Not just encryption, although it's a damn good start, it is still too easy to get access to encrypted data via various social engineering methods. How about not allowing private data to be stored on easily lost or stolen items like CDs or laptops?

Only allow access to the data through secured, encrypted links, and provide a layer of physical security around the data storage as well. That might slow down the haemorrhage. Maybe.

Of course, given the way the UK gov (and USA, and Canada, and every other one for that matter) is stripping "privacy" from us every chance they get, perhaps

it's a moot point.

In most cases that we have seen over the past month or so the data in the form it was should not have been on the media or device in the first place. Have these people never heard of GUIDs? Do they think that SELECT is always followed by *?

Proper data modelling is required and proper need to know policies. But before all of that people with a responsible attitude to data protection need to be employed.

According to the Yorkshire Post

"Moore Stephens Consulting was carrying out work on an IT system for the Yorkshire-based investment company when the theft took place"

So why did he need customer data on his laptop?

well obviously the unlinked Moore(ski) Stephens(ki) was an undercover russian(ski) haX0r who was clearly using the guise of a consultant to steal the companies data and 'lose' it to one of his buddies in the russia. Duh

Hmm... If they decide to punish these people as they deserve, will they have to multiply that punishment 1700x for the HMRC?

Other than discs, it usually seems to be data on laptops that is lost. A rule under the data protection act that sensitive personal data may not be held on anything other than a desktop or mainframe would solve most of the problems. If data is needed elsewhere it could be sent on secure encripted lines since I assume that such things exist.

Putting live customer data in the hands of a consultant, off-site, is surely a breach of trust in itself?

Security will never improve until company Directors are properly held to account with robust, easily understood law instead of the flannel we are working under. And no, UK law does not work in this respect - otherwise we would have seen some brought to book by now.

So this guy was walking around with a laptop full of thousands of customer's records... why? I can't believe that the creators of a database system that holds so much sensitive data would be so careless as to develop a mechanism that places a physical copy of so much plain text data on the client PC. So my guess is that he had a data dump on a spreadsheet. Wonderful. All the smart systems development in the world can't protect against that level of user stupidity.

Oh dear, looks like we're caught between a rock (encryption requirements to pre-emptively avoid disasterous data losses) and a hard place (RIPA sec 3).

"Told you so", a consultant might say, looking back three years.

I think we should all now assume that we have no "private" data. Assume that it's all out there already, and stop worrying about any further leaks.

As an individual, this really just means that I must always check my bank statements - which of course I do anyway. The people whose lives are made more difficult are the banks (etc.), who can no longer "verify" customers' identifies by asking for confirmation of "private" data. How they will fix this I don't know, but that's their problem.

It went walkabout because it wanted another Date with the Great Codd in the Sky.

/Is this my concrete overcoat I see before me

The article only says it was taken from a locker. I want to know was that locker on company property.

Many people here suggest that there is gross negligence by the company losing the data, as opposed to the consultants who failed to encrypt or protect it.

From a technical point of view what exactly is the solution, then?

1. Have policy and equipment requiring consultants to use a remote desktop so data always remains on site.

This has it's own technical problems, requires high connectivity, can be expensive, limits the software/os available to the consultants, and is potentially vulnerable to exploitation in itself.

2. Require consultants to always store data on remotely mounted drive located at company via VPN.

Difficult to enforce, and requires high connectivity.

3. Require consultants to keep data encrypted.

They should already have been doing this, it is difficult to enforce.

4. Prevent them from having access to all the data (select *) so they can't loose it

I've heard people say this, but what exactly are you talking about? The consultants may if fact need the data. SQL is by nature an adhoc mechanism, how would one impose restrictions while not simultaneously hampering the ability to do one's job?

The company could have DBA to create and grant restrictive views to the consultants. However if every query needed approval, efficiency would drop like a rock. And if the DBA knew which queries to grant, then they probably wouldn't need the consultants in the first place. So this still wouldn't necessarily fill the security hole.

I'm really interested in knowing how you guys would go about solving this? Clearly there are things that the consultants can do, but what about the company who's data is at risk?

what are the odds of successfully suing a company for losing all this data? and the one that really makes me laugh is debt collection agencies selling the accounts to each other, so you were dealing with one firm, then a totally different one rings up and the first thing they say is "can you confirm your date of birth for security?"... i mean, why are so many companies still using this carp system for "security"?

*meh*

@Lou Gosselin:

"From a technical point of view what exactly is the solution, then?" The solution is to create a matching database with false names, addresses and other personal information. It can be used by anyone, anywhere without fear of losing a week of paid holidays.

If 'consultants' *have* to work with live data, they do so on-site.

There are no technical difficulties whatsoever, just inconveniences, maybe.

Wait!

A far more satisfactory solution now occurs to me. One that will solve very many ills and remove many irritations.

Ban consultants.

You have in principle hit the nail on the head in a few posts.

(1) CEOs and Board members should be made liable. Not as in 'problem = go to jail' but as in 'lack of diligence = you are responsible', and to a degree this is already the case just rarely enforced (surprise :-). Leading on from that ..

(2) .. policies should be set up. Why was this consultant using an unsecured system to cart sensitive data out of the company? There are a couple of policy fault lines there:

- said consultant should have had some privacy training, not only could that help develop some insight (assuming some working braincells), it also prvides a legal handle on the guy if it goes wrong (requires less working braincells due to threat model). And it makes it a clearer case of 'your insurance or mine'.

- having full access to the data: this sort of access should go with a big red flag stating "this material is sensitive". If that cannot be done (you can't examine SQL queries for "sensitivity" - at least not without making things unworkable) than the default should be the safe posture - "if unknown, cosider sensitive".

- someone carying any sort of data past the front door - why?

- someone carrying data on unsecured equipment. Two approaches there: either the use of 'personal' equipment is allowed with all the risk of external infections and leaks, but looks good for cheapskate finance directors (money for nothing, and kit for free, to paraphrase Dire Straits) who should IMHO thus be made liable for the consequences, OR supply any contractor with company equipment which is properly secured.

You can only get away with this if you're a government. In that case, you just move someone high up to a more cushy job at, say, Cabinet Office and call that a "resignation", get some mea culpas in the press and work as hard as you can to bury the fact that it was actually 100% routine procedure so that nobody else takes any flack. In any private company, however, heads will roll..

Quite frankly I don't think that this really matters any more, on any one individual user of the internet there's a few dozen records scattered across various company's databases, most of which don't have any real security measures on.

All these thefts mean is that the people on the lists have an increased chance of being targeted, but even that isn't guarenteed because the criminal has to know where to look for you. There's safety in numbers when it comes to things like this...

Actually, this should be the universal case. Internationally. And there is a long precedence.

In the navy, a captain is ALWAYS responsible for the conduct of his crew. This translates to:

A director is ALWAYS responsible for the conduct of his subordinates. Thus, if the screening of consultants/employees is insufficient to stop this kind of idiotic mistakes, THAT MEANS THE DIRECTOR IS RESPONSIBLE. The ENTIRE cost of cleaning up after the mistake should be taken out of that directors PERSONAL account. If the amount in that account does not cover it, go one step up, and empty the next level of directors accounts. If the entire chain of command from the lowest director to the board still does not cover the cost, it's obvious that these people are taking chances that make them unfit for running a company. Basically taking that kind of chances and not being capable of paying for the clean-up should be treated no different than writing bad company cheques, which iirc can land the directors in jail for a good long time.

And this responsibility is NOT something they can sacrifice the worker that just followed their orders for.

//Svein

Get notebooks with hard disks that feature hardware based encryption. They are available today from Seagate and are actively sold by NEC and Dell Computer.

Thes hard disks feature AES government approved encryption at full interface speed. The user doesn't even notice they have an encrypting hard disk.

See here: http://www.wave.com

... losing data is the fashion of this year. ;)

...because the person with the customer data on his laptop would have been a developer. In order to develop new systems using real data as 'test' data would mean the machine would also have the private keys needed to decrypt the data....

Oh my gawd.

The only viable legal solution is not to allow personal data out to physically less secure devices or environments for the purpose of application testing. In other words, companies need to create dummy data for the purposes of all development, and re-encrypt this using non-production encryption keys. Give the development shop dummy data!!!!

When working in e-commerce in Australia, one of the leading e-commerce sites used to routinely send out 'test database' backups containing over 30,000 unencrypted credit card numbers. Managers weren't interested in the risk - billing is all they think about. The end result is that DVDs lie around the office, waiting for the cleaners to take away....

Given the amazing lengths, in Die Hard 4.0, that the US Govt went to "back up" the entire US banking system and it's terabytes of financial data - thus requiring no less than the chief architect of the system and the greatest hackers on earth to crack it and extract data from it...

Do you get the feeling that Die Hard 5, or it's British counterpart may be more of a short 3minute film than 2hour epic?

Bad guy goes to gym. Bad guy steals laptop from locker. Police are clueless. Nobody gets blamed, nobody looses their job. Bad guy sells data over IRC. Lots of bad guys credit 10,000,000 minutes of Nigerian Telecom calls against investors bank accounts. Credits roll.