More Information
- Government Data Security - The IPCC Case
- Privacy Commissioner Probes into IPCC Data Leak
- HK police complaints data leak puts city on edge
- Independent Police Complaints Council
- InfoSec
- Tables turned in Net leaks affair
Allan Dyer
The front page of the Government’s InfoSec website informs us, “Information Security is Everybody’s Business”, but it appears that the message is not getting through. The leak of highly confidential data about complaints against the Police from the Independent Police Complaints Council (IPCC) is a dramatic demonstration of failure.
David Webb, editor of webb-site.com, an independent site that monitors Hong Kong’s corporate and economic governance, discovered and reported the leak, and it has been covered in detail in the Hong Kong press. This brief summary is for overseas readers and is based on what has been revealed so far. It should be noted that the investigation is ongoing: About three years ago, the IPCC engaged a contractor to work on the data that the IPCC receives from the Complaints Against Police Office (CAPO). The contractor delegated the job to a sub-contractor, who requested test data. The IPCC provided the sub-contractor with data on 20,000 real cases. The sub-contractor transferred the data to a site on the Internet, so that he could work on the data elsewhere. On 9th March 2006, David Webb was using Google to search for a property address when he stumbled on the data. He quickly realised the significance of the data and decided to report it to an independent body with investigatory powers, the Independent Commission Against Corruption, and to the press. Since then, a number of other leaks of personal data (from an insurance company and a phone company) have been revealed.
How could this happen? The Government has extensive guidelines on information security, the Privacy Commissioner has even run T.V. adverts to educate everyone about the importance of personal data privacy, and the IPCC itself, on its’ website includes, “Strict observance of the code of confidentiality” in its’ values. Perhaps they are using “observance” to mean “watching” instead of “conformance to”?
In addition to the obvious questions about respect for and care of personal data, I would like the underlying issues to be addressed:
- The IPCC is a small organisation, with less than 20 members and without dedicated IT staff. There are many other similar bodies, how can their IT needs be met safely and securely?
- The Government has detailed guidelines on information security, which were, presumably, available to the IPCC. Perhaps one reason they were not followed was because they are too detailed, and therefore look like a technical IT document that the organisation’s executive just passed on. Would a much shorter policy document be more effective at informing executives about their responsibilities?
- Many Government contracts are awarded to large companies, probably because they are seen as having an established reputation, and a size to take responsibility. However, in this case, the contractor has distanced itself from the actions of the sub-contractor. Do the supposed benefits of contracting to large companies really exist if they routinely delegate the work to either their junior staff or sub-contractors, without sufficient oversight and monitoring?
- The current appearance is that IPCC staff made the biggest blunder, when they sent real data in response to a request for test data. However, surely it was clear to the sub-contractor that the data received was real, not test? Someone might make up a handful of fictitious names and cases, but not 20,000 fully-detailed records.
Loosing confidentiality is a one-way process: there is no way of recalling the data from general circulation, or erasing details from the minds of people who have seen it. However, the Government should make its’ best efforts to minimise the adverse effects on those affected, and to provide compensation where appropriate.
Learning the Wrong Lessons
Naturally, there is a lot of discussion about the incident, but not all of it addresses the core issues. At a local security conference I was told, “this would not have happened if they had been using
Mr Ken Ng, the Managing Director of EDPS, also provided some examples, in my opinion, while speaking at the ISSG Special Forum: One concerned protecting data appropriately on ftp sites… by using a username and password – doesn’t he know ftp is an insecure protocol, the passwords are sent in–the–clear! Another came when Mr Ng reported that his company’s current practice was to always deploy staff on-site, because of the dangers. This seems to be a knee-jerk over-reaction – encryption technology can protect data in transit and in storage, so a blanket rule is unnecessary. It might also lead to other risks being over-looked, and it will probably increase costs. Security is not a one-size-fits-all proposition, the particular circumstances, the threats and the sensitivity should be taken into account.
Conclusion
Looking to the future, I hope that this case awakens everyone to the importance of personal data, and their responsibilities towards it. This case it probably the tip of the iceberg, there are almost certainly far more cases of breech of confidentiality of personal data waiting to be found. The Privacy Commissioner needs some teeth, and everyone needs to realise the importance of information security.