IT News Thread, Oh dear more data loss in Other News; BBC NEWS | England | Manchester | Details of 33,000 children stolen Who on earth is storing such sensitive data ...
  1. #1
    Oops_my_bad's Avatar

    Oh dear more data loss

    BBC NEWS | England | Manchester | Details of 33,000 children stolen

    Who on earth is storing such sensitive data on laptops and why??

  2. #2

    FN-GM's Avatar
    If the data is stored locally why wasn't it encrypted?

  3. #3

    localzuk's Avatar
    Why was it stored locally at all?! Information like this should be centralised and then connected to via a VPN or other secure connection...

  4. #4
    mossj's Avatar
    It was password protected, but it all depends on how it was protected....

    More to the point why is it stored locally at all, surely having something stored on a server would be much safer when it comes to theft....

    posted just after localzuk

  5. #5

    FN-GM's Avatar
    Hopefully it will just be petty theft and they sell it on or it gets reformatted. The new owner will probably have no idea what data was on it.

  6. #6

    Gatt's Avatar
    Well, now they do - thanks to the BBC!

  7. #7

    Michael's Avatar
    The information is password protected and bosses believe that the information will be of little use to those who stole the computer.
    That makes it alright then doesn't it? It frustrates me that in 2009, data protection is becoming a real problem yet no one takes the bull by the horns and sets down proper regulation or procedure.

    The one fundamental question which should always be asked is "Why was the data taken off site and for what purpose?" Lessons can and should be learned from this, but I think a lot of lessons can also be learned from the banking industry. Although not perfect, a lot of their procedures should be adopted and should be implemented in other industries; education being one of them!

  8. #8

    localzuk's Avatar
    Quote Originally Posted by Michael View Post
    That makes it alright then doesn't it? It frustrates me that in 2009, data protection is becoming a real problem yet no one takes the bull by the horns and sets down proper regulation or procedure.

    The one fundamental question which should always be asked is "Why was the data taken off site and for what purpose?" Lessons can and should be learned from this, but I think a lot of lessons can also be learned from the banking industry. Although not perfect, a lot of their procedures should be adopted and should be implemented in other industries; education being one of them!
    The problem is a lack of leadership from the top. And I don't mean in the school, I mean at an LEA level. There are now detailed guidelines on what should be happening, and they have been discussed quite a bit on this site, but as yet, we have yet to receive any guidance on what is expected at a school level from our LEA down here. When we have asked them about it the reply was 'we're looking into it' and that's it.

    The data protection issue always seems to take a back seat, coming up as an afterthought time and time again. SIMS.net, for example, was implemented without much thought to the security of the data held within, in my opinion. No method of forcing a time out of sessions, no method of ensuring data isn't being projected onto a screen in a classroom, no support for 2 token authentication. Sure there is a complex ACL system for letting different people see different things, but this is not enough. What about when people go and export data willy-nilly, littering their local file systems with insecure Excel files and Word documents?

    Whenever I think of a new system, the first thought is 'what security is involved' and then work from there. Otherwise, the end result is a system filled with security flaws and holes.

  9. #9

    GrumbleDook's Avatar
    Quote Originally Posted by localzuk View Post
    Why was it stored locally at all?! Information like this should be centralised and then connected to via a VPN or other secure connection...
    The use of laptops to process such data is common as it removes the risk of central services being down and not having access to the information. This is important if you have to go to different locations and work / present the information and those locations may not have connections to the central services ... an example would be an Ed Psych coming in to your school and wanting to show information to various folk but they have to have a live 'Net feed to do it over a VPN. How would you feel if a random person came into your school and asked to connect it to your wireless / wired network to set up VPN access to another location?

    So ... local copies of the data are there to make it usable.

    I do agree with the question about the data needing to be encrypted and for all we know it may have been encrypted too ... the news article doesn't really give enough information about it.

    When it comes to MIS ... then many do have two-factor authentication ... you have to authenticate against a client and then again against the MIS ... the human problem is ensuring that the details for both are not on a post-it note on the screen!

  10. #10


    tom_newton's Avatar
    Quote Originally Posted by localzuk View Post
    Why was it stored locally at all?! Information like this should be centralised and then connected to via a VPN or other secure connection...
    http://download.smoothwall.net/pdf/laptopdata.pdf

    Been moaning about this brand of idiocy for 3 years

  11. #11

    localzuk's Avatar
    Quote Originally Posted by GrumbleDook View Post
    The use of laptops to process such data is common as it removes the risk of central services being down and not having access to the information. This is important if you have to go to different locations and work / present the information and those locations may not have connections to the central services ... an example would be an Ed Psych coming in to your school and wanting to show information to various folk but they have to have a live 'Net feed to do it over a VPN. How would you feel if a random person came into your school and asked to connect it to your wireless / wired network to set up VPN access to another location?

    So ... local copies of the data are there to make it usable.

    I do agree with the question about the data needing to be encrypted and for all we know it may have been encrypted too ... the news article doesn't really give enough information about it.

    When it comes to MIS ... then many do have two-factor authentication ... you have to authenticate against a client and then again against the MIS ... the human problem is ensuring that the details for both are not on a post-it note on the screen!
    Ah, but why would they need the details of 33,000 people like in this case? Also, we now have a world of 3G internet connections, so there is no longer any excuse.

  12. #12

    GrumbleDook's Avatar
    3G does not work as a reliable connection solution for fast access. How many of us moan about poor mobile signals in buildings?

    33000 people is not a lot. If you have an offline copy of a database it may be that you simply have the version that covers secondary schools. That wouldn't even cover our secondary students in Northants.

    So, again, I ask you, would you allow them to connect to your network?

  13. #13

    webman's Avatar
    Quote Originally Posted by GrumbleDook View Post
    So, again, I ask you, would you allow them to connect to your network?
    Providing they had valid credentials, then yes - but only to the internet DMZ. They wouldn't get access to our LAN.

  14. #14

    GrumbleDook's Avatar
    And you have a VLAN in place that takes them to your DMZ? How often do you get such visitors and did you have a struggle with your SMT to get the funds to set it up?

    Good to hear about it though.

  15. #15


    Quote Originally Posted by GrumbleDook View Post
    The use of laptops to process such data is common as it removes the risk of central services being down and not having access to the information.
    Then they should make their servers reliable.

    they have to have a live 'Net feed to do it over a VPN. How would you feel if a random person came into your school and asked to connect it to your wireless / wired network to set up VPN access to another location?
    They wouldn't be a random person, they would be a person who is responsible for a hell of a lot more data than I am, or any of my school are for that matter. Besides which most of us now are on the Northern/Birmingham/etc Grid, what exactly is this grid for if it isn't for this purpose?


    So ... local copies of the data are there to make it usable.
    I doubt very much they needed that sort of detail. I feel it is infinitely more likely that de-personalised data would have sufficed. *


    When it comes to MIS ... then many do have two-factor authentication ... you have to authenticate against a client and then again against the MIS ... the human problem is ensuring that the details for both are not on a post-it note on the screen!
    The first line of authentication relies on us, the techies, a breed soon to be replaced due to our incompetence (when talking on a national level). Not really good going so far. Now what about when SIMS is using its Active Directory authentication? Not the best method anyway, but what about if a user leaves themselves logged on, or if our system is insecure? What if we have a generic user called "teacher" with a password of "teacher"... and I think it's fair to say we could all name at least one school which has such a user.


    * Following on...
    Quote Originally Posted by GrumbleDook View Post
    33000 people is not a lot.
    It is for doing data processing. 33,000 people having data processing performed on them is not a job for a laptop. Given this I personally can think of 2 likely reasons for the data being on there: the user is one of these people who, despite being told to leave data on the server, copies it onto his/her laptop whilst doing work. Or he/she was doing data analysis/reporting/graphing/etc, in which case I go back to my original thought that there is no need for people's personal details to be on that laptop.


    It's exactly that attitude of "oh but it's easier [to just have copies of the data flying all over the place, saves me having to plug my laptop in to the network/etc]" which puts me firmly against ID cards. What about when someone "loses" your full DNA data? (A natural progression of biometrics) Do you just apply for new DNA? lol
    Last edited by j17sparky; 5th April 2009 at 11:32 AM.
