The BBC is reporting that a number of police authorities have admitted to data loss incidents and to misuse of police computers by staff. The most disturbing of these involves Gwent Police, where a CD containing the personal details of 2,300 crime victims went missing in the post. The incident, which happened in May 2007 (before the HMRC child benefit discs made such losses headline news), was not deemed worthy of reporting because the data:
was password-protected but not encrypted.
The victims of crime whose details were held on the CD were not told of the loss because “it was deemed that this information could not have been accessed,” the force said.
It’s time for the information security community, and in particular the police’s own security experts, to step up to the plate and explain to whatever fools came up with that old chestnut that “password-protected but not encrypted” must be treated exactly as unencrypted. Password protection of that kind is an access check enforced by the application that opens the file: the password (or a hash of it) is stored alongside the data and the program refuses to display the contents until the user types the right one, while the contents themselves sit on the disc in the clear. Anyone who opens the file with a different program, a hex editor or a `strings` command reads the data without ever being asked for a password. It gives a bit of protection against idly prying eyes on a shared network drive and none at all against whoever now has the CD; from a data protection perspective it is meaningless. Even a “password to open” in the older Office and ZIP formats, which does encrypt, uses ciphers weak enough that the password is routinely recovered offline. The only answer that would have justified not notifying the victims is strong encryption with a key that did not travel with the disc.
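To make the distinction concrete, here is an added illustration (not code from the original post, not Gwent Police’s file and not a real MS Office or ZIP format): a hypothetical “password-protected” container, PWDF, that stores a password hash in its header and the body verbatim, beside a hypothetical encrypted container, ENCF, whose body is only recoverable with the password. The victim records are constructed sample data, and the stdlib-only cipher (PBKDF2-derived key, HMAC-SHA256 in counter mode, encrypt-then-MAC) is there so the example runs anywhere; in practice use AES-GCM or a vetted tool.

```python
"""Application-enforced "password protection" versus encryption.

Added illustration: the PWDF and ENCF formats are hypothetical and the
records are constructed sample data (fictional people and addresses).
"""
import hashlib
import hmac
import os
import struct

PP_MAGIC = b"PWDF"    # hypothetical "password-protected" container
ENC_MAGIC = b"ENCF"   # hypothetical encrypted container
PBKDF2_ROUNDS = 200_000

# Constructed sample records of the kind a victims CD might hold.
SAMPLE_RECORDS = (
    b"Smith, Jane;12 Example Street;NP20 0AA;burglary;2007-03-14\n"
    b"Jones, Rhys;3 Sample Road;CF10 1AA;assault;2007-04-02\n"
)


def write_password_protected(content: bytes, password: str) -> bytes:
    """A hash of the password goes in the header; the body is stored
    verbatim. Only the good manners of the reader keep it hidden."""
    return PP_MAGIC + hashlib.sha256(password.encode()).digest() + content


def open_password_protected(blob: bytes, password: str) -> bytes:
    """The well-behaved application: refuse unless the password matches."""
    if blob[:4] != PP_MAGIC:
        raise ValueError("not a PWDF container")
    if not hmac.compare_digest(blob[4:36], hashlib.sha256(password.encode()).digest()):
        raise PermissionError("wrong password")
    return blob[36:]


def read_without_password(blob: bytes) -> bytes:
    """What anyone with a hex editor does instead: skip the header."""
    return blob[36:]


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Password -> (encryption key, MAC key) via PBKDF2-HMAC-SHA256."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher
    (illustration only; use AES-GCM in production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(content: bytes, password: str) -> bytes:
    """Encrypt-then-MAC layout: magic | salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = _xor(content, _keystream(enc_key, nonce, len(content)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return ENC_MAGIC + salt + nonce + ct + tag


def decrypt(blob: bytes, password: str) -> bytes:
    """Verify the tag before touching the ciphertext: a wrong password or a
    modified file is rejected rather than decrypted to garbage."""
    if blob[:4] != ENC_MAGIC:
        raise ValueError("not an ENCF container")
    salt, nonce, ct, tag = blob[4:20], blob[20:36], blob[36:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password or tampered file")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def leaked_surnames(blob: bytes, surnames=(b"Smith", b"Jones")) -> list[bytes]:
    """Crude strings(1)-style scan of the raw bytes as they sit on the disc."""
    return [s for s in surnames if s in blob]


def rejects(opener, blob: bytes, password: str) -> bool:
    """True if opener refuses this blob with this password."""
    try:
        opener(blob, password)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    pp = write_password_protected(SAMPLE_RECORDS, "letmein")
    enc = encrypt(SAMPLE_RECORDS, "letmein")
    print("PWDF, no password, raw scan finds:", leaked_surnames(pp))
    print("PWDF, no password, body readable:  ", read_without_password(pp) == SAMPLE_RECORDS)
    print("ENCF, no password, raw scan finds:", leaked_surnames(enc))
    print("ENCF, wrong password rejected:     ", rejects(decrypt, enc, "wrong"))
```

The point of the pairing is in `read_without_password`: the PWDF reader’s password check is a courtesy, and the raw scan finds every surname on the disc, whereas the ENCF blob yields nothing to a scan and refuses a wrong password outright. Real formats differ in detail, but a file is only protected against someone holding the physical disc if its contents are encrypted under a key the finder does not have.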
Would Gwent Police care to confirm the actual password-protection mechanism used (let’s assume it was an MS Office document); whether the password was sent with the CD; and, most importantly, what all that personal information was doing on a single CD in the first place?