
The Department for Work and Pensions (DWP) has admitted that it does not keep a running total of security breaches committed on its sensitive Customer Information System (CIS) database, prompting accusations that it is not taking adequate steps to protect personal data from intruders.
Nine council workers have already been sacked for snooping on the CIS, which contains the personal records of 62 million people, including 12 million children. The DWP had allowed councils to use the CIS to process benefits claims. But abuses by council workers may be the tip of the iceberg. The DWP also allows other government departments, including HMRC and the Courts Service, and the private sector to access the CIS.
The DWP said it did not know how many security breaches had been committed by the 200,000 staff across all the organisations who routinely use the CIS.
"Central records are not maintained of this information and thus it is not possible to answer your request without collecting this information," the DWP told Computer Weekly in answer to a Freedom of Information request. It said collecting the information would be too costly.
Security experts said the DWP could not protect personal data on
the CIS unless it tracked how often it was abused.
Professor Peter Sommer, a visiting professor of information systems at the London School of Economics, said, "If DWP is not putting reasonable effort into recording its own security breaches it cannot possibly know what remedies should be put in place or how much to spend on them - that is fundamental."
Professor Jon Walker, a government security consultant, said the
DWP's admission of ignorance demonstrated a "scandalous" neglect of
process that could put it in breach of the Data Protection Act and
ISO security standards mandated in the HMG Security Framework in
May.
Even if the DWP did compile a full list of known CIS breaches,
it might not encompass all breaches that had occurred. Known
breaches are discovered from sample checks and data matching
exercises. An estimate of the total CIS breaches could be drawn
from this exercise statistically.
CW also asked for this risk assessment, but the DWP refused to
give it on the grounds that disclosing how often it estimated CIS
security was being breached would help potential intruders.
"Information...concerning breaches of security could facilitate
the commission of an offence by rendering the CIS system vulnerable
to attack," said the DWP. It said it was in the public interest to
conceal the information.
Sommer defended the public interest in knowing how vulnerable personal data was to abuse: "The 'it would be dangerous to tell the public about our weaknesses' mantra has been the excuse of poor-quality security managers down the ages," he said.
CW also asked the DWP to provide details of the security
precautions it used to protect the CIS. It refused, claiming the
information could be used by potential intruders and that this risk
outweighed the public interest in knowing what precautions are
taken to protect its personal data.