date: Wed, 21 Nov 2007 07:14:27 +0000,
group: uk.gov.social-security
Re: The Department for Work and Pensions' record on protecting your personal information
On 22 May 2006 17:48:20 -0700, New Deal Veteran wrote in
uk.politics.id-cards :
>In the early weeks of this year I discovered that the private details
>of over 5800 people had been left on an unprotected computer desktop
>for two weeks. The computer was one of ten PCs in the internet access
>room of a company called 'Instant Muscle Ltd', on Powis Street in
>Woolwich London.
>
>These computers were available & intended for use by dozens of
>unemployed people on the government's New Deal IAP scheme. None of
>these people had individual user accounts, no passwords were required
>to view or copy any data left on the desktop by other users.
>
>The trouble was that some of those other users were Instant Muscle
>staff themselves. One member of staff left behind a couple of files
>they had been using to generate junk mail for the company...
>
>How were they generating this junk mail? They were extracting people's
>names and addresses from an Excel spreadsheet.
So we've been here before then?
--
"Life should NOT be a journey to the grave with the intention of
arriving safely in an attractive and well preserved body, but rather to
skid in sideways, champagne in one hand, strawberries and chocolate in
the other, body thoroughly used up, totally worn out and screaming
WOO HOO - What a Ride!"
anon
So learn how to use your DELETE key and strip the irrelevance from the
messages you reply to!
date: Wed, 21 Nov 2007 07:14:27 +0000
author: Phil O'Sofa
|
Re: The Department for Work and Pensions' record on protecting your personal information
"Phil O'Sofa" wrote in message
news:alm7k3ps4s0f1v2fmh9unfai298sul9gkg@4ax.com...
> On 22 May 2006 17:48:20 -0700, New Deal Veteran wrote in
> uk.politics.id-cards :
>
>>In the early weeks of this year I discovered that the private details
>>of over 5800 people had been left on an unprotected computer desktop
>>for two weeks. The computer was one of ten PCs in the internet access
>>room of a company called 'Instant Muscle Ltd', on Powis Street in
>>Woolwich London.
>>
>>These computers were available & intended for use by dozens of
>>unemployed people on the government's New Deal IAP scheme. None of
>>these people had individual user accounts, no passwords were required
>>to view or copy any data left on the desktop by other users.
>>
>>The trouble was that some of those other users were Instant Muscle
>>staff themselves. One member of staff left behind a couple of files
>>they had been using to generate junk mail for the company...
>>
>>How were they generating this junk mail? They were extracting people's
>>names and addresses from an Excel spreadsheet.
>
> So we've been here before then?
Don't think the latest incident was the DWP's fault, think the loss of
information came from HMRC this time.
date: Wed, 21 Nov 2007 14:13:42 GMT
author: Syberian
|
Re: The Department for Work and Pensions' record on protecting your
personal information
Syberian wrote:
>
> "Phil O'Sofa" wrote in message
> news:alm7k3ps4s0f1v2fmh9unfai298sul9gkg@4ax.com...
>> On 22 May 2006 17:48:20 -0700, New Deal Veteran wrote in
>> uk.politics.id-cards :
>>
>>> In the early weeks of this year I discovered that the private details
>>> of over 5800 people had been left on an unprotected computer desktop
>>> for two weeks. The computer was one of ten PCs in the internet access
>>> room of a company called 'Instant Muscle Ltd', on Powis Street in
>>> Woolwich London.
>>>
>>> These computers were available & intended for use by dozens of
>>> unemployed people on the government's New Deal IAP scheme. None of
>>> these people had individual user accounts, no passwords were required
>>> to view or copy any data left on the desktop by other users.
>>>
>>> The trouble was that some of those other users were Instant Muscle
>>> staff themselves. One member of staff left behind a couple of files
>>> they had been using to generate junk mail for the company...
>>>
>>> How were they generating this junk mail? They were extracting people's
>>> names and addresses from an Excel spreadsheet.
>>
>> So we've been here before then?
>
>
> Don't think the latest incident was the DWP's fault, think the loss of
> information came from HMRC this time.
well, parts of the HMRC perform functions that used to be part of the
DWP / DSS. Child Benefit used to be administered by social security and
a lot of the working practices are much the same as they were under the
previous government department. Though in this case it was (seemingly)
an error on the part of someone who appeared either not to know the
procedure of how this data should be sent or wasn't being supervised
adequately enough when performing their tasks.
--
Robbie
date: Wed, 21 Nov 2007 15:30:34 +0000
author: Robbie
|
Re: The Department for Work and Pensions' record on protecting your
personal information
Mike wrote:
> On 21 Nov, 15:30, Robbie wrote:
>> Syberian wrote:
>>
>>> "Phil O'Sofa" wrote in message
>>> news:alm7k3ps4s0f1v2fmh9unfai298sul9gkg@4ax.com...
>>>> On 22 May 2006 17:48:20 -0700, New Deal Veteran wrote in
>>>> uk.politics.id-cards :
>>>>> In the early weeks of this year I discovered that the private details
>>>>> of over 5800 people had been left on an unprotected computer desktop
>>>>> for two weeks. The computer was one of ten PCs in the internet access
>>>>> room of a company called 'Instant Muscle Ltd', on Powis Street in
>>>>> Woolwich London.
>>>>> These computers were available & intended for use by dozens of
>>>>> unemployed people on the government's New Deal IAP scheme. None of
>>>>> these people had individual user accounts, no passwords were required
>>>>> to view or copy any data left on the desktop by other users.
>>>>> The trouble was that some of those other users were Instant Muscle
>>>>> staff themselves. One member of staff left behind a couple of files
>>>>> they had been using to generate junk mail for the company...
>>>>> How were they generating this junk mail? They were extracting people's
>>>>> names and addresses from an Excel spreadsheet.
>>>> So we've been here before then?
>>> Don't think the latest incident was the DWP's fault, think the loss of
>>> information came from HMRC this time.
>> well, parts of the HMRC perform functions that used to be part of the
>> DWP / DSS. Child Benefit used to be administered by social security and
>> a lot of the working practices are much the same as they were under the
>> previous government department. Though in this case it was (seemingly)
>> an error on the part of someone who appeared either not to know the
>> procedure of how this data should be sent or wasn't being supervised
>> adequately enough when performing their tasks.
>>
>> --
>> Robbie
>
> Extracting this kind of data held on the DWP systems is simply not
> possible by rank and file processors. It requires a specific scan of
> an offline copy of the database (GMS). When I have requested scan
> data I've had to sign a request which was authorised by the office
> manager and given an undertaking regarding access, keeping it secure
> and retention. I was under no illusion what my responsibilities were
> and this was a scan of only a few thousand cases.
> I would expect the HMRC to have similar in place. What I want to know
> is WTF the NAO needed my bank details - they were not making payments
> nor checking they'd gone in, the NAO is a high level audit.
> As many of these customers won't be on any other benefits or credits I
> suspect that if the info gets into the hands of criminals they will
> use it to make false claims en masse.
> Attempts to use stolen ID details do occur already, I've come across
> a few and it's only because there were existing claims they were
> picked up. Had they been taxpayers with no benefits they could have
> gone undiscovered for many many years.
>
>
> Mike
According to what I've read, the same data was sent to the NAO months
earlier and returned as it wasn't needed. I want to know why the data
was being obtained (by a junior official - what do they mean by a junior
official?) and if it wasn't needed why on earth was someone obtaining
it, and how?
I'm intrigued how every single piece of data about every recipient could
be captured with such ease - there's more to this than meets the eye.
To have data on 25% to 30% of the UK population disappear like this is a
worrying development - the Government owe it to us all to do a little
bit more than just apologise and send in the police.
--
Robbie
date: Wed, 21 Nov 2007 18:42:26 +0000
author: Robbie
|
Re: The Department for Work and Pensions' record on protecting your personal information
Mike wrote in
news:81d7ee57-b43b-48f5-9097-12886fd6977f@c30g2000hsa.googlegroups.com:
[snip]
> Extracting this kind of data held on the DWP systems is simply not
> possible by rank and file processors. It requires a specific scan of
> an offline copy of the database (GMS). When I have requested scan
> data I've had to sign a request which was authorised by the office
> manager and given an undertaking regarding access, keeping it secure
> and retention. I was under no illusion what my responsibilities were
> and this was a scan of only a few thousand cases.
I'd be interested to know the format that the data is in. News reports say
it was "password protected, but not encrypted". Does this mean it's just
some kind of Excel / Access file?
Do government departments have procedures for encrypting data that they
send through their internal post?
date: Wed, 21 Nov 2007 19:03:07 GMT
author: bealoid
|
Re: The Department for Work and Pensions' record on protecting your personal information
On Wed, 21 Nov 2007 11:11:45 -0800 (PST), Mike
wrote:
>On 21 Nov, 19:03, bealoid wrote:
>> Mike wrote in news:81d7ee57-b43b-48f5-9097-12886fd6977f@c30g2000hsa.googlegroups.com:
>>
>> [snip]
>>
>> > Extracting this kind of data held on the DWP systems is simply not
>> > possible by rank and file processors. It requires a specific scan of
>> > an offline copy of the database (GMS). When I have requested scan
>> > data I've had to sign a request which was authorised by the office
>> > manager and given an undertaking regarding access, keeping it secure
>> > and retention. I was under no illusion what my responsibilities were
>> > and this was a scan of only a few thousand cases.
>>
>> I'd be interested to know the format that the data is in. News reports say
>> it was "password protected, but not encrypted". Does this mean it's just
>> some kind of Excel / Access file?
>>
>> Do government departments have procedures for encrypting data that they
>> send through their internal post?
>
>Whenever I've had scans done I've had the choice of paper or Excel
>spreadsheet with the only protection being Excel's own. That said the
>file has been e-mailed to me via an internal e-mail system so it
>hasn't left the gov system.
>
>I've never sent customer data outside the DWP en masse.
>
>Mike
I imagine the number of Subject Access Requests (SARs) made under the
Data Protection Act will shortly reach epic proportions when Jo and
Joanne Public go into panic overdrive mode. This will cause a severe
reduction in the overall level of service provided by already
over-strained Data Protection Officers.
Despite opinion to the contrary it's not possible to simply push a
button and get a full cross departmental record print or find the box
with Jo or Joanne's name on - a box containing *everything* right back
from day one. Oh no - nothing like as simple as that!
Even if it were that simple it could be weeks, months or even years
before evidence of identity theft came to light. ID thieves don't act
in haste.
date: Wed, 21 Nov 2007 22:02:50 GMT
author: Punter
|
Re: The Department for Work and Pensions' record on protecting your personal information
On Wed, 21 Nov 2007 19:03:07 GMT, bealoid wrote in
uk.politics.id-cards :
>I'd be interested to know the format that the data is in. News reports say
>it was "password protected, but not encrypted". Does this mean it's just
>some kind of Excel / Access file?
I read somewhere it was on Excel, but I can't believe they could get
25 million records linked with all the details listed in *just* 2 CDs.
>Do government departments have procedures for encrypting data that they
>send through their internal post?
If they were Excel files and password protected they are a challenge
to try and crack without knowing something about the data or the
author.
Unless the password is one of the blindingly obvious ones.
date: Wed, 21 Nov 2007 23:30:56 +0000
author: Phil O'Sofa
|
Re: The Department for Work and Pensions' record on protecting your
personal information
Phil O'Sofa wrote:
> On Wed, 21 Nov 2007 19:03:07 GMT, bealoid wrote in
> uk.politics.id-cards :
>
>> I'd be interested to know the format that the data is in. News reports say
>> it was "password protected, but not encrypted". Does this mean it's just
>> some kind of Excel / Access file?
>
> I read somewhere it was on Excel, but I can't believe they could get
> 25 million records linked with all the details listed in *just* 2 CDs.
>> Do government departments have procedures for encrypting data that they
>> send through their internal post?
>
> If they were Excel files and password protected they are a challenge
> to try and crack without knowing something about the data or the
> author.
>
> Unless the password is one of the blindingly obvious ones.
>
According to the HMRC it was a password that was known only to the HMRC.
Yes!
So it was only known by 92,000 people...
--
Robbie
date: Thu, 22 Nov 2007 00:12:31 +0000
author: Robbie
|
Re: The Department for Work and Pensions' record on protecting your personal information
Phil O'Sofa wrote in
news:gmf9k3hac60jlqsmjkibpqfssuiebg8fut@4ax.com:
> On Wed, 21 Nov 2007 19:03:07 GMT, bealoid wrote in
> uk.politics.id-cards :
>
>>I'd be interested to know the format that the data is in. News
>>reports say it was "password protected, but not encrypted". Does this
>>mean it's just some kind of Excel / Access file?
>
> I read somewhere it was on Excel, but I can't believe they could get
> 25 million records linked with all the details listed in *just* 2 CDs.
>
>>Do government departments have procedures for encrypting data that
>>they send through their internal post?
>
> If they were Excel files and password protected they are a challenge
> to try and crack without knowing something about the data or the
> author.
>
> Unless the password is one of the blindingly obvious ones.
ISTR some Excel password cracking softs can brute-force files using multiple
computers over a network, making such attacks feasible. Especially for
Russian criminal gangs. :-/
date: Thu, 22 Nov 2007 08:56:52 GMT
author: bealoid
|
Re: The Department for Work and Pensions' record on protecting your personal information
On Wed, 21 Nov 2007 23:30:56 +0000, Phil O'Sofa
wrote:
>On Wed, 21 Nov 2007 19:03:07 GMT, bealoid wrote in
>uk.politics.id-cards :
>
>>I'd be interested to know the format that the data is in. News reports say
>>it was "password protected, but not encrypted". Does this mean it's just
>>some kind of Excel / Access file?
>
>I read somewhere it was on Excel, but I can't believe they could get
>25 million records linked with all the details listed in *just* 2 CDs.
CSV file.
MM
date: Thu, 22 Nov 2007 17:15:20 +0000
author: MM