I read a couple of things over the weekend that seemed to vindicate my main thoughts from last week (well, I would hardly read or report on stuff that contradicted me, would I?). Whilst it’s never nice to blow your own trumpet, if I don’t give myself a couple of toots it’s unlikely anyone else will, so what the heck.
Toot! I said that I found it hard to believe that the breach was caused by a junior official deciding on his own initiative to copy the entire database. I thought it was much more likely that the whole thing was down to systematic incompetence. According to The Sunday Times yesterday, “the Revenue routinely sent secret data with no security”. That doesn’t quite square up with what the good Chancellor of the Exchequer (the government minister in charge of this department, international readers) said in Parliament, but it doesn’t surprise me at all. In fact, it confirms what I suspected. The main cause of this loss of data was an endemic laissez-faire attitude within Customs and Excise with regard to citizens’ personal data. They didn’t care enough about it to treat it as valuable. Hopefully they (and other agencies and companies who hoard this stuff) might just have been frightened enough by the reaction to “datagate” to change this attitude before it happens again. Which it will.
Toot! Toot! I also said that this affair should convince us all to oppose the National ID Card and database, simply on the grounds that it will not be secure and its contents will inevitably be exposed to ne’er-do-wells and ID thieves either through negligence or a crooked employee (who now knows the real value of the data). The Government’s answer to these concerns is “Biometrics”. They claim that as the database will contain our encrypted biometric signature, there is no way ID thieves could ever steal our records, as they wouldn’t be able to use them. Yah, shuah. Ben Goldacre at Badscience.net does a far better job than I could on systematically dismantling this claim. Sorry, but if you make something valuable enough, someone, somewhere is going to work out how to steal it, and how much more valuable is someone’s biometrically-authenticated identity than a plain old NI number?
Anyway, enough on this for now, more riveting real-world enterprise IAM and not-very-funny lolcats to follow shortly, I promise.