The scale of yesterday's admission by the Government of a catastrophic failure of basic security procedures is, as you'd expect, the talk of the papers this morning. The Government's defensive line on the incident, however, does not stand up to any serious scrutiny.
1: The disc was password protected but the data was not encrypted - this is sheer bloody insanity. How was the disc password protected for a start? Are we talking about a password protected zip file? Crackable in seconds, and you can bet the password is a dictionary word too. If it's not a zip file then what operating system dependencies does the protection have? If the disc is inserted into a machine running Linux or OSX then what happens?
2: It was a 'junior official' that did it - what is a junior official doing with read access to that data? How did they get the data? Did they extract it themselves? If so, what does this say about the system's internal policy procedures when someone who should not have done this had access to production data? Who else, and how many more junior officials, have this level of access to this sort of data across Government? Why do they have CD burners available to them? Remember that the Government has a vision to share our data across the whole of Whitehall.
3: The second disc was sent by registered post and arrived - whether it arrived or not is irrelevant, as is using registered post. Once the data leaves your hands and passes to a third party it is an unknown quantity. The trust relationship should be explicitly known throughout the transfer. In other words, you use an encrypted tunnel and transfer electronically. This reduces the risk to the security condition of the two systems talking to each other, which is far more manageable than handing it to a bloody courier who could copy the disc en route.
4: It is not believed the data is in the wrong hands - it doesn't matter what you believe. The minute you lose data and the possibility of compromise is known, you assume that the worst possible scenario is the case. Period. You can hope, of course, but trying to reassure people that your hope is a certainty is politicking at best and dishonest at worst.
5: There will be a thorough review of what happened - this is the second time in a month that HMRC have been found to be transferring secure data by stupidly insecure means. This does not look like an isolated incident; it looks like standard bloody practice. A review may bring this to light, but should it do so, how many more security breaches of this kind have occurred that we do not know about? Security by obscurity is not a sound model for anyone, especially Government.
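Point 1 turns on the difference between a disc that is merely "password protected" and one that is actually encrypted. The following is an added example, not code from the original post: a stdlib-only Python audit that reads only the headers of a ZIP archive and classifies each member as plaintext, legacy ZipCrypto (the scheme most "password protected zip" files use, which offers no real confidentiality) or WinZip-style AES. The fixture archive is hand-assembled and constructed purely for illustration; the payload bytes inside it are dummies and nothing is really encrypted, and the AES extra field a real archive would carry is omitted.

```python
import io
import struct
import zipfile
import zlib

AES_METHOD = 99          # WinZip AE-x: method 99 means real AES encryption
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: member is encrypted
STRENGTH = ["plaintext", "zipcrypto", "aes"]  # weakest to strongest


def classify_entry(info: zipfile.ZipInfo) -> str:
    """'plaintext' (no protection), 'zipcrypto' (legacy, not confidential) or 'aes'."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "plaintext"
    return "aes" if info.compress_type == AES_METHOD else "zipcrypto"


def classify_archive(data: bytes) -> dict:
    """Map every member name to its protection class, reading headers only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}


def weakest_protection(data: bytes) -> str:
    """The least-protected member decides how the whole disc must be treated."""
    return min(classify_archive(data).values(), key=STRENGTH.index)


def build_fixture(entries) -> bytes:
    """Hand-assemble a minimal ZIP whose headers carry the given flag/method
    values. Constructed test data: stored payloads, no real encryption."""
    local, central = bytearray(), bytearray()
    for name, payload, flags, method in entries:
        n, crc, size, off = name.encode("ascii"), zlib.crc32(payload), len(payload), len(local)
        local += struct.pack("<I2B4HI2I2H", 0x04034B50, 20, 0, flags, method, 0, 0x21,
                             crc, size, size, len(n), 0) + n + payload
        central += struct.pack("<I4B4HI2I5H2I", 0x02014B50, 20, 3, 20, 0, flags, method,
                               0, 0x21, crc, size, size, len(n), 0, 0, 0, 0, 0, off) + n
    eocd = struct.pack("<I4H2IH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


# Constructed sample disc: one open file, one 'password protected' with
# ZipCrypto, one with AES. Only the headers matter for the audit.
SAMPLE_DISC = build_fixture([
    ("readme.txt", b"unencrypted notes", 0, 0),
    ("benefit.csv", b"x" * 32, FLAG_ENCRYPTED, 0),
    ("payroll.csv", b"y" * 32, FLAG_ENCRYPTED, AES_METHOD),
])
```

Running `weakest_protection` over a disc image answers the question the post asks: a ZipCrypto or plaintext result means the data must be handled as if it were in the clear.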
There are also other very serious questions that need to be raised across Government systems now. This is not just about the data on the discs. First and foremost is whether any data of financial significance is stored on actual databases in an unencrypted format.
In the private sector, companies are heavily governed by regulations on this matter and have to meet all manner of compliance testing or else face PR hell and massive penalty fines. If the company is listed on a US market it has to meet Sarbanes-Oxley compliance, which is stricter still and can result in jail time for directors. Are Government systems anywhere close to compliance?
It is not a thorough review of this incident that is needed; there needs to be an inquiry that looks at every single Government system - central, regional and local - that holds data about the public, and ensuing legislation to restore any semblance of confidence in the systems.
This doesn't mean an inquiry that asks some mandarin if something is secure. It means a full security review of architecture designs with added penetration testing. Any legislation should include a requirement for security reviews throughout new system design phases as well as regular penetration testing throughout the lifecycle of a project. These reviews and tests should become a part of standard operating practice. Any legacy systems found to be failing should be taken offline immediately.
What's more, there should be an Information Security Committee drawn up that oversees Government systems. This should be a body that places information security at its core, not political expedience, and it should be independent of Government. It should be made up of people that actually know about this subject and are not afraid to say "No" and block a system from going live or take a system offline when it fails to meet the required standards. There should be a ministerial level role specifically for information security and legislation should ensure that the buck stops at that position.