Business Daily from THE HINDU group of publications, Monday, Dec 03, 2007
eWorld - Security - Security Musings

Safety took backseat
R.K.Raghavan
Riding on the info highway calls for care.

There is huge embarrassment to IT managers in the UK government from a recent goof-up by a junior manager at the HM Revenue & Customs (HMRC), which is the country's largest tax collector. It all started in March this year when the National Audit Office (NAO) demanded from the HMRC the National Insurance numbers of all those in the child benefit database. Where relevant, the bank account details of these beneficiaries were also to be forwarded to the NAO. The database covered 15.5 million children, 7.25 million claimants and 2.5 million alternative payees.

The negligent junior manager copied the data on to CDs and mailed them to the NAO through a courier. The CDs were, no doubt, password-protected, but the data was unencrypted. These were delivered without a hitch, and there was no controversy at either end, although the procedure adopted for the transfer of data from one office to another was in total violation of standing instructions.

The problem arose when there was a second demand for data, this time on October 18. The same procedure as on the earlier occasion was repeated. Unfortunately, the two CDs sent by the HMRC never reached the NAO. Hearing about this, the HMRC promptly obliged the NAO with another copy of the data, again on CDs dispatched by registered mail. These were received by the NAO without a problem. It was only on November 8 that the senior management of the HMRC was told of the earlier missing CDs, and the Chancellor of the Exchequer was notified two days later.

There is a furore in the UK Parliament, and outside, over the apparent government incompetence in handling sensitive data. While the HMRC Chairman, Paul Gray, promptly put in his papers accepting responsibility for what he called an "operational failure", the episode has triggered a major debate on the lack of accountability in government and the lack of teeth in the country's data protection laws. Although there is no information yet that either the lost data has been compromised or data thieves have broken into the relevant bank accounts, there is a clamour that the system in vogue should be reviewed.

PWC LOOKING INTO LAPSE

The Metropolitan Police is probing the matter. In addition, auditing giant PricewaterhouseCoopers (PwC) has been appointed to look into the lapse and suggest measures to plug existing loopholes. It is almost certain that PwC would come down heavily on a system that permitted a lone lowly official to access and copy vital data all by himself, and without authorisation from any higher formation. It is bound to ask why an available security protocol such as encrypted batch transfer was not employed by the HMRC when it sought to transfer voluminous data. The HMRC should have known that a CD is hardly the medium recommended for storage of sensitive information, especially when it is common knowledge that a CD is liable to be lost in transit.

Interestingly, it is now known that while the NAO wanted the data in question without bank information and names or addresses of individuals, the HMRC official took the stand that deleting such information from the existing database would be tedious and cost the government money! Do we need any further proof that security does not come cheap, and that parsimony in data protection could sometimes result in disaster?

TIGHTENING DATA PRIVACY LAWS

The current controversy over HMRC's failure is cited by some in conjunction with two earlier incidents in the same organisation. In October, the HMRC lost a laptop containing details pertaining to 2,000 individuals. A month later, 15,000 Standard Life customers were warned that a CD containing insurance numbers, dates of birth and pension data was lost while in transit from HMRC to Standard Life's offices in Edinburgh. All three incidents together have triggered a demand for tightening data privacy laws in the UK.

On top of the agenda is a mandatory regulation that would stipulate prompt disclosure of a breach to those adversely affected. This is in the context of criticism that in the recent case it was weeks before the government took the public into confidence about the loss of data. The Chancellor's stand is that the time taken was meant to alert banks about a possible break-in by ID thieves, if by any chance the lost data had fallen into their hands. This stand has not convinced many experts, who are emphatic that the whole matter has been mishandled. They would like to see the UK borrowing from the California law known as SB 1386, which has been adopted by many other US States. This law makes it obligatory for both government and the private sector to promptly notify citizens if any of the latter's unencrypted personal information has been compromised.

FALLOUT OF LAPSE

Embarrassment apart, the HMRC incident should introduce uncertainties in the implementation of the national ID Card, whose enormous cost had drawn flak from many quarters. It is an open secret that while former Prime Minister Blair was a great votary of such a card, his successor, Gordon Brown, is lukewarm. Also in question will be the security of the National Health Service (NHS) computerisation project. When operational, it would make sensitive health data of its subscribers all over the country accessible to about 300,000 NHS staff, not all of whom may be trustworthy or expected to observe cyber discipline. In any case, I personally believe that neither the HMRC incident nor the tight regulations in force in the US regarding disclosure of breach should go unnoticed by Indian authorities. Data protection should become an obsession and mandatory instead of being left to the mercies of untrained or dishonest public officials.

Coming back home, there is extreme nervousness over the fact that the terrorists who struck in three UP cities on November 23, 2007, sent an e-mail to the media minutes before they set off the explosions. They followed this up with another e-mail, a few days later, declaring their resolve to hit other cities as well. The cyber café in Delhi from where one of the mails was sent has probably been identified. Was this cyber terrorism, some asked me. I responded: "No, not at all. Far from it." These e-mails were indicative merely of the terrorist desire to romanticise their operations. They do nothing more than confirm a fact, already known to us, that these violent individuals are computer savvy. They are no doubt capable of overturning our cyber systems. But the fact that their principal objective of unleashing terror in the community is more effectively achieved through explosions is one reasonable guarantee that tinkering with the computers manning essential services, such as water and power supply, will be a slightly lower terrorist priority, at least for the present.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd
Copyright © 2007, The Hindu Business Line.