Public Sector Data Breaches – Where do we go from here?

Content Copyright © 2009 Bloor. All Rights Reserved.

My data is very personal to me so, like many other people, I take great exception when it is lost or stolen by incompetent organisations. If data is lost by a private sector company I can vote with my feet and take my custom elsewhere. This doesn’t solve the data loss issue but it makes me feel a bit better.

Contrast this with a government body that loses my data. I have nowhere else to go, short of maybe leaving the country. This issue, coupled with the fact that government, in all its guises, handles what is my most sensitive data, presents us as citizens with a challenge – how can we make our governments handle our data more securely? For the next 20 minutes or so I am going to talk through the issue of data security and data breaches from a government viewpoint.

In the UK, public confidence in government, of whatever description, is extremely low. Fuelled by expense claims that fail the “reasonableness” test by the man or woman in the street, the view is that politicians, the government and the ruling classes are hopeless at best and criminal at worst. There is no sign that this confidence is returning.

Meanwhile government collects vast amounts of data that enables it to conduct its day-to-day business – licensing vehicles, paying benefits, running hospitals, tracking criminals and so on. Unfortunately it becomes a heady mix when one considers the amount of very personal, sensitive data that is being held in databases.

Even the most personal of personal data, our unique DNA code, is now, for many people, in the hands of the government. Data loss incidents raise the cry of “something must be done” but what is that something? What can we as IT professionals do to help solve the problem?

I have been getting my head around the sheer scale of government data handling failures for a few years now.

A drive to encryption has come about following the monumental loss of 25 million personal records by HM Revenue & Customs in November 2007, following which a report was commissioned to try and prevent future data losses. Unsurprisingly the report recommended that data be encrypted before being copied onto any devices that can be removed from government offices, including laptops and USB sticks.

Despite that, it’s been reported that the departments of health, transport and the Driving and Vehicle Licensing Agency (or DVLA) have all failed to make encryption mandatory despite the recommendations of a Cabinet Office report in 2008.

The Department for Children, Schools and Families and the Ministry of Justice are among the major departments that allow the copying of encrypted data onto memory sticks, but it is not clear whether this encryption is actively enforced.

On the other hand the Department of Business, Enterprise and Regulatory Reform is one of the few departments that appears to force users to encrypt data held on memory sticks.

When thinking about the government use of citizen data it quite often shocks people when they realise the amount of data that is stored across government systems. The vast majority of these databases are perfectly legitimate and form a vital tool for the administration of a country.

  • The national DNA database stores records of over 4.5 million people, which is around 5.2% of the UK population. Everyone that is arrested in the UK has their DNA taken and kept on file even if they are not found guilty, or even charged, which has raised some interesting civil liberties concerns.
  • The National Identity Register, or ID database, is another politically sensitive database currently in the design phase. It is believed by some that over time this will contain all citizens’ data as a prelude to the enforced carrying of ID cards – a very sensitive issue for the British.
  • The TV licensing database contains 28 million addresses and the DVLA database stores records of 38 million vehicles registered in the UK alongside driver and vehicle licensing information.
  • The Department for Work and Pensions customer database has 85 million records that are accessible to 80,000 departmental staff plus 60,000 staff in other departments and 445 local authorities.
  • ContactPoint is a database designed to hold the name, address, gender, date of birth, school and health provider of every child in England.
  • The communications database is planned to centralise details of calls and websites visited by users by utilising data from phone companies and internet providers. This data will then be open for inspection by over 500 public bodies.

According to the Joseph Rowntree Reform Trust (http://www.jrrt.org.uk/) the UK government spends £16bn a year on databases and plans to spend a further £105bn on projects over the next five years.

I believe that the biggest threat to government data actually comes from within. Despite exciting stories of hackers breaking into government databases the vast majority of data loss incidents have stemmed from the inside threat.

I use the term inside rather than insider as I believe it better articulates this problem, which breaks down into two areas:

The incompetent and non-malicious is by far and away the most prevalent actor in any data loss incident. We have all read the headlines and seen the news reports. I guess someone leaving an unencrypted laptop on a train isn’t as exciting as a targeted hacking attack, but it is the reality when it comes to government data losses.

That said, of course there are competent and malicious data loss incidents where an attacker is in a position to steal data. Again I believe a lot of this is by users that already have privileged access to data in the first instance, and then go rogue. Espionage and break-ins are far less common.

So what steps can government take today to help prevent data loss?

As we have seen, the public sector is often revealed as having poor data security practices, and the vast majority of headlines relate to public sector organisations failing in their data protection duty. The private sector appears to have been able to hide its mistakes away from public eyes unless a data breach attracts a prosecution or the company owns up of its own accord.

Regulators are getting more intrusive and aggressive. The UK government is now actively dealing with data protection issues with the Data Handling Procedures in Government report published in June 2008 that set out clear and mandatory procedures to be followed by all government employees that have access to and responsibility for citizen data.

All organisations – public and private – need to avoid being caught up in the headlines for the wrong reason. In the past a good flogging by the media appeared to shake a response from the public sector, but should we really rely on the fourth estate to be the ultimate sanction for data loss offenders?

Inevitably, legislation plays an increasing part in data security.

It is interesting to compare the evolution of IT related laws in the US to those in Europe. One piece of legislation that has captured a lot of mind share in the US is that of security breach notification.

These laws have been enacted in most US states since 2002 and were created in response to an escalating number of breaches of consumer databases containing personally identifiable information.

The first such law, the California data security breach notification law, was enacted in 2002 and became effective in July 2003. There are ongoing discussions across the EU, both nationally and at a European level, to determine if such legislation should be implemented in this region. A proposal was published in late 2007.

The good news is that there are some reasonably straightforward steps that organisations can take to protect their data.

Data encryption is one of the more well established data security tools and vendors have produced a number of easy to use encryption solutions that enable users to rapidly encrypt their data, be it at file level, folder level or the entire hard disk.

Alongside these many implementations comes the inevitable downside.

For encryption this has always been key management. Relying on users to remember their encryption passwords is a risky business and can result in corporate data being locked away, sometimes never to be seen again. Clearly this is an unacceptable state of affairs and needs to be addressed before encryption is widely adopted. Unfortunately departments that have purchased an encryption solution as a tactical add-on, rather than as part of a strategic encryption roll-out, quickly realise that their quick fix ends up causing horrendous problems later on.
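The usual answer to the "forgotten password locks the data away" problem is a key hierarchy with escrow: the device is protected by one data-encryption key, and that key is wrapped both under the user's passphrase and under a recovery key held by the department. The following is an added illustration written for this page, not code from any product or department mentioned here; the HMAC-SHA256 counter-mode keystream is an assumed stand-in for a real AEAD cipher such as AES-GCM, which a production deployment should use instead.

```python
"""Key escrow for a device-encryption roll-out (added illustration).

A single data-encryption key (DEK) protects the laptop or USB stick. The DEK
is wrapped twice: under a key derived from the user's passphrase, and under
the department's recovery key kept by IT. A forgotten passphrase then means a
helpdesk recovery, not data that is "never to be seen again".
"""
import hashlib
import hmac
import os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode; stands in for a real cipher (assumption).
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def wrap(kek: bytes, dek: bytes) -> dict:
    """Encrypt the DEK under a key-encryption key and authenticate it."""
    nonce = os.urandom(16)
    ct = _keystream_xor(kek, nonce, dek)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap(kek: bytes, blob: dict) -> bytes:
    """Reject a wrong key or a tampered blob before releasing any key bytes."""
    expected = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong key or tampered wrap")
    return _keystream_xor(kek, blob["nonce"], blob["ct"])

def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def enrol_device(passphrase: str, recovery_key: bytes) -> dict:
    """Generate a fresh DEK and escrow it under both the user and IT keys."""
    dek, salt = os.urandom(32), os.urandom(16)
    return {"salt": salt,
            "user_wrap": wrap(passphrase_key(passphrase, salt), dek),
            "recovery_wrap": wrap(recovery_key, dek)}

def dek_from_passphrase(record: dict, passphrase: str) -> bytes:
    return unwrap(passphrase_key(passphrase, record["salt"]), record["user_wrap"])

def dek_from_recovery(record: dict, recovery_key: bytes) -> bytes:
    return unwrap(recovery_key, record["recovery_wrap"])

def can_unlock(record: dict, passphrase: str) -> bool:
    try:
        dek_from_passphrase(record, passphrase)
        return True
    except ValueError:
        return False
```

The recovery key itself then becomes the asset to protect: it belongs in an HSM or an access-controlled key server with audited use, not on the same laptop as the data.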

The most appealing aspect of data encryption is the fact that if hardware that contains encrypted data is lost the associated dramas are far less exciting. After all, only some hardware has been lost which contains an incomprehensible bunch of gibberish. Bad that hardware has been lost, but nowhere near as bad as if it had contained valuable government data.

Strategic data encryption is a must for any system that contains sensitive data. But great care needs to be taken in rolling it out. It is vital that implementers fully understand the environment in which they are working so that all relevant hardware is encrypted. Discovery is vital – forgetting about one single USB drive may invalidate an encryption solution that has been deployed across an entire government department.

Patch management, like data encryption, is one of those basic IT hygiene tasks we all need to undertake day in and day out.

The rampant success of the Conficker code late last year was attributed to neglected patching. This included 8,000 PCs on a hospital network in Sheffield that were infected after managers apparently told staff to turn off automatic security updates. A patch, released by Microsoft in October 2008 and 3 months before the Sheffield incident, would have prevented the problem. Likewise the Ministry of Defence was still subject to a Conficker infection early in 2009.

Patches need to be tested and deployed under a controlled environment, following advice from the software manufacturer as to their urgency. Testing has traditionally been a problem as an untested patch may end up affecting production systems, so IT managers need to weigh the time required for appropriate testing against the need to deploy a patch to combat a known exploit.

With good, well-managed data encryption and a robust patch testing and deployment strategy an organisation will be a long way down the road of establishing a safe, secure and compliant IT infrastructure.

It is vital that we as IT security professionals remain aware of the acts and regulations that apply to our specific geography, market place or industry sector. Government departments face increased scrutiny, quite rightly, as they store more and more data on citizens.

With the current turmoil in the worldwide finance sector there is no doubt that legislation, oversight and regulation will be under more scrutiny than ever before. The risk is that politicians will see heavier compliance requirements as a quick fix to managing far more complex and difficult issues, and that will have a knock on effect to the IT security community.

In the meantime all we can do is keep our own house in order and make sure we are able to deliver compliant and well managed systems to the business. To achieve this we all need to understand our IT environments, manage our known risk, protect against unknown risks, prevent device misuse and secure mobile devices.

Politicians need more education and awareness. Why?
My heart sank when I heard some of the plans the Conservative party have for NHS data. Of course NHS IT systems need to be updated. Politics aside I want to know that my medical records are stored securely but are available to relevant clinicians when they need them.

I was therefore very concerned when I heard that the Conservative party are suggesting that patients could access their records across the internet using a login name and password. The idea is that they could update their own records with their latest blood pressure or blood sugar readings.

Of course my significant concern is that as soon as any health data is exposed on the internet it will provide a magnet for those wishing to hack into others’ medical records. I don’t care what anyone says, this data will be hacked and medical records exposed.

That, to me, is a horrible thought…