Opinion: 2007: The year your data went AWOL
We’ve been talking about data security, phishing, and online scams for years, but it feels like 2007 was the year that everything went completely pear-shaped.
With visions of Nicky Campbell rummaging through the litter bins of major high street banks fresh in the mind, it seems that every Government agency, and even a few private companies, have had a go at losing our personal data this year.
The Inland Revenue (sorry, Her Majesty’s Revenue and Customs), the Driver and Vehicle Agency, Fasthosts, the Diabetic Retinopathy Screening Service, Leeds Building Society, the Citizens Advice Bureau… I could go on, but it’s too depressing.
Yes, despite all the warnings about how vigilant we, the innocent members of the public, should be — shredding bank statements, having decent security on our PCs, securing our home wireless networks, and so on — it seems the “big boys” still aren’t getting it right.
Is it getting worse, or is it just being reported more? Either way, it’s slapdash, shoddy practices that should be near-watertight which have caused the problem.
I’m not naïve enough to think that any organisation can be 100% secure, but many of these breaches were down to human incompetence.
CDs — containing unencrypted, unprotected data at that — should never be entrusted to the Royal Mail’s standard postal service. These “money saving exercises”, allegedly employed by junior members of staff and sanctioned by managers, not only end up costing more financially to sort out, but put the public at risk and make the agency look incompetent.
Fasthosts, having been hacked in some way back in October, decided to lock out hundreds of innocent customers just before Christmas with an enforced password change.
This begs a number of questions.
Why did it take two months for Fasthosts to enforce a password change? This should have been enforced as soon as the breach occurred.
Why did Fasthosts lock out some customers who had already changed their passwords?
Why did Fasthosts not scale up their customer services team to deal with an issue that was caused by their own inadequate security systems?
Why did Fasthosts think it acceptable to send out plain text passwords by first-class post? They should at least have spent extra money to send out obscured passwords in the same way that banks send out PINs.
But enough about Fasthosts.
The only companies that seem to be benefiting from these blunders are security vendors. I’ve lost count of the number of press releases which try to raise the profile of some software or hardware system that will improve security.
All very nice, but there’s not much point having fancy, effective security 99% of the time if some idiot is standing on the street corner handing out bank statements and passwords.
Basic data security might be seen as a chore, but perhaps if people were a bit more like Gareth Keenan, there’d be less of a problem. Yes, I know that blasted paper shredder makes a helluva noise.
[Image: Getty]Related posts:
UK government contractor loses loads of personal data – again
Getac launches P470 rugged notebook with added security
Microsoft executive claims security flaws are patched quicker in Windows than other operating systems