Connecting the Database Dots

July 11th, 2007

Note the new category; ‘Post Tipping Point’. This is shorthand for, “we are not going to link back to BLOGDIAL articles on this subject inside this post that you should already have read or should be able to find with the google”.

Here we go….

Watchdog seeks an end to ‘horror’ of personal data security leaks

Business leaders oppose stronger powers to investigate breaches

Phillip Inman
Wednesday July 11, 2007
The Guardian

Phillip Inman; you fail it.

Britain’s data watchdog sparked a row with business leaders yesterday when he called for more powers to confront companies that fail to protect personal information held on computers. He wants a new rule that would allow investigators to look at files without the permission of company directors.

His plans ran into immediate opposition from business leaders who said his request for increased powers were a heavy-handed response to the problem.

The information commissioner, Richard Thomas, said that a “horrifying” succession of data security breaches in recent years at high-profile companies – including mobile phone operator Orange, building society Nationwide and mail order retailer Littlewoods – had shown that many companies failed to understand the risks to their customers and to their own reputations of keeping vast databases without adequate security.

The fact of the matter is that Richard Thomas is a busybody bureaucrat twiddling his thumbs in his office while the government puts together ContactPoint, which will be a database delivered over the internets, via browsers (read Internet Exploder) and available to 300,000+ people who will be authenticated by a username and password.

THIS should be his main concern. THIS is where he should be putting his ‘expertise’ to good use; to stop the greatest child protection disaster ever from being rolled out.

Instead, this anti-business Neu Labour apparatchik loser wants to punish business, that people engage with voluntarily, for lapses in their security.

How pathetic.

Mr Thomas said giving him the power to conduct an inspection and audit to ensure compliance with data protection laws would allow him “to force the pace” and encourage more companies to change their behaviour. Now, he must gain the consent of an organisation before starting an investigation. He also questioned whether companies should be obliged to report data security breaches in the same way the banks are forced to report suspicious money laundering.

How about government agencies who hold data on citizens involuntarily being forced to submit to independent audits? How about obliging every government agency using a database being obliged to report data security breaches? This is far more important because the databases that the British public are forced into are just that, by force, they make it impossible or very very hard to get yourself removed from the most simple databases.

Did you know that your personal and private medical records are the property of the department of health and that if you want to get your records deleted from any of their systems, you have to have the written permission of the secretary of health to do so?

In the commercial world, where all your stuff is voluntary, you can reduce your data shadow considerably, by following some simple rules. For example, use an alternate name everywhere and anywhere you can. Use a pay as you go mobile phone. All of these things can be done, and you would be surprised at how friendly these companies are when you ask them about deleting your account. Businesses are more responsive to the needs of their customers than the government is, and frankly, Richard Thomas needs to get off of his ass and implement citizen friendly data practices throughout government, like an end to biometric passports, cancellation of ContactPoint, and of course, the complete cancellation of the NIR and ID cards.

“Over the last year we have seen far too many careless and inexcusable breaches of people’s personal information. The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying.

Whatever you scumbag. What is FAR MORE HORRIFYING are the numerous breaches of GOVERNMENT DATABASES (the ones that we know about) where insiders have leaked information, violated privacy, and just been plain incompetent; we have documented and dissected some of these on BLOGDIAL of course.

Wrong hands

“How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each others’ forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?”

Mr Thomas, who was speaking before the publication of the commission’s annual report today, signed a deal with the banks last year that effectively gives him access to inspect and audit their systems without permission. He extracted the concession after a series of high-profile breaches at prominent high street banks and building societies.

This is utterly outrageous. This man has no business going into a private company and auditing their security (which means of course, looking at all the accounts, finding out where the back doors are, so that even ‘security through obscurity’ will not work). Anyone who knows about the systems used by banks understands that they are hugely complex, written in a variety of old and new languages; unless this Richard Thomas has expertise in these languages, and is given access to the source, he cannot possibly be able to audit the systems. Even if he did get access to the source, it would take years to audit it all, and the government does not have this expertise; that is a FACT.

That the banks have signed this agreement is also very very weird. I would like to read it… but I digress. Obviously they signed it to try and stop some new legislation coming into force. This is a bad, bullying bastard government.

In one instance, Halifax allowed details of 13,000 mortgage customers to go astray after the briefcase holding the documents was stolen from a member of staff’s car.

That has nothing to do with computers. No audit would catch this sort of insider blunder.

The incident came after Nationwide’s lax security procedures put thousands of customers at risk from fraud. A laptop was stolen from a long-standing Nationwide employee in a domestic burglary. The employee reported its loss and then went on holiday, but it took three weeks for the building society to realise that the laptop contained confidential customer information.

All this sort of event requires is the writing of guidelines, i.e., you do not put customer data on laptops. Ever.

Mr Thomas said a similar agreement allowing his inspectors access to companies in all sectors would prove to be more effective than spending the next few years painstakingly negotiating with each area of industry and commerce.

Richard Thomas is a moron. What this means is that anyone running a database (presumably over a certain number of rows in size) would be liable to one of these audits. Any company with even half a brain cell would immediately leave the UK for more sensible shores. There would be nothing that Richard Thomas and his army of ‘experts’ could do about it, and in fact, this is already happening. Banks, telephone companies (BT) have moved their data processing to India. When you get a call from an Indian call centre, they have your name, account number, date of birth, address and everything else they need to serve you.

There is nothing that Richard Thomas can do about it, and frankly that is a good thing. If Britain wants to become a business unfriendly zone, all modern businesses from LastFM to Orange will simply go elsewhere. It’s all transparent to the user and the company, so why not? Why put up with these zealots and idiots and control freak morons who do not know the difference between what is public and what is private?

He said he also needed a more effective sanction where there are “flagrant, far-reaching breaches of the law”.

The ultimate sanction is a lawsuit, and customers leaving you. That is what you should facilitate. After you have cleaned up your own house.

Debt collectors linked to a financial services subsidiary of General Motors and private equity firm Cabot Square Capital were named in a court case this year over the illicit market in private information stolen from government databases.

And there you have it.

What I have been saying all along about copies of databases, illegal trading of data etc etc. and yet, this brain dead journalist cannot connect the dots and pull Richard Thomas up on the shenanigans that he is a part of, and the danger he is putting the 11 million children of Britain in.

It is sickening, like watching an avalanche bearing down on you in slow motion as jabbering idiots throw snowballs at each other.

The commissioner brought a prosecution against a private investigator who was used by companies chasing vehicle hire purchase and bank debtors. The private investigator posed as another member of staff in telephone conversations in a practice known as “blagging” to gain access to personal information. The companies say they told the private investigator at the time not to break the law.

It is not called ‘Blagging’ you cretin, it is called ‘Social Engineering’, and Kevin Mitnick wrote a very good book about it (which I have read) that everyone like Richard Thomas and Phillip Inman should read. If they have read it, then double shame on them for not taking it seriously.

Mr Thomas said he was concerned that a market in stolen data was growing despite recent adverse publicity. “During a recent investigation we turned up at the offices of a private investigation agency and while we were there the fax machine leapt into life. It was a request from another firm asking them to find out if a woman had cancer. It also asked the agency to check a list of clinics to see if another woman had had an abortion.

This is astonishing. Does Richard Thomas really think that the underground market in stolen data is going to stop growing because of adverse publicity? And does he truly believe that if ContactPoint, the NIR and ID Cards are rolled out that this market will shrink?

Is he that delusional?

“In this instance we are not talking about a small misdemeanour. This is the illegal soliciting of personal information and the kind of thing that we need to investigate thoroughly.”

Bastardy mixed with ignorance. What needs to be done is to stop the compulsory aggregation of personal data into monolithic systems that are widely accessible by civil servants. That means no ContactPoint, no ID Cards and no NIR. Period.

But the CBI said enhanced powers to investigate alleged breaches of the data protection rules would have wider implications. “The nature of business is changing dramatically, so the way companies handle customer data is increasingly important,” said the employers’ body spokesman Jeremy Beale. “Some firms need to improve their data policies but there are no easy answers or silver bullets and the CBI wants a national debate to help identify where the responsibility for different aspects of data protection lies. By calling for the ability to inspect firms’ files without consent, the information commissioner is in danger of leading businesses into the very surveillance society he is heeding against.”

Exactly. And looking at files has nothing to do with laptops escaping offices or garbage being thrown out unshredded.

Mr Thomas said this year he was concerned that the vast amount of data being collected on individuals meant we were sleep-walking into a surveillance society. He said he lacked greater powers only because when the government translated the EU data protection directive into law it left out crucial elements. “The EU wants the government to give us the powers. Our experience tells us we need the powers,” he said.

Our experience, which is greater than yours simply through reading, is that:

  • You people don’t know what you are doing
  • You say one thing (protect data) and then do another (collect children’s details in an open system)
  • You do not admit to data breaches, and take no responsibility for them
  • You have no expertise in this area at all
  • You have nothing of substance to offer
  • You use this and every possible excuse to get into people’s private affairs

The Ministry of Justice is responsible for overseeing the Information Commissioner’s office. Yesterday it said: “We believe that the Information Commissioner already has adequate powers.”

Amen. What this dunderhead needs is TRAINING and EXPERIENCE in the systems he is trying to get to grips with, so that he can read and write best practice documents and then implement them INSIDE HER MAJESTY’S GOVERNMENT.

Don’t bank on banks to keep your secrets

For consumers who have been studiously shredding their old credit card statements and other sensitive data, the information commissioner’s move cannot come soon enough.

Despite repeatedly warning their customers to be careful about what they put in the recycling bin, several banks and other institutions have shown a disregard for their customers’ important financial data.

Two years ago the Guardian exposed how the Grand hotel in Brighton – bombed during the 1984 Conservative party conference – had thrown thousands of its customers’ credit card details, home addresses, and phone numbers in a skip outside its back door. Passers-by were helping themselves. We were able to ring up some of the former guests and read out their credit card numbers – to their initial bemusement, and ultimate anger. In some cases we even had their passport numbers. And the Grand was by no means alone.

The Grand Hotel in Brighton is not a bank, last time I chequed.

Since then, banks have been caught leaving bin liners full of customers’ details out in the street. Others have allowed staff to take unprotected laptops containing sensitive data home, which have subsequently been stolen.

In the USA there are now services that lock down your stuff and make it harder for thieves to use your accounts, should they get hold of your SSN. The market responds to these challenges and people are willing to pay for them. Like I predicted, ‘Dorian Grey’ services will begin to emerge onto the markets, where your identity will be shielded for a fee. You can do all your shopping and everything else you need to do whilst using an alternative managed and disposable identity. This will be the only way to keep yourself out of the legal and illegal databases, making you freer and more flexible.

A further concern was the case last year of Abbey’s call centre staff who were selling its customers’ bank details in an underpass near Bradford. In fact, this happens far more often than is realised because the banks always hush up breaches of security.

And what about the NIR, Identity Cards and ContactPoint you simple minded numbskull pinheaded journalist loser? Did it not occur to you, with that vivid image of people sneaking around in an underpass that this is the way perverts are going to trade ContactPoint data?

Honestly!

Sri Lankan staff in petrol stations recently perpetrated a £30m chip and pin fraud after they recorded details and then cloned several customers’ bank and credit cards.

Did that happen in Sri Lanka or the UK? Why mention the country that the bad guys were from? Nasty!

The government is another culprit. In one instance, temporary staff at the Child Support Agency were allowed access to one of the country’s three main credit reference agencies. The staff could ask for credit checks on individuals and get other personal financial information. To make matters worse, they were able to continue accessing the Equifax database for several months after their contracts ended.

That was a breach of Equifax, not a breach of a government database. Anyone can pay to get access to Equifax, so this example is totally bogus and garbage.

Next week HM Revenue & Customs is expected to announce that its tax credit system suffered fraud and error worth £1bn in 2005/2006. In its first three years the level of fraud and error will reach almost £3bn.

Irrelevant. Obviously Phillip Inman has run out of examples because he actually doesn’t know anything about this subject, and also, cannot even use the google to find relevant examples. What a complete jackass!

So you are far more likely to be the victim of identity fraud because of something an institution holding your details has done – or not done – than you are from not shredding your documents at home.

The brain dead, computer illiterate, irresponsible, useless Guardian

[…]

What a pathetic conclusion. The majority of people do not suffer identity theft. That is a fact. It is also a fact that people in the UK are less vulnerable because there is no single identifying number attached to everyone’s name as there is in the USA, with their despicable Social Security Number. Britain is better off than the USA in this respect, and idiots like you keep failing to connect the dots and point this out whenever you get the chance. Don’t worry; there are many people who are doing your job for you, who actually know what they are talking about, and in fact, they have had a bigger audience and influence than any of your lackluster articles have had.