WRITTEN ON November 2nd, 2008 BY Sir Bonar Neville-Kingdom GCMG KCVO AND STORED IN Data nitwittery, Foundation of Trust, What do we want?
Sir Bonar writes
I’ve been asked to say a few words about the recent loss on a memory stick of the login details of all users of the Government Gateway, together with all the source code. The Government Gateway is the Web Site you use to register for online government services. It is an important part of the government’s strategy of delivering ‘joined up’ government, enabling people to communicate and make transactions with government from a single point of entry. Security is of key importance in the Government Gateway.
First I should make it clear this is an isolated incident.
The memory stick in question is extremely small, and therefore hardly likely to be of any great consequence. I believe these details have been lost many times before so it is highly unlikely that this particular loss will be consequential, other than for the individual concerned.
People will be further reassured that this data was not lost by a Civil Servant, but by someone working for our contractor Atos Origin. In passing I might note that when one enjoys hospitality with Atos Origin it is not quite of the calibre one has come to expect from, let us say, Lockheed Martin or Accenture. Sure enough, while we might expect a memory stick from one of the big US suppliers to be picked up at Le Gavroche or handed in to reception at Glyndebourne, this one turned up in the car park of a modest public house of the type frequented by commercial travellers.
The Gateway is a largely obsolete system with very few users. Usernames and passwords are a very primitive and insecure form of access control (as indeed this incident shows). We shall shortly be moving to full biometrics and ID Cards for all public services. These will be 100% secure. After all, one can hardly mislay one’s fingertips, can one?
I’m pleased to say that our procedures for reporting such losses are working smoothly and that our reputation as a world leader for situational awareness at such times remains second to none. We have prepared a revised version of our standard statement for the news media which you will find below:
We take this sort of episode very seriously. We have launched an immediate and urgent investigation into this. We are going to assess what needs to be done. Senior people are involved. Gus will issue new guidance shortly. We have moved immediately to make sure there is no conceivable risk to users of the system. There is no evidence that the integrity of the system has not been compromised. Now that this disk has been retrieved there is no further risk to users. There is no evidence whatsoever that it has been cloned or copied in any way, or that any other copies were ever made from the same source.
Although people are required to give personal details such as national insurance number and passport number to the Gateway we can reassure people that the USB memory stick, also known as a flash drive, contained no health records, criminal records or inside leg measurements.
4 Responses to “Timely reassurance over Gateway access details”
A copy of the following email was sent to me, presumably by mistake:
From: Sir Gus O’Donnell
To: SecStateDTI
Date: 2 November 2008
Subject: Re: No time to do HomeSecPete
Don’t give me that nonsense. The way Darling’s going at the Treasury, there soon won’t be any trade and industry to be SecState for!
And you can tell Bunkum Mattinson for me that if he doesn’t take the K he’s looking at a tragic accident in one of the windier roads round Cheltenham.
You think you’ve got problems! Some new girl on the switchboard only put Spliff’s* mum through to me. 15 minutes I had to suffer of it isn’t fair and anyone can make a mistake. Had to fake a heart attack to get her off the phone.
Then Spliff herself comes in and I get 15 minutes of same. I told her I’d got her her old job back co-ordinating GNVQs at Haybridge but that didn’t seem to help.
Had to stop her crying somehow so I told her I was not best pleased to hear that Atos Origin had the GovGate contract in the first place. I distinctly remember banning them from Whitehall, I said, after they published that ridiculous report about the biometrics trial. The one in which they told the truth about what a shambles the whole thing was. What’s the matter with these people!
She grabs the silk handkerchief from my Chester Barrie, dabs her eyes, smiles and says “that was Hall”.
And that’s the way it’s going to be. Hall disobeyed instructions and let Atos Origin have a new contract despite the wise counsel of the Assassin. Then Hall takes on Project Stork, making sure our GovGate works with everyone else’s. Latest revelations, leaky sieve, too embarrassing, EU insists, Hall’s got to go.
Jackie and the Assassin get to stay.
Can you get Blue Sky Birt’s furniture out of store, stick it in the Cabinet Office and set Hall up somewhere well away from the serried ranks of disgraced ex-heads of HMRC.
We’ll need someone who knows what he’s doing at IPS. See if the MOD have got anyone they want to get rid of.
Meantime, the Mail have been on the blower. They’ve found some dirt on Levy after half an hour wandering around the GovGate with administrator privileges. Front pages for the week dealt with.
The Guardian are going with Miliband and the Congo all week. PM reckons there’s very little point the boy David coming back anyway.
The Indie are doing our green future for the next 50 years, the Telegraph have got some risqué pictures of Miss Johansson and the Times have decided that GB is in pole position, the F1 champion of chancellors and they’re hoping to fly him out to Monte for a photo-op with young Hamilton.
That was a close thing there but, no thanks to Pauline, there doesn’t look like being any credit crunch news for another week. US elections help, of course.
Best
Gus
———-
* Believed to be a reference to the Home Secretary
Another weekend’s press, another data loss [that we know about]. Is there yet any sign of anyone in government wanting to talk about more secure, privacy-enhancing alternatives to large, centralised data bases? WIBBI we helpfully (re)started a positive, constructive conversation about how to do things a bit differently?
Phil Booth comments elsewhere:
Phil Booth, NO2ID national coordinator said: “Blaming human error is a cop out. It is the fundamentally flawed policy of gathering and trafficking masses of personal information within and across departments and agencies that makes these losses inevitable. “When is the government going to wake up and take some responsibility? You can’t protect it. So don’t collect it.”

A copy of the following email was sent to me, presumably by mistake:
———-
* Believed to be a reference to Sir Bonar Neville-Kingdom
** Believed to be a reference to Sir David Normington, permanent secretary at the Home Office.