At work we have automatic notification if an email is sent to an external address - do the police need a consultant?
Ahh, but then your users are just trained to click 'OK' on it without thinking because 'it is always getting in the way'.
No help at all.
yes, it is helpful
It'd bloody well help increase my bank account if I were to get a wee consultancy gig moding cop systems. And a _second_ gig _unmoding_ them later on after the mods irritated the hell out of a few coppers for a few months. And a third gig putting the mods back on after the _next_ time something of this kind happens. And another gig removing them again once the noise level drops back down to normal background level... Job security in these troubled times, mate...
Oh. You meant that it's not helpful to John Public... Carry on, then.
Undermine public confidence
The police are absolutely right this does undermine my confidence in them. Well done El Reg for taking the decision to publish this, we as the public have a right to know when the police act incompetently and stuff like this should never be covered up.
Did they explain why they felt the need to export such sensitive data into a spreadsheet and email it to multiple recipients? What need was there for 5+ people to have a copy of the requests in this format and is this compatible for the purposes the data was collected for?
@Undermine public confidence
Sadly, this does not undermine my confidence in police competence. It just reinforces my present (very low) opinion.
As someone else mentions below, there is a very good chance that this not an export from their database storage system - it *is* their "database" storage system.
The mere fact that they asked El Reg to "sweep it under the carpet" speaks louder than anything else in the article and is a shameful indictment on the force.
Top marks for the Reg for adding that little snippet to the end as well!
You mean that Excel _isn't_ a Real Database System? Damn. Next you'll be saying that there's a possibility that MSIE 6 isn't a particularly secure web browser.
Some of us haven't had 'confidence' in the coppers in several decades.
"would undermine public confidence...
...in the force"? Are they serious? Frankly, given the depth of this fail, the public's confidence bloody well SHOULD be undermined.
Poor System Design
Under what circumstances would a full export of this database be necessary?
Why were police officers given the tools to export so much data?
It's poor system engineering and a complete lack of regard for data security.
May I be the first...
To congratulate you on some nice and responsible journalism. A very embarrassing incident for the police, but you have pointed out the circumstances fairly and made it clear what they have done and the current impartiality constraints they are operating under. (Its called Purdah).
I'm currently working under purdah and purdah has nothing to do with day to day operations. This foul up is purely down to negligence and there isn't a purdah on that.
Yes indeed, congrats to the Reg for the very responsible journalism. It's comforting to know that when your journalists end up being given confidential information by mistake the first thing you'll do is take a sneaky peak at it.
And then a much longer look to enable you to pull together some figures about peoples' jobs, statuses etc.
And then write a story revealing a load of that information, albeit not personally identifiable.
But as long as you deleted it several days later it's all good.
As good as the Sun - almost
Congrats on deleting it. But...
I'm betting if the Sun had been the recipient, they wouldn't have deleted it but would have done the honourable thing by returning the document to its rightful owners by forwarding the email back to them...
I say it is a fault of the system.
If the system had called for the data to be encrypted before it was transmitted, this wouldn't have been a problem.*
How the hell can they think that emailing sensitive information, "in the clear", is ok!!!
Obviously as long as they didn't include the password in the email!
Fail (cancel that - win!)
I just decided to respond to your post, when i suddenly realised, the part I was about to argue against, was infact a quote of a previous post that you were arguing against!
Therefor, I agree with you!
"Gwent Police asked The Register to consider not publishing a story about its serious data breach saying it would undermine public confidence in the force, but we declined."
Should have said, "Gwent Police asked The Register to consider not publishing a story about its serious data breach saying it would CORRECTLY undermine public confidence in the force, but we declined."
I should f**king think El Reg declined as well! Gwent Police are taking the p*ss with that one! For extra ha-ha's, release the name of the person(s) who asked you not to publish!
... to not pubish until the enquiry had concluded - as long as this was quick (i.e. not more than 3 months).
Worrying that this could happen in all forces as there are no central standards for encryption of such data.
They should keep this information on a secure server - and send the link by email. If you don't have the credentials, the mis-communicated email would be of no use.
The truth will come out.
Ye gods - thank goodness it was sent to someone who knew what to do about it, and I salute your stance - hopefully it will get some proper data handling in place.
We can' t have police forces (or indeed anyone else) expecting silence as a way of covering up mistakes.
I'm starting to like the conservatives more open approach, it will hopefully make things like this more transparant.
Right - i'm off to see it's appeared on wikileaks...
Al things considered
It sounds as though once the original error had been made everyone responded appropriately and no-one uttered the dreaded phrase 'lessons will be learned'. The only way to make such mistakes impossible to make is to make the system unusable for it's intended purpose so all long as people 'fess up' and the people who made the mistake are the ones that are punished in some form then there is hope.
OK, not that much hope
But at least they are trying
We have a new definition of epic fail
Not new at all...
Actually, I do believe that this sort of 'fail' has been going on ever since, and even before, the word 'fail' was first incorrectly applied as a noun on a message board somewhere.
You have to feel sorry for them
This is a combination of too much information being held (the stupidly OTT CRB process) and poor information handling procedures. Even IT professionals can cc the wrong person; when you have this kind of information held on a desktop PC that also holds random email addresses, it's an accident waiting to happen.
The solution? Maybe a dedicated system (or just a dedicated PC) for CRB processing. Then, if someone does send out this kind of info, they have clearly circumvented security procedures, and not just made a typo.
feel sorry for them ? Do I fuck
Maybe, if they hadn't been warned.
Maybe, if they had done things properly
Maybe, if their IT systems hadn't cost the earth.
then *maybe* I might have some sympathy.
As someone who has worked in IT for 20 years, I can tell you that 20 years ago, I would have been factoring into the system measures to prevent this sort of breach happening then.
IMHO this is gross incompetence from the start. Not that it would have made any difference, but the spreadsheet wasn't even encrypted FFS.
Somewhat more worrying
How many times has this been done and the recipient has not reported it to the press at the police's request or even not reported it at all?
The title is required, and must contain letters and/or digits.
Sweet merciful crap.
Under which provision of the DPA is it acceptable to dump incredibly sensitive information like that into a plain-ol' Excel spreedsheet and fling it across the Intertubes in plaintext by SMTP? Accidental cc-ing of the Reg or not - data like that should simply never find itself being transmitted from point to point using that sort of method. I think it's fair to assume that the coppers here email critical data around like this in plain text all the time though. Utter ineptitude.
"Investigators are blaming human error for the data breach, rather than the system design."
If it's human error, the erring human concerned is the one who implemented the database in such a way that exports like this are even possible.
What conceivable reason is there for anyone needing all 10,006 names? For any sort of management or analytical purpose, the names could be replaced with anonymous codes.
The really sad thing is that how to do this properly IS well understood. I recall reading about how the (1990?) census data was stored, and how queries were processed such that only sufficiently-anonymous extracts were available. (For example, it would give precise answers to questions about large areas, but once the areas were small enough that individuals could be identified it would introduce random perturbations.) How is it that in the last 20 years, things have got worse rather than better? My guess is that the people in charge weigh up the risk of a breach ("could never happen to us") against the inconvenience of properly protecting the data, and make the wrong choice. In fact, is it a case of "VIP Passenger Syndrome"? Were the 5 recipients of this email senior, i.e. more senior than the IT person who might have considered it a bad idea?
"autocomplete function in Novell's email software"
Not just Novell either.
Anyone in business these days knows the value of having a name that shares the first name and first few characters of the surname of that of someone seriously important. You can build a career out of being seen as someone who really knows what's going on, when actually all you're doing is reading all the high-level stuff that's being sent to you inadvertently.
Autocomplete in a widely used MS email product FWIW.
Ah. I understand the "Coward" bit of remaining anonymous now.
The Register has now deleted
Deleted or wiped?
I don't for a second think that El Reg would do anything underhand but I suppose you have the necessary knowledge to undelete said file so I suppose in the eyes of the police it really isn't deleted.
According the story el Reg had TWO DAYS from when they told Gwent for anything to happen.
I have this mental image of the Moderatrix in full regalia in front of the mail server guarding it from interference.
Database exports etc
Look, all those wondering why the database is allowed to be exported to Excel are missing the possibility that there is no database, just an Excel spreadsheet that some spotty office junior has to fill in when a CRB check is returned to them :-)
Sadly, I suspect the "Joke Alert" tag is misplaced.
It gets worse...
... I think your right and I don't think it's confined to just the police.
"are missing the possibility that there is no database, just an Excel spreadsheet that some spotty office junior has to fill in when a CRB check is returned to them :-)"
Many a true word spoken in jest.
Possibly the *most* frightening scenario.
we have a winner
I suspect that this is _exactly_ the case. Odds are that their entire 'database' is merely a Very Large Excel Spreadsheet. Many years ago I spent literal months building a 'database' in Excel which was a bunch of linked spreadsheets, some of which were originally Lotus 1-2-3 or Borland Quattro spreadsheets translated to Excel format. (And those who recognise the names, yes, it was that long ago.) I was under the direct orders of the MD to do this, despite recommending that perhaps a real database system would have been preferable. A real database system would have 'cost too much'.
@Al things considered
They acted appropriately ?
They threatened to fire the minion that had been told to email the data.
Not the bosses who picked the system without thinking of the problems, or who allowed data like this to be emailed around in clear, or didn't look at backup plans like detecting outside email addresses, or having a separate secure system for this type of mail.
It was PC idiot wot did it, so fire him.
this is the title
#or, indeed, the bosses who did not provide training about data security and encryption
A meaningless (and hence wrong) distinction
"Investigators are blaming human error for the data breach, rather than the system design".
But the human beings who operate the system are part of it. If a human operator makes an error of judgment, that is every bit as much a failure of the overall system as a hard disk crash or a programming oversight. The alternative - to exclude the human element from the system - is absurd, as virtually all systems include human elements who can easily make them fail.
Of course the people who are responsible for the system (and who earn really, really big bucks on account of that awesome responsibility) like to think that they can blame anything that goes wrong on the pondlife* who do the actual work. But it ain't so - they, the big cheeses, are equally responsible for hiring and firing the pondlife, and for motivating it, giving it adequate rest breaks, and generally making sure it performs up to specification like every other system component. Gee, if they are really concerned about its performance, they might even go so far as to try talking to pondlife occasionally. You can learn a surprising amount of useful stuff that way.
*Disclaimer: don't get overwrought about my use of this simple vivid term. I am pondlife myself, and very proud of it.
Data Loss Prevention?
I would have hoped that an organisation responsible for a great deal of sensitive information, some of which could put peoples lives at risk, had some kind of DLP system deployed on their email system. It’s quite simple to check outgoing email for tag like 'NOT FOR EXTERNAL DISTRIBUTION’, and hold it for authorisation before sending to external addresses. Such measures are becoming increasingly common in business where fines, loss of business and reputation are at stake.
Not a design issue?
Yes it bloody well is matey. The only way to send this data should be a method coded into the secure system, otherwise this invites this kind of error.
Paris Hilton now knows where you live.
Paris Hilton now knows where you live.
And she's welcome to pop round to further Anglo US relations whenever she wants...
I could ask
I could ask what business police officers have to
1) keep databases as excel files
2) mailing them around, even internally
but all I really care about is that the entire silly database should not even exist in the first place.
why don't they...
just put a block on any outgoing unencrypted documents/ spreadsheets/ databases, even PDFs attachments on emails...?
Having the right type of service and filters can very easily stop this. People make mistakes, very stupid ones but still mistakes. A simple setup to stop outgoing unencrypted documents/ spreadsheets/ databases would stop this and sender can be notified. Whoever did the initial system design, didn't do a very good job of it (or perhaps it was the lack of financing!)
Why the hell would anyone export over 10k records anyway? If you need a secure method, surely you would have a more secured centralised SQL server for the police force to access confidential data from?
"If you need a secure method, surely you would have a more secured centralised SQL server for the police force to access confidential data from?" -
you don't mean like a "database"?! I have reservations about the amount of information the state maybe keeping on me in various databases, but i always assumed (somewhere in the back of my mind) that they were actual *databases*, only accessible by certain people that had been vetted and trained to use them. Not some poxy spreadsheet that gets cc'd to all and sundry.
damage confidence in the police?! - damage confidence in the whole damned system more like...
99% of all data breaches are due to human error at some level.
Keep banging the rocks together, guys!
Once again, the "Ooh, I'll e-mail you the data as an Excel file!" workflow of the Wintards bites someone in the behind. Either some time previously or at some point in the future, when a migration away from the usual mish-mash of Excel plus "bespoke" (in other words, "shitty ad-hoc") macros is suggested, everyone will have been (or will be) up in arms about the replacement not being as shiny: "Where'd that lovely dog/paperclip/ribbon go? I want my Brand M!" <stamps foot>, followed by later whining about needing training for the next iteration of Windows/Office.
And it'll be back to banging the rocks together and umpteen copies of confidential spreadsheets littering the "network shares" and various hard disks, to be seen in an eBay auction near you.
...should be re-assured that I, for one, have greater confidence in them today than I had yesterday. Why? Well...
Yesterday, I took it as read that such incidents occur but nothing will actually change until someone *really* screws up. Today I read that someone has screwed up and the senior decision makers are red-faced. Therefore, it is likely that sensitive data is safer today than it was yesterday.
«Today I read that someone has screwed up and the senior decision makers are red-faced. Therefore, it is likely that sensitive data is safer today than it was yesterday.»
Wrong assumptions lead to wrong deductions.
1) You assume that they care and thus are going to do something about it. WRONG. They ignored the issue before ("won't happen to us") and they will most likely continue ignoring it ("can't happen twice")
2) You assume that they have the technical ability and the cash to plug the hole. WRONG. This kind of incident prove that the system is fundamentally flawed. Even if they did actually want to fix the system It would take a complete audit and redesign. Which they probably don't know how to do, and they couldn't afford to anyway.
Only thing that will happen will be a couple memos reminding everyone to check their emails' recipients list twice, and that's it.
Alas, this is just another example of a condition known as "Spreadsheet Bindness" where all critical thinking ceases as soon as data is entered or imported into a spreadsheet. Spreadsheets are an amalgam of data and application logic and presentation, yet data integrity, security, consistency and versioning is ignored; complex application programming is undertaken with no design, and put into production without any structured testing.
So we end up with financial and personal information being managed by the emailing of spreadsheets: these are deemed to be authoritative data by the recipient with no consideration of their provenance, and disseminated with no consideration of basic data management.