One of the classic images from The Benny Hill Show that lingers in many people’s minds is that of the blundering police officer. I always imagined it to be a good ribbing, or possibly intended to spark a bit of outrage in what was a very (seemingly) proper and buttondown era. But when I run across stories like the following, it makes me wonder whether it was the highest form of satire.
UK Ministry of Justice Fined… Again
According to many news sites, the UK’s MoJ has been fined a significant amount by the Information Commissioner’s Office (ICO). Indeed, the fact that the MoJ has to fork over £180,000 in penalties for a 2013 data breach has been the leading headline of the story, followed by the fact that it was its second data breach is as many years: in 2011, the MoJ was fined £140,000, although the circumstances of that particular data breach were very different from the latest one.
The 2013 data breach centers on the loss of an external hard disk drive that was used as backup media. Information on 2,935 prisoners was contained in it, including “details of links to organised crime, health information, history of drug misuse and material about victims and visitors.”
The use of encryption software would have prevented the data breach. And, following the 2011 data breach, the Her Majesty’s Prison Service did provide hard drives with encryption (from computing.co.uk):
in May 2012 the prison service provided new hard drives with the option to encrypt data to all of the 75 prisons across England and Wales
Excellent! The system of propagating data security down the line works! Except…
the ICO found in its investigation of the back-up hard drive from HMP Erlestoke in Wiltshire that the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly. (my emphasis)
In Their Defense, It Can Get Confusing
If not using encryption to protect information on data storage devices is a blunder, having access to encryption tools and not using them is an even more terrible one. Unless, it could be argued, one made an effort to use them. And it seems that, in a weird way, employees at HMPs did: as far as I can tell, the ICO has not indicated that anyone was found with unauthorized storage devices. The problem has been with the authorized hard drives themselves.
It is not necessarily ignorant to assume that a hard drive that comes with encryption already arrives encrypted. For example, Apple’s iPads, iPod Touches, and iPhones come pre-encrypted (in fact, you can’t turn it off). One is only required to apply a password or a 4-number PIN to guarantee data security. Plus, there are numerous external data storage devices that come pre-encrypted. Again, setting a password is all you need to do.
The confusion can also extend to encryption software, which is why AlertBoot provides encryption status indicators on endpoints as well as in its management portal, albeit it’s more for monitoring and auditing purposes.
Regardless, there’s a reason why you train people how to use tools. If the MoJ had truly just distributed the hard drives without giving a second thought to teaching people how to use it, or to conduct a security audit soon afterwards, to see whether they were being used correctly, it’s only logical than an exasperated ICO is coming down on them with furious might.
Related Articles and Sites: