Losing Data

Today it has been revealed the data of 80,000 prisoners has been “misplaced” by a contractor working for the Ministry of Justice. It seems not a month goes by in the halls of power where some rather sensitive does not go missing.

What amazes me is the slapdash nature of data handling practise. If the data was simply encrypted before burning to CD or memory stick this wouldn’t be an issue. It would take but a few minutes. Then, the conversation on the Today Program would go:

John Humphrys: So, we again(!) hear about a CD with 80,000 people’s bank account details going missing.

The Minister: Yes, that’s correct. But, the data was properly encrypted using strong passwords, which means the end of the universe will happen before the data can be read1.

John Humphrys: Oh. Well… that’s okay I suppose.

What a change that would be! And what a short interview.

The computing industry has a lot to do to put its own house in order. Each time I use internet banking, I worry about the skill level of those who coded the site; especially whether any knowledgeable experts were consulted and their advice acted upon. I think the source code to such sites should be viewable to all: if the site is secure, having the code to hand isn’t going to help an attacker very much.

Typically, however, in this case the convenience of internet banking triumphs my qualms.

Convenience too, I suspect, is at the heart of our latest hiccup. The process for transferring data should be: “Encrypt all data moving outside the internal network with a strong encryption scheme without screwing it up2”. It’s inconvenient to do this, of course. It is somewhat less so than having your credit card number in the hands of a criminal, however.

Update: The Guardian has a handy page listing the most recent data mishaps from the government.

1 Or quantum computing happens, I suppose.

2 With weak passwords and the like.