I had been wondering what to write for the 1,000th post on this blog (!), but serendipity stepped in with a public sector data breach headline. This time it's Atos Origin who are in the spotlight, after a USB stick was found in a pub car park, and turned out to contain data and software relating to the Government Gateway server. You may remember the Gateway from this post back in September 2006, when it won a Liberty Alliance IDDY award for its implementation of interoperable authentication.
As far as the current breach report is concerned - I don't have any more details than what appears in the public record, but according to the Daily Mail (to whom the USB stick was handed after it was found), it contained
"confidential passwords, security software and the technical blueprint to the system known as the 'source code'."
That in itself raises a number of questions...
- for all the bickering about how the Government 'can't be trusted to keep our details secret', why is it that someone's first instinct, on finding a USB stick in a car park, would be to hand it to a national newspaper, rather than, say, the police?
- in 2008, are we really still at the level of IT literacy where 'source code' needs to be in inverted commas, and the best analogy the journalist can come up with is to say that it's a 'technical blueprint to the system'? For goodness' sake: a blueprint is a technical drawing from which a physical object can be constructed. By extension, it's a design document from which source code could be developed. Is that distinction too hard to grasp? (Please, don't feel you have to respond by reference to the Daily Mail's target readership... ;^)
If I've interpreted the Mail's story correctly, the USB stick also contained a high-level description of the Gateway's architecture, some individuals' tax/NI details and some user IDs and passwords. A DWP representative said the passwords were 'hidden using an industry standard technique', but seemed to stop short of using the word 'encrypted'.
And if I've interpreted the BBC's article correctly, the DWP said that the user details and passwords on the stick were dummy accounts used to test a previous version of the Gateway.
On the basis of the information available - tempered by the knowledge that it may have been imperfectly understood, and/or dumbed down for public consumption - it's very hard to do any kind of risk assessment. That said, the implications seem to be more of a concern for Atos Origin and their management of internal procedures than for the average citizen/Gateway user.
At present the DWP (who took ownership of the Government Gateway project from the Cabinet Office) haven't issued a press release on this topic, but if they do, I'll link to it here.
![[RSS Newsfeed]](/themes/sotto/images/valid-rss.png)
![[This is a Roller site]](/themes/sotto/images/roller-logo.gif){kind=logo}