when someone makes a change.

I'm fairly senior in my organisation, but if I lost my work laptop, all the little pikeys would have is a bunch of training manuals, timesheets, and expense reports. I don't need customer information stored on here, and certainly not every customer/prospect/supplier/cleaner that we've ever spoken to in the history of the business.

This is ludicrous... 

By Anonymous Coward
Posted Tuesday 22nd January 2008 10:59 GMT
Stop

Can someone comment on if we can bring the equivalent of Class Action status lawsuits against HMRC, MoD, the DVLA, and the inspectors who EPIC FAIL at their job for not spotting this?

I'm serious. Someone find out. We need to stop this.

Laptops? 

By Anonymous Coward
Posted Tuesday 22nd January 2008 11:01 GMT

Why is this data on a laptop in the first place?

Scales of Measure 

By Ian Bonham
Posted Tuesday 22nd January 2008 11:05 GMT
Paris Hilton

Ok, I think it's time for El Reg to update its "scales of measure".

We've got weights and spaces, and so on, but we need a new measure of "leakage" I think. Is a Burrell more porous than an MoD? Is a DWP more leaky than a clean install of a Vista?

We need answers Reg, and we need them now!

(Hilton icon because I need things making really simple!)

"Lost" or "Stolen" 

By Maurice Shakeshaft
Posted Tuesday 22nd January 2008 11:08 GMT

"Lost" is nicer as it implies it might soon be found with minimum damage or inconvenience. "Stolen" should be used as it implies it's gone forever at the hands of criminal ne'er-do-wells with associated prejudicial consequences. (eg I've lost my socks, someone has stolen my Ferrari). If the data is valuable the effort to crack any encryption will be commensurate - wooops!

I anticipate some squaddies may well be wanting to tax their brother/sister soldiers on their deficiency in the security measures taken in this matter.

If it weren't so sad it might be laughable. What is the UK equivalent of a Siberian posting? There is an applicable quote from Oscar Wilde but I can't remember it 'cos I've longterm misplaced my marbles.

Swine Air 

By James Pickett
Posted Tuesday 22nd January 2008 11:10 GMT
Paris Hilton

And no doubt the Home Office are still insisting that our ID data will be safe with them...

(Paris because Jacqui Smith seems about as bright...)

We asked the MOD what this super, if under-used, form of encryption was. 

By Ian
Posted Tuesday 22nd January 2008 11:13 GMT

Historically it was Kilgetty. http://www.cesg.gov.uk/site/caps/Kilgetty/index.cfm.

eBay 

By Mike Richards
Posted Tuesday 22nd January 2008 11:18 GMT

Anyone reckon there's plenty of bidding for COMPAQ Evo N600c laptops round about now?

it's not just the junior officer's fault... 

By Martin
Posted Tuesday 22nd January 2008 11:26 GMT

Yes, he should have the book thrown at him. It's not as if the fiasco about the missing CDs didn't make the news. He can hardly say he didn't know.

BUT the person who runs the systems should also be shot. It should not be possible to download the stuff onto a laptop in the first place.

Even I have whole disk encryption 

By Peter
Posted Tuesday 22nd January 2008 11:30 GMT

I tend to keep very little data on my laptop, but sometimes I have to travel far and then need to lug it all with me. I've had full disk encryption on my laptop for years, and even when using Linux the /home partition is an encrypted mount.

It's all very cheap as well so there is no excuse IMHO. Encrypt by default, but put strong data management procedures in place too. I'm waiting for some idiot to suggest DRM - it almost seems a strategy to drive the Gov that way. Have you noticed just how many stories have emerged?

[sarcasm]

Is someone trying to boost Vista sales?

[/sarcasm]

@Tim Spence -- The Laptop That Never Was 

By John Sturdy
Posted Tuesday 22nd January 2008 11:34 GMT

I suspect that sometimes these are like "the man that never was" (a corpse made to look like a drowned naval courier, with planted false invasion plans, in WWII) -- a way of leaking misinformation to certain parties. They'd have to be well-packed with other information, to stop it being too obvious.

Type of encryption. 

By Steve
Posted Tuesday 22nd January 2008 11:47 GMT

This loss could have been avoided with the use of LDB&M encryption.

Locked Door, Bricks & Mortar would have stopped it being nicked in the first place - what kind of cretin leaves a laptop in a car?

"lawsuits against HMRC" 

By Mark
Posted Tuesday 22nd January 2008 11:57 GMT
Paris Hilton

Yeah, there's no LEGAL way of getting redress from your government.

Your only routes are

a) voting them out (doesn't work for civil servants and unappointed quangos etc)

b) insurrection. revolt.

Try to sue a lawyer, though.

Will. Not. Happen.

@John Sturdy - planting information 

By Peter
Posted Tuesday 22nd January 2008 12:01 GMT

Well, at least they can use the details of 25 million citizens to make it look authentic - they're out there already anyway, so might as well brick their market value somewhat..

Because they can't. 

By TeeCee
Posted Tuesday 22nd January 2008 12:06 GMT
Unhappy

Presumably, if there *were* an all-singing, all-dancing central database, you wouldn't be able to get it onto a laptop. There are far better arguments against than that.

I'm more worried about the new spirit of openness from Government agencies here. Rather than coughing under duress to losing something last year, they're now issuing press releases pointing out that they lost important data yesterday (i.e. *before* it's had its hard disk wiped and been flogged down the pub) and giving away enough detail to ensure that whoever's got it knows they have.

Whoever's nicked it must really appreciate this.

Losing it is stupid. Telling the thief that his latest acquisition is stuffed with highly valuable data while this piece of information is still of great interest is sheer f***ing lunacy.

Rules are there - blame the squidy bits 

By Anonymous Coward
Posted Tuesday 22nd January 2008 12:42 GMT

By the look of the laptop it was probably supplied before it was mandatory for laptop HDs to be encrypted (assuming it's even an MOD supplied laptop).

The encryption used for restricted info and above is robust so it's a fair comment re the military grade encryption statement (look at the likes of becrypt).

Whatever way, the technical rules here were fine - depending on how the material was classified it should never have been on the machine at all (thin client) or encrypted. This isn't a fault of us techies, but the management!

But what will actually happen...

Information Commissioner 

By MikeWW
Posted Tuesday 22nd January 2008 12:51 GMT

Why tell him, so he can tell them they've been naughty and not allow them to use their Playstation for a week?

Until Richard Thomas and his department hand out some meaningful fines vital data will continue to be posted on CDs, stored on laptops given to morons and dumped on roundabouts.

it WAS Kilgetty... 

By Dave
Posted Tuesday 22nd January 2008 12:54 GMT
Boffin

but Kilgetty was ported only to MT4 (no personal experience, but I gather it was a bit of a clunky b****rd to use)

Our MinDef wasn't quite accurate when he stated that MoD use something better than that available to us mere mortals. Currently the full-disk encryption for laptops processing up to RESTRICTED (pertinent level of Protective Marking in this instance) approved by CESG is AES@128-bit.

AES@256-bit is approved for downgrading SECRET to be treated as if it were RESTRICTED.

For higher levels of Protective Marking and for purposes other than full disk encryption CESG approved algorithms tend not to be public domain. In the lack of any evidence to the contrary, I will not provide any opinion about acceptability of security-by-obscurity.

Lets have some sackings 

By andy gibson
Posted Tuesday 22nd January 2008 13:05 GMT

Sack the junior officer for leaving the laptop in the car. No excuses. He wouldn't leave his wallet on the passenger seat would he?

And sack the IT staff responsible for allocating laptops if they failed to notify the user about leaving equipment in a car. Definitely sack them if they're allowing confidential data to be taken and moved onto a laptop in this slipshod manner.

Resign! 

By Anonymous Coward
Posted Tuesday 22nd January 2008 13:21 GMT
Thumb Down

Obviously Des 'two jobs' Browne is in over his head, so off with it! (His head that is...)

@Mark 

By Anonymous Coward
Posted Tuesday 22nd January 2008 13:49 GMT
Paris Hilton

"Vote them out" - and watch them be replaced with another set of corporate whores, hell bent on recreating 1984 with astonishing accuracy? Not likely.

"Insurrection. Revolt." - It's not really something one does by one's self. Plus, the nation is so blase right now regarding personal privacy vs. (in)Security thanks to Terr'rism in High Definition that it would get no momentum.

This government and the corporations it protects so diligently are the hand pushing down on the head of the water-treading UK population. They'll either paddle until their legs give in and fall listlessly into slumber, or they'll grab that hand and drag them down with them.

Jeebus, I sound like a conspiracy nut. Maybe they had a point all along...

To lose one laptop is unfortunate... 

By Oliver Jones
Posted Tuesday 22nd January 2008 15:01 GMT
Dead Vulture

...to lose three looks like carelessness. :)

Apologies to Oscar Wilde.

Oliver.

Because they can't 

By Darkside
Posted Tuesday 22nd January 2008 15:23 GMT
Dead Vulture

"People put vast wads of data, unencrypted, onto their laptops because they can."

I think they put vast wads of data irrelevant to their immediate purpose on laptops because it's easier than extracting just the data they need.

I wish I could just give Home Insulation Grants every detail of 1.3 million people instead of trying to pick out the ones who are over 70 and haven't got social landlords and still live here and aren't in care homes or prison or dead or duplicate records...
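
A worked illustration of Darkside's point (hand over only the records and columns the job needs, rather than every detail of 1.3 million people), added here as an example and not part of the thread or of any real system. The table layout, the flag columns and the nine sample records are constructed; the eligibility rules (aged 70 or over on a reference date, not a social-landlord tenant, still in the area, not in a care home or prison, not deceased, duplicates collapsed) are assumptions taken from the comment's wording, and "in the area" is approximated by a postcode prefix.

```python
import sqlite3
from datetime import date

# Constructed sample records (hypothetical, not real people). The flags mirror
# the exclusions listed in the comment: tenure, institution, death, duplicates.
# (id, name, dob, postcode, tenure, in_care_home, in_prison, deceased)
SAMPLE_ROWS = [
    (1, "A. Smith", "1931-04-02", "LS1 1AA", "owner",   0, 0, 0),  # eligible
    (2, "A. Smith", "1931-04-02", "LS1 1AA", "owner",   0, 0, 0),  # duplicate of 1
    (3, "B. Jones", "1935-11-20", "LS2 2BB", "social",  0, 0, 0),  # social landlord
    (4, "C. Brown", "1960-01-15", "LS3 3CC", "owner",   0, 0, 0),  # under 70
    (5, "D. Green", "1929-07-07", "LS4 4DD", "private", 1, 0, 0),  # care home
    (6, "E. White", "1933-02-28", "LS5 5EE", "owner",   0, 1, 0),  # prison
    (7, "F. Black", "1930-09-09", "LS6 6FF", "owner",   0, 0, 1),  # deceased
    (8, "G. Grey",  "1936-12-31", "M1 1GG",  "owner",   0, 0, 0),  # moved away
    (9, "H. Hill",  "1937-05-05", "LS7 7HH", "private", 0, 0, 0),  # eligible
]


def load_sample():
    """Build an in-memory table holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, dob TEXT, "
        "postcode TEXT, tenure TEXT, in_care_home INTEGER, in_prison INTEGER, "
        "deceased INTEGER)"
    )
    conn.executemany("INSERT INTO citizens VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def _seventy_years_before(d):
    """Latest date of birth that makes someone 70 or over on day d.
    Handles a 29 February reference date whose target year is not leap."""
    try:
        return d.replace(year=d.year - 70)
    except ValueError:
        return d.replace(year=d.year - 70, day=28)


def full_dump(conn):
    """What the 'select all, copy to a text file' approach hands over."""
    return conn.execute("SELECT * FROM citizens").fetchall()


def minimal_extract(conn, reference_date, area_prefix="LS"):
    """Only the rows that meet the scheme's criteria, only the columns the
    recipient needs (id, name, postcode), duplicates collapsed to the
    lowest id. ISO-8601 date strings compare correctly as text in SQLite."""
    cutoff = _seventy_years_before(reference_date).isoformat()
    sql = """
        SELECT MIN(id) AS id, name, postcode
        FROM citizens
        WHERE dob <= ?
          AND tenure != 'social'
          AND postcode LIKE ?
          AND in_care_home = 0
          AND in_prison = 0
          AND deceased = 0
        GROUP BY name, dob, postcode
        ORDER BY id
    """
    return conn.execute(sql, (cutoff, area_prefix + "%")).fetchall()


if __name__ == "__main__":
    db = load_sample()
    everything = full_dump(db)
    needed = minimal_extract(db, date(2008, 1, 22))
    print(f"full dump: {len(everything)} rows x {len(everything[0])} columns")
    print(f"minimal extract: {len(needed)} rows x {len(needed[0])} columns")
    for row in needed:
        print(row)
```

The point of the exercise is the ratio: the filtered query is a handful of lines, and what ends up on the laptop is two rows of three columns instead of the whole table. If the exclusion flags live in other systems, the same shape works with joins; what should not change is that the extract, not the source table, is what travels.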

Full-disk encryption all fine and well but... 

By Anonymous Coward
Posted Tuesday 22nd January 2008 16:28 GMT
Pirate

the large and difficult to remember passwords (of which you tend to require at least three different ones to log in) tend to be stuck on to the laptop itself as nobody can remember them.

Go into any MOD office and look under the mousemats to see how secure the IT network is...

3 levels of password protection 

By Terry Bernstein
Posted Tuesday 22nd January 2008 21:33 GMT
Happy

Low Level - can be guessed

Mid level - requires some processing power

High level - a Post-it on the top of the screen

RE: voting them out.. 

By Anonymous Coward
Posted Tuesday 22nd January 2008 22:51 GMT
IT Angle

It won't really do anything (voting them out) as civil servants are appointed whereas politicians are elected.

It is an age old <cough! cough> in which those doing the things are hidden under politicians cloaks?

I take issue with this 

By Anonymous Coward
Posted Wednesday 23rd January 2008 01:29 GMT
Happy

"the implementation of the encryption mechanism within these specific products has been assessed such that its strength is considered suitable for the protection of MoD data"

The 3 laptops I bought off ebay last week clearly show this isn't the case..

What about 'after the event' security? 

By Dave Brooker
Posted Wednesday 23rd January 2008 10:10 GMT

If all organisations used a 'morning after' tool they wouldn't need to worry about encryption. Once a laptop is reported lost or stolen it can be located through the mobile phone network and the data deleted before the machine has even completed the boot sequence.

The thief has a blank laptop but so what, the owner has a report that states categorically that all the data was deleted, where and when. It can even triangulate and locate the laptop so if the police were interested they could pinpoint it on a map.

This could change the world

Raging incompetence rulez ok. 

By Rod
Posted Wednesday 23rd January 2008 12:27 GMT
Happy

Simple solution here for the Govt in general. All data relating to, or from, the citizenry needs to be classified data. Stick a "Confidential" classification on it and it won't get lost. Don't bother with "Restricted" - that's controlled slightly less than illicit photocopies of the Times crossword.

Yes, this will drive costs up, but not as much as widespread identity theft? The only downside is that the news hacks will have to look a little further for stories about Govt incompetence (but not **that** far eh?)

@Identity Theft 

By Anonymous Coward
Posted Wednesday 23rd January 2008 14:43 GMT
Stop

Although I'm outraged at the lack of security these organisations seem to have, the real issue is not how easy it is for criminals to get hold of personal information, but how easily they can use it to obtain money, goods and services!

Banks, as the main gateway to your money, need to have better procedures to prevent misuse of personal data for financial fraud. After all, much of your "personal" data is public domain anyway, it gets handed to individuals and organisations all the time: hire a car and book a flight and you will be asked for your passport number, driving licence number and credit card details. We hand these details over on a regular basis.

Most 'personal' data is really just a User ID; it's the rest of the security mechanism (the password, certificate etc.) that needs to be protected.

Jeremy Clarkson's recent "experiment" highlighted this very problem.

Just follow precedent 

By Anonymous Coward
Posted Wednesday 23rd January 2008 17:06 GMT

"The Royal Navy ... is considering what action to take against the junior officer."

Well clearly they should court-martial him and give him a slap on the wrist, followed by a promotion and a transfer to Naval intelligence as liaison officer to the foreign agency that wanted the data. If it works out well, later on they could make him First Sea Lord.

Does nothing change? 

By Anonymous Coward
Posted Wednesday 23rd January 2008 20:38 GMT
IT Angle

Years ago, there was a break-in at one of my former employer's sites. We were told the next day, "[n] laptops were stolen. But don't worry, they were all new laptops, waiting to be issued to employees."

Cutting out the bulk of the story, there were five managers whose laptops were stolen. Only one of the five managers had any significant unencrypted data on his system. (Unfortunately, one of the unencrypted data items was a passwords list, which included passwords for a few encrypted files on a second manager's laptop.) The manager was not specifically penalized for his lack of data security.

@it WAS Kilgetty... 

By Anonymous Coward
Posted Thursday 24th January 2008 17:49 GMT
Black Helicopters

...and now it's Flagstone. Except if you're a plank, and you haven't turned your data-stuffed laptop in in order to have Flagstone fitted.

Umm. Think this one should be Anon...
