Only 55 of the data loss breaches have actually been reported

If you can’t stop data breaches, at least cover them up! This seems to be the data security code British authorities go by. Too bad for them there is something called Freedom of Information Act requests… A new report issued by privacy campaign group Big Brother Watch showed that councils across the UK experienced over a thousand data loss cases over a three year period – August 2008 to August 2011.

To get the information, the group sent 433 FOIs to local authorities and councils across the Great Britain and showed s shocking discrepancy between the reported 50 something incidents and the harsh reality. Not only did BBW uncover the data mishandling cases, they also requested information on what happened to the employees of said councils – if they had been disciplined, fired or prosecuted over the data breaches -, and inquired about the council’s response to each incident. 

According to the 395 replies received,

“We have uncovered more than 1,000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care,” said BBW in a statement accompanying its report (PDF). ”Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.”

Only 55 of the incidents were subsequently reported to the Information Commissioner’s Office, which handles data loss complaints. In only 9 cases, those involved in the data breach were fired.

“I welcome this research by Big Brother Watch,” local government minister Grant Shapps told the data protection advocates. ”This reinforces the need for steps to protect the privacy of law-abiding local residents. Civil liberties are under threat from the abuse of town hall surveillance powers, municipal nosy parkers rummaging through household bins and town hall officials losing sensitive personal data on children in care.”

For a list of some of the most important data incidents included in the report, read the story published by the Register.

The latest annual statistics from the UK’s National Fraud Authority show that more than £38bn have been lost over the last 12 months due to fraud. This amounts to an increase of more than 25%.The public sector (£21.2bn) reported the biggest part of the loss, while the private sector cost the government only £12bn, with another £4bn in losses from fraud against individuals.

According to the NFA the increase was to be expected, at least in part, due to improved reporting procedures. The figures include estimates for procurement (£2.4bn) and grant fraud (£515m) for the first time.

In the financial services industry £3.6bn in fraudulent losses have been recorded last year. The highest figure in the private sector was £3.8bn and represented a slight decrease from 2009. Losses attributed to plastic card (£440m) and cheque fraud (£30m) have also increased by up to 14%, reaching £60m. Insurance fraud (£2.1bn) and mortgage fraud (£1bn) both remain high.

According to Gavin Cunningham, director in the specialist forensic fraud investigation firm, BTG Global Risk Partners, fraudulent losses are only likely to rise in the future.

“These figures make grim reading for both private and public sector business leaders alike and reflect the significant financial impact of fraud in the UK,” Cunningham said. “With the UK still struggling to recover from the recession and some uncertainty as to what the future may hold, there is unlikely to be a reduction in fraud in the short term; historically, there is evidence that fraud increases as a recession ends, in part because businesses uncover fraudulent actions as the effects start to build up and in part because there is more scrutiny of hidden and unknown costs in tougher times.”

Cyber gangs appear to be one step ahead of e-crime experts.

UK Metropolitan police commissioner Sir Paul Stephenson, has stated that he believes police officers trained to fight against the growing number of cyber criminals are as vital as uniformed officers in the streets. In a letter to “The Sunday Telegraph” he outlines his beliefs that cutting back -office staff in favor of more street officers is wrong.

“Online fraud generated £52bn worldwide in 2007 – a staggering sum. There is a significant fight back by the financial institutions, working with police. In the Met, we play our part in a ‘Virtual Task Force’,” he said.

He has also stated that leaving cyber crime to other institutions like banks and retailers is a mistake and that uniforms should not be put before specialists. More uniforms then specialists is not a good way to serve the general public in his opinion.

Sir Stephenson has also explained that cyber crime dedicated law agencies should exist as we face the growth of this crime form. These agencies should work along side the financial institutions that strive to combat this trend.

“It is a ground-breaking venture and would be less effective without the involvement of experienced detectives. The Task Force is working to predict, prevent and respond to cyber threats.”

A few figures stated by Sir Stephenson show that for every £1 that it costs, The Virtual Task Force saves £21, although this is not enough and the task force is still loosing the battle.

“We know that, at any time, the police service is only actively targeting 11 per cent of the 6,000 organised crime groups in England and Wales.” – this is another fact stated by Sir Stephenson

Back in 2008, assuming that the human factor would eventually fail at some point and people would make the mistake of plugging an unsecured memory stick into a military laptop, several memory sticks were scattered in a US military base in the Middle East that was providing support for the Iraq war. All these memory sticks were deliberately infected with a computer worm.

It resulted in the self-propagation of a computer worm into the computer system of Centcom – the central command of the US military. The eradication process took 14 months. Apparently this attack, acknowledged by the Pentagon only in august 2010, was very similar to a Stuxnet worm attack which was used in attempts against Iraq’s nuclear facilities and Iran’s nuclear programme.

The attacks appear to have been highly funded, this bringing forth the possibility of being orchestrated by another country. The Stuxnet worm has infected 30,000 of Iran’s computers and was apparently delivered by intelligence operatives. This tactic appears to be an almost duplicate of the cyber attack against Centcom.

After these attacks, the US gas attempted an exercise called “Cyber Storm III”, an exercise that had as main purpose the countering an all-out cyber war. The exercise that involved government agencies and 60 private organisations in various sectors such as banking, chemical, nuclear enery, IT took place on Thuesday. The results have yet to be disclosed.

James Lewis of the Centre for Strategic and International Studies in Washington stated:

“Cyber war is already here.We are in the same place as we were after the invention of the aeroplane. It was inevitable someone would work out how to use planes to drop bombs. Militaries will now have a cyber-war capability in their arsenals. There are five already that have that capacity, including Russia and China.”

He added  the he believes only 3 countries  have the drive and means capable of launching the Stuxnet attack on Iran: the US, Israel and the UK.

Lewis also believes that a deliberate hacking of an electric generator at the Idaho National Laboratory has previously proven that infrastructure can be persuaded to destroy itself.

“There is growing concern that there has already been hostile reconnaissance of the US electricity grid,” he said.

Due to the fact that Israel has a specialised cyber war unit, called “unit 8200”, some analysts have been led to believe that the Stuxnet attack against Iran was orchestrated by this country.

The fact that a file called Myrthus, a reference to the book of Esther and Jewish pre-emption is present in the worm’s structure can be a proof but also a red-hering.

“Reality has quickly caught up” says Dave Clemente, a researcher into conflict and technology at he International Security Programme at Chatham House in London. ”You look at the Stuxnet worm. It is of such complexity it could only be a state behind it,” Clemente said.

He also points out that the US and UK are putting large ammounts of resources ino cyber warfare defense. According to his statements, a centre for cyber security operations in GCGQ and a new office of cyber security in the Cabinet Office have taken form.

A few steps against Stuxnet infections can be found here

Over more than 1000 data losses for the NHS. This is a new record.
Of which alone 307 were as a result of stolen data or hardware and 233 due to lost data or hardware.

The Information Commissioner’s Office has warned organisations that they need to minimise the risk of mistakes, as the amount of losses reported tops 1,000.

The ICO claimed that staff need simple procedures on how to handle personal information with appropriate training to ensure the importance of securing it is fully understood. It also said that it is essential that the protection of people’s personal information is part of organisations’ culture and DNA.

An ICO report revealed that 254 breaches were as a result of information being disclosed in error, 307 were as a result of stolen data or hardware and 233 due to lost data or hardware.

A further 83 were due to a technical or procedural failure and 59 were lost in transit. A breakdown of companies revealed 305 incidents were recorded by the NHS, 288 in the private sector and 132 by local government. Only 81 incidents were the result of central government.

David Smith, deputy commissioner at the ICO, said: “We all know that mistakes can happen but, the fact is that human error is behind a high proportion of security breaches that have been reported to us. Extra vigilance is required so that people’s personal information does not end up in the wrong hands.

“Organisations should have clear security and disclosure procedures that staff can understand, properly implement these and ensure that they are being followed by staff. Staff must be adequately trained not just in the value of personal information, but in how to protect it.

“We are keen to work with organisations to prevent breaches happening in the first place and to help ensure that things are put right when they do go wrong.”

Source and full article: SC Magazine

When one thinks of institutions like the British Ministry of Defense, one expects tight security. Tight as in you cross us once, we expect you not to cross us twice. Apparently, things go another way, as the MoD, quoted by V3.co.uk, says the number of data breaches they have been exposed to was 4 times higher in the past year.

The Ministry’s  latest resource accounts show it suffered eight serious breaches in the 2008 to 2009 period, up from just two in the preceding year.  The most serious case lead to the loss of a portable hard disk from a contractor’s premises containing the names, passport information and bank account details of about 1.7 million individuals. That’s a big blow!

Other incidents included the theft of three USB sticks from “secure government premises”, which contained details of all RAF service personnel who served between 2002 to 2008 and some of their next of kin.

And in April last year, an unencrypted laptop was stolen from government premises containing the personal records of 300 people.

The MoD admitted that it had lost electronic equipment, devices or paper documents from outside government premises on 15 occasions, and in six instances they were lost from within government offices.

We’d say it’s about time they actually did something to prevent such breaches! A private company would have probably done so 8 breaches sooner…But then again, it’s public funds, isn’t it?

Although the numbers of data breaches reported in the UK has been significant this year, the UK Government has recently announced it will not implement a compulsory data breach notification law for the private-sector companies. The decision was made after reviewing a recommendation made in July by information commissioner Richard Thomas.

On the other hand public-sector organizations are obligated to report any significant potential or actual data loss. Their private-sector counterparts should report the losses in the spirit of “good business practice”. So if your data is exposed by a public-sector institution and only 2 others have been affected, or if a private company looses thousands of private record but does not see reporting the incident as good practice, you will never find out.

“After considering the analysis of the experience of the US in the area of data-breach notification legislation, the government is not intending to implement similar legislation to that in operation in the US,” states the Response to the Data Sharing Review Report.

Private-sector companies are not clear of all consequences, as fines for organizations found in breach of data-protection laws will soon be raised. According to the same report, The Ministry of Justice is working with the Information Commissioner’s Office to determine the level of the maximum fine.

If you are British and have been plotting to stalk a member of the British National Party (BNP) you might just have missed the opportunity. A list with all the party’s members, including names, addresses, and email addresses has recently shown up online. Some of those who just got exposed online are also underage (an extra “benefit” of the family plan BNP offers) and others had mentions of other personal details made public, such as job or hobbies.

As the Register puts it, “That’s how we know that that BNP members include receptionists, district nurses, amateur historians, pagans, line dancers and a male witch.” Members reacted pretty strongly, filing their comments with courses and outrage. As certain professions in the UK are expected to have no political color, they might even lose their job and according to several blog sources, some pretty powerful people in the BNP are to blame for the leak.

BNP spokespersons found out of the leak from the Register, but although completely unaware, they promised to treat whoever is responsible quite harshly!