01/05/2008 by gerry.
More than 600 staff at HM Revenue and Customs (HMRC) have been disciplined for accessing personal or sensitive data, it has been revealed.
In a Commons written reply, Treasury Financial Secretary Jane Kennedy said that in many cases the penalty for staff was dismissal.
There were 238 people disciplined in 2005, 180 in 2006, and 192 in 2007.
The secretary was responding to a question from shadow home affairs spokesman James Brokenshire.
Ms Kennedy said the figures showed “the strength of HMRC’s disciplinary procedures”.
The numbers represented less than 1% of HMRC staff, she added.
Ms Kennedy said HMRC has a “strict policy forbidding staff to access customer records unless they have a legitimate business need.
“Breaches of this policy are taken seriously and any breach will result in the commencement of disciplinary proceedings.
“Each case is treated on its merits but in many cases the disciplinary penalty for breach is dismissal.”
HMRC was formed in April 2005, when the Inland Revenue and HM Customs and Excise departments merged.
Gerry adds: There’s a good chance that some of these breaches were made easier by the plethora of non-production databases which had not been masked!
22/04/2008 by gerry.
Companies and public bodies are not doing enough to protect customers’ data, the UK’s privacy watchdog and a major survey of security have said.
The Information Commissioner said that the 94 security breaches reported to him last year was an “alarming” number. The survey of more than 1,000 firms suggested that almost 90% of them let staff leave offices with potentially confidential data stored on USB sticks.
Firms and public bodies were urged to make data protection a priority.
Information Commissioner Richard Thomas said of the 94 data breaches, two thirds were committed by government or other public sector bodies. Data had been recovered in only three of the 94 cases, he said.
Stolen computers
The material included personal details of UK citizens, including health records.
“The evidence shows that more must be done to eradicate inexcusable security breaches,” he said. Mr Thomas’ findings and the separate Information Security Breaches Survey will be detailed at the InfoSec show in London, the world’s largest event of its kind.
The survey was carried out by PricewaterhouseCoopers on behalf of the Department for Business Enterprise and Regulatory Reform. According to the survey, almost 80% of firms that had reported a stolen computer had not encrypted data on the hard drive.
Chris Potter, from PricewaterhouseCoopers, which compiled the survey, told BBC News that overall attitudes to security had improved in the last 12 months.
System failures
“Companies have focused on the areas which have caused them most damage in the past, such as viruses and system failures. These tend to have caused the greatest cost in terms of business interruption.” But he said the “biggest concern is around the protection of customer data, which companies clearly want to be good at. Sometimes that’s not translating into real action.”
He said particular threats were around the lack of encryption of data on laptops, the use of USB memory sticks and newer technologies like Voice over Internet Protocol.
“In all these areas the controls are not as strong as they are over traditional threats,” he said.
Mr Potter’s comments were echoed by those of the Information Commissioner.
Mr Thomas said: “The government, banks and other organisations need to regain the public’s trust by being far more careful with people’s personal information.
“Once again I urge business and public sector leaders to make data protection a priority in their organisation.”
Of the total reported to the commissioner, 62 security breaches were in the public sector, 28 were in the private sector and four in the charity or third sector.
Of those reported by public sector bodies, almost a third happened in central government and associated agencies, and a fifth in the NHS.
According to the PricewaterhouseCoopers report, fewer companies today are encrypting data on laptops than two years ago, despite a recent spate of high-profile instances of laptop losses with unencrypted information.
Mr Potter said: “We have seen in successive surveys that companies tend to be very good with preventing yesterday’s problems. Companies need to stay on their toes to make sure they are addressing tomorrow’s problems.”
Risen dramatically
The report found that the number of attempts to hack into company networks had risen dramatically over the last two years. “What is a really big concern is the proportion of large businesses that say hackers have got into their networks,” said Mr Potter. Two years ago 1% of large businesses reported a hacker penetration, compared to 13% in the current report. The survey also said that figure was likely to be under-reported because many large firms did not admit to successful hacks on their networks.
Security breaches cost UK business several billion pounds a year, said the report.
02/10/2007 by gerry.
Some retailers have tried to mitigate the damage by using older customer data, on the belief that such data would have outdated information that might be less valuable if intercepted. But Mark Rasch, the former head of the U.S. Justice Department’s high-tech crimes unit and currently a security consultant in Washington, questions that premise.
“The fallacy is that there is something called ‘old data,’” Rasch said, adding that most credit card information—including name, address and often the credit card number itself—does not change with any frequency. “What’s personal about me tends to remain personal even with the passage of time,” he said.
The credit card’s expiration date will periodically change, but Rasch said there’s such a small number of possible month/year combinations in the typical 2-year period that a thief could simply try them all until the right combination was discovered.
Rasch also has concerns about whether the use of such information for network testing violated “the implicit agreement between the merchant and the customer” that “you get my data for certain purposes, primarily to sell me the product and to validate payment.”
As for why test data hasn’t been created to safely test systems, Rasch said it’s a matter of money. To make it work, the test data would have to have a lot of numbers, with segments created to replicate various banks and other processors. It would do a retailer little good, for example, to test a Visa connection using a MasterCard number or even a card number from one major bank when testing a different bank’s card. “The question really is, ‘Who’s going to pay for it?’,” Rasch said.
Money is also behind the lack of security on the networks transmitting the test data, said the PCI Security Vendor Alliance’s Taylor. “These people are operating on a limited budget. What you secure first is the production environment and anything that is outwardly facing,” he said.
As for protecting the data itself, that’s a combination of laziness coupled with cheapness, Taylor said. There is a way to properly sanitize test data, he said, but it’s a lot of work.
He cited one insurance company that was testing with non-sanitized test data. “They didn’t have any way of generating test data on an enterprise basis. No tools, no procedures, not even a policy. They had no system-level prevention at all,” Taylor said. “They were using production data without masking, without encryption, without scrambling.”
Why? “Hey, it’s hard. Unless someone makes them do it, they’re not going to do it,” Taylor said. “You need policies. It’s so much easier to just copy production records.”
Is there a way out? Taylor said such numbers could be created by a group of card issuers coordinated by some overarching entity, such as Visa or some other industry group. Why has it not yet happened? Said Taylor: “I just assume it’s not their priority.”
Gerry adds: This is a great reason to have a look at tools like Data Masker. Making the process easy and repeatable as data is refreshed is what it’s all about!
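Rasch’s point that test numbers are only useful if they still route like the real issuer’s cards, and Gerry’s point that masking has to be repeatable on every refresh, as an added Python example (not code from the original post or from Data Masker): it keeps the first six digits of each production card number (the issuer identifier), replaces the account digits with a keyed HMAC-derived value, recomputes the Luhn check digit, and applies the same mapping to every table so joins still line up after a refresh. The key and the sample rows are constructed for the demo.

```python
import hashlib
import hmac


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and 12 <= len(pan) <= 19 and luhn_check_digit(pan[:-1]) == pan[-1]


def mask_pan(pan: str, key: bytes, keep: int = 6) -> str:
    """Synthetic PAN of the same length: original issuer identifier (first `keep`
    digits) so it still routes to the right brand/bank in test, account digits
    derived from an HMAC so the mapping is stable across refreshes but cannot
    be reversed without the masking key, and a fresh Luhn check digit."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    body_len = len(pan) - keep - 1
    if body_len < 1:
        raise ValueError("PAN too short for the requested prefix length")
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    body = str(int(digest, 16) % 10 ** body_len).zfill(body_len)
    partial = pan[:keep] + body
    return partial + luhn_check_digit(partial)


def mask_tables(tables: dict, key: bytes) -> dict:
    """Mask the 'pan' column in every table with one key so a card keeps a single synthetic identity."""
    return {name: [{**row, "pan": mask_pan(row["pan"], key)} for row in rows]
            for name, rows in tables.items()}


if __name__ == "__main__":
    KEY = b"constructed-demo-key-keep-out-of-the-test-environment"  # constructed
    prod = {  # constructed rows; 4111... and 5555... are well-known published test PANs
        "customers": [{"id": 1, "pan": "4111111111111111"}],
        "orders": [{"order": 77, "pan": "4111111111111111"}, {"order": 78, "pan": "5555555555554444"}],
    }
    test = mask_tables(prod, KEY)
    assert test["customers"][0]["pan"] == test["orders"][0]["pan"]  # join still holds
    print(test)
```

The masking key belongs with the masking job only; anyone holding it could re-derive the mapping, so it should never be copied into the test environment along with the masked data.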