Government Gateway login details found in pub car park
Transformational security breaches
Updated: Key government services were taken offline over the weekend after the discovery in a pub car park of a pocket storage device containing details of the Government Gateway. The Gateway is intended to provide a central secure login service for a range of government systems, including tax credits and self assessment, so taking it offline paralyses these too, before you can say 'single point of failure'.
The device, which was passed to the Mail on Sunday last week, was lost two weeks ago outside a pub in Cannock, Staffordshire, by an employee of Atos Origin. In 2006 Atos Origin won a £46.7m five-year contract to provide managed IT services for the Government Gateway.
The Department of Work & Pensions claims that the data on the device was encrypted and the security of the Government Gateway had not been breached. However, according to the Mail, Jacques Erasmus, a security expert who examined the device for the paper, said it contained passwords, security software and "source code". Erasmus told the paper: "I could decrypt those passwords to log in to the system and roam around the network. As we can see from the data on the USB stick, the systems contain highly sensitive personal information. If you can crack those encrypted passwords, and it would just be a matter of time, you could potentially access those 12 million accounts and those details."
In a statement Atos Origin said that the removal of the device from its premises was in direct breach of its operating principles, while the DWP said that an "urgent investigation" was under way.
By lunchtime, the Information Commissioner had weighed in, with a statement informing us Richard Thomas "is now awaiting the results of ongoing investigations to establish the facts and the nature and extent of any risk to individuals."
The statement added, "The Information Commissioner expects the Government to take appropriate damage limitation steps as its first priority."
A year after the HMRC data debacle, this sounds hopeful, at best.
Meanwhile, in an entirely unrelated piece of joined-up data loss, DWP Secretary James Purnell has been spotted shedding confidential documents on a train. ®
@IT's all rubbish
So what if truly encrypted systems were available? The government won't / can't pay for them. If you saw the crap they are using now you'd realise that.
There's a comment somewhere asking why it's always outsourcing companies that hit the headlines. It's because the government has outsourced pretty much every IT system there is. There's nobody left in the civil service who's accountable when things go wrong. I guess the government probably likes it that way - blame everyone and take no responsibility. If the government still took ownership of its IT, the same problems would still occur, but it wouldn't be able to point the blame elsewhere.
Surely allowing them to take sensitive data out of the office in the first place is asking for trouble.
Haven't they heard of VPNs? You know, things like Citrix which allow users to access the corporate network from their home PC. And access the data remotely, over a secure connection...
Oh, of course, they'll be running Vista on their home PCs, which is incompatible with most VPN software...
The problem with taking data out of the office, even if it is encrypted, is that the weak link will inevitably be the password. Too many people do not understand the concept of choosing a password that will simultaneously be easy for them to remember but difficult for others to guess. Having worked previously as a school sysadmin I've seen names, dates of birth, postcodes, telephone numbers, favourite football teams - none of which are mangled in any way whatsoever. And that's just the staff - who are likely to have sensitive data in their user areas! Once you get onto the pupils, you're likely to have "qwerty" or "abcdefg" as passwords - and one school, which didn't enforce minimum password length, had a sixth former whose password was 'a'. Unsurprisingly, his classmates frequently dipped into his account...
And of course if you enforce a password that's difficult for them to remember, chances are they'll have it written down somewhere...
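The comment above lists the kinds of passwords a sysadmin ends up rejecting by hand: too short, keyboard runs like "qwerty", and personal details (name, date of birth, postcode, phone number, football team) used verbatim. The following is an added example, not code from the article or the commenter, of a policy check that turns those observations into automated rules. The `UserProfile`, the tiny `COMMON_PASSWORDS` set and the sample user are all constructed for the demonstration; a real deployment would load a full breached-password list and take the profile from the directory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a breached/common-password list (a real one has millions of entries).
COMMON_PASSWORDS = {"password", "qwerty", "abcdefg", "123456", "letmein", "welcome"}

# Keyboard rows and ordered sequences used to spot runs such as "qwer", "abcd", "1234".
KEYBOARD_ROWS = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "abcdefghijklmnopqrstuvwxyz", "0123456789",
]


@dataclass
class UserProfile:
    """Personal details an attacker could guess; values here are constructed sample data."""
    name: str
    date_of_birth: str  # ISO format, e.g. "1990-07-15"
    postcode: str
    phone: str
    favourite_team: str = ""


def has_sequence(password: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters form a forward or reverse keyboard/alphabet run."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk[::-1] in row:
                return True
    return False


def personal_tokens(profile: UserProfile) -> List[str]:
    """Normalised fragments of the profile that must not appear inside the password."""
    tokens = set()
    for part in profile.name.lower().split():
        if len(part) >= 3:
            tokens.add(part)
    year, month, day = profile.date_of_birth.split("-")
    tokens.update({year, day + month + year, day + month + year[2:]})
    tokens.add(profile.postcode.lower().replace(" ", ""))
    tokens.add(re.sub(r"\D", "", profile.phone))
    if profile.favourite_team:
        tokens.add(profile.favourite_team.lower().replace(" ", ""))
    return sorted(t for t in tokens if len(t) >= 4)


def personal_info_hits(password: str, profile: UserProfile) -> List[str]:
    """Which personal tokens occur (case-insensitively, ignoring spaces) in the password."""
    normalised = password.lower().replace(" ", "")
    return [t for t in personal_tokens(profile) if t in normalised]


def check_password(password: str, profile: Optional[UserProfile] = None,
                   min_length: int = 12) -> List[str]:
    """Return a list of policy-failure codes; an empty list means the password passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    if has_sequence(password):
        reasons.append("sequence")
    if len(set(password)) < 4:
        reasons.append("repetitive")
    if profile is not None and personal_info_hits(password, profile):
        reasons.append("personal_info")
    return reasons


if __name__ == "__main__":
    # Constructed sample user; no real person's details.
    user = UserProfile(name="John Smith", date_of_birth="1990-07-15",
                       postcode="AB12 3CD", phone="01234 567890", favourite_team="Arsenal")
    for candidate in ["a", "qwerty", "Arsenal1990!", "correct horse battery staple"]:
        print(f"{candidate!r:34} -> {check_password(candidate, user) or 'OK'}")
```

Each rule maps to one failure pattern from the comment: length and the single-letter password, the common-password list and keyboard runs for "qwerty"/"abcdefg", and the profile check for names, birthdays, postcodes, phone numbers and football teams. Returning codes rather than a bare boolean lets the enrolment form tell the user which rule they tripped, which is what makes people stop reaching for the team name.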
Are you sure
that it wasn't a privately owned drive? No one reported the drive missing, and it was found in a pub car park complete with encryption keys; it sounds to me like someone was moonlighting as a tracer for a Debt Collection Agency rather than a genuine loss. And if the keys were there, how would they know if the drive had been accessed?
Still, I'm a cynic when it comes to things like this.