The Register® — Biting the hand that feeds IT

Feeds

Government Gateway login details found in pub car park

Transformational security breaches

By John Lettice, 3rd November 2008
  • print
  • alert

What you need to know about cloud backup

Updated Key government services were taken offline over the weekend after the discovery in a pub car park of a pocket storage device containing details of the Government Gateway. The Gateway is intended to provide a central secure login service for a range of government systems, including tax credits and self assessment, so taking it offline paralyses these too, before you can say 'single point of failure'.

The device, which was passed to the Mail on Sunday last week, was lost two weeks ago outside a pub in Cannock, Staffordshire, by an employee of Atos Origin. In 2006 Atos Origin won a £46.7m five-year contract to provide managed IT services for the Government Gateway.

The Department of Work & Pensions claims that the data on the device was encrypted and the security of the Government Gateway had not been breached. However, according to the Mail, Jacques Erasmus, a security expert who examined the device for the paper, said it contained passwords, security software and "source code". Erasmus told the paper: "I could decrypt those passwords to log in to the system and roam around the network. As we can see from the data on the USB stick, the systems contain highly sensitive personal information. If you can crack those encrypted passwords, and it would just be a matter of time, you could potentially access those 12 million accounts and those details."

In a statement Atos Origin said that the removal of the device from its premises was in direct breach of its operating principles, while the DWP said that an "urgent investigation" was under way.

By lunchtime, the Information Commissioner had weighed in, with a statement informing us Richard Thomas "is now awaiting the results of ongoing investigations to establish the facts and the nature and extent of any risk to individuals."

The statement added, "The Information Commissioner expects the Government to take appropriate damage limitation steps as its first priority."

A year after the MHMRC data debacle, this sounds hopeful, at best.

Meanwhile, in an entirely unrelated piece of joined-up data loss, DWP Secretary James Purnell has been spotted shedding confidential documents on a train. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (46)
Latest Comments
Anonymous Coward
Anonymous Coward

@IT's all rubbish

So what if truly encryped systems were available? The government won't / can't pay for them. If you saw the crap they are using now you'd realise that.

There's a comment somewhere asking why it's always outsourcing companies that hit the headlines. It's because the government has outsourced pretty much every IT system there is. There's nobody left in the civil service who's accountable when things go wrong. I guess the government probably likes it that way - blame everyone and take no responsibility. If the government still took ownership of its IT, the same problems would still occur, but it wouldn't be able to point the blame elsewhere.

0
0
mittfh

VPN?

Surely allowing them to take sensitive data out of the office in the first place is asking for trouble.

Haven't they heard of VPNs? You know, things like Citrix which allow users to access the corporate network from their home PC. And access the data remotely, over a secure connection...

Oh, of course, they'll be running Vista on their home PCs, which is incompatible with most VPN software...

The problem with taking data out of the office, even if it encrypted, is that the weak link will inevitably be the password. Too many people do not understand the concept of choosing a password that will simultaneously be easy for them to remember but difficult for others to guess. Having worked previously as a school sysadmin I've seen names, dates of birth, postcodes, telephone numbers, favourite football teams - none of which are mangled in any way whatsoever. And that's just the staff - who are likely to have sensitive data in their user areas! Once you get onto the pupils, you're likely to have "qwerty" or "abcdefg" as passwords - and one school, which didn't enforce minimum password length, had a sixth former whose password was 'a'. Unsurprisingly, his classmates frequently dipped into his account...

And of course if you enforce a password that's difficult for them to remember, chances are they'll have it written down somewhere...

0
0
Anonymous Coward

Are you sure

that it wasn't a privately owned drive, no one reported the drive missing & it was found in a pub car park complete with encryption keys, it sounds to me like someone was moonlighting as a tracer for a Debt Collection Agency rather than a genuine loss. And if the keys were there how would they know if the drive had been accessed?

Still I'm a cynic when it comes to thing like this.

0
0

More from The Register

SCO vs. IBM battle resumes over ownership of Unix
Zombie lawsuit back and wants to suck the brains out of Linux
116
breaking news
Jailed LulzSec hacker Cleary coughs to child porn images, will be freed soon
Some images of infants as young as six months
68
NSA whistleblower to tech firms, Obama: 'Grow a pair!'
Ed Snowden: Email tracking grabs 'IPs, raw data, content, headers, attachments, everything'
66
breaking news
Ecuador: All right, Julian, you CAN stay on our sofa - it's your human right
Minister and Wikileaker share cosy chat in tiny London flat
65
Google flings another £1m at online child sex abuse vid CRACKDOWN
See, see, we're trying, ad giant tells Daily Mail UK.gov
41
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Not just telcos, THOUSANDS of companies share data with US spies
It's all perfectly legal, trust us
68
NSA: We COULD track you by your phone ... if we WANTED to
Honestly, too much work, can't be bothered
53