The BBC has a nice timeline of events in a page - Lost CD's - Sequence of events and also a write up of the events in a story Brown apologises for records loss".
I personally am angry as my children get child benefit along with almost all other children in the UK, now my details that i entrusted to the government are floating around an office, post office or who knows where waiting for someone to get at them.
The timeline above is amazing. It states that the first set of two disks with password protected records - (what is used? - MS Excel Password, Winzip, what?) went missing and when they package failed to arrive they sent a second one. This is in addition to the record that a juior official (doesnt say if its the same one?) sent a full copy of HMRC child benefit data to the NAO, it goes on to say that that data is returned. Does this mean the CD's were posted back? - if so how do we know that the data was wiped from everywhere it was written to at the NAO?
To download all of this data once and write it to CD's is bad, but to do it again and again is crazy. How does a junior official get access to a system to download all the personal details and to then write them to CD in the fisrt place?
The moral of this story? - database security is complex, its complicated to design, implement, to harden existing systems and more but the data has no security at all if you take it from the databases and away from the RBAC, the audit trails, the procedures and write it to CD or disc or any other medium. it bypasses the security completely.
I have to ask another question. If this action had not gone wrong and the CD's had arrived, presumably someone in the NAO, loaded the data onto other systems, who controls the CD's, where would they be kept, would they be destroyed, what about the data on the NAO analysts machines, how is that protected - MS Excel password?, how long is it kept, how is it destroyed?
There are so many questions, this is why database security is so important, our personal details, NINO, bank accounts, names, childrens names and more? should be held in secure databases and audited, protected with strong RBAC, accessed by authenticated and authorised users only and much more, my data and that of every other parent in the UK should not be taken from the secure database and applications and sent to anyone on a CD. There is no security whatsoever on a CD that is password protected.
As i said - Gob-smacked!!!
There has been 4 Comments posted on this article