Over the past few months, on both sides of the Atlantic there have been multiple revelations of massive security breaches where sensitive and personal data has been stolen or revealed to the public at large: breaches by hackers, banks throwing data in bins, PCs being stolen, government databases being hacked, insiders selling information, or details sold by the DVLA.
Government especially needs to be more aware, as they hold some of the most sensitive data on you and me, and the number of government breaches is going up, not least the latest NHS scandal with the MTAS system, which revealed details including name, address, age, religion, sexuality, criminal records (if they had any), and their references (although this begs the question of why the government would want details of their religion, sexuality, etc.).
More importantly, it means that this data has also been exposed to the criminal elements of the world, who would most likely use it for fraudulent purposes.
Some of that sensitive data may be personal data that can be used to uniquely identify a person, such as their Social Security Number or driver's license number. If a person obtains sufficient personal data on an individual, they can perform identity theft, impersonating that individual in order to fraudulently open accounts, obtain credit cards, etc. It can take the individual whose identity was stolen a long time to get things straightened out, and during that time their credit history is tarnished, lives are ruined, businesses destroyed.
The Government needs to understand, and act upon, the fact that it is not us, the public, who are to blame for the levels of fraud; it is the Government itself and business, who do not secure the data they hold on us, that are causing the levels of crime and fraud that are part of our everyday lives.
Yes, Government departments, banks and businesses who hold our data are responsible for the fraud: they are the cause, they are the ones who are not being responsible with our personal data.
Until the Government and business can be trusted with the data they hold on us, the arguments for an ID card, ePassports and, most importantly, the NIR are redundant, and any moves to force people to participate in these schemes are both divisive and dangerous, as there is so much stolen data in the wrong hands that the fraudsters will be queuing up to get the first ID Cards.
Before any compulsory moves are made, both Government and business need to prove to the populace that they can be trusted to hold this data, and to that end we need a series of laws that force government departments, agencies and all businesses to report publicly any breaches of data security, and that hold those responsible to account.
Such moves are already underway in the US, where the Cyber Security Industry Alliance (CSIA), a lobbying group comprised of a number of security vendors, is pressing Congressional legislators to pass a law governing disclosure in the event of a data security breach. In the CSIA's annual report, the group criticized Congress for failing to pass a comprehensive data security law in 2006 requiring companies with data breaches to notify victims.
There can be few people in the UK today who have not been touched by a breach in one way or another, so I believe that such a legislative move is long overdue here in the UK, if trust is ever going to be a word associated with Government and business again.
Today, the trust is not there: we do not believe what they say, and we do not trust what they do.
P.S. With regard to the NHS MTAS system: any unprotected system that is put on an internet-facing connection without adequate security in place is, on average, attacked by the first hackers within 15-30 seconds of being made available.
Any Government official who tries to downplay its importance, or indicates that it was only very minor, or that no one knew it was there because it was not advertised on the net, needs their head examined and the dangers of the internet very severely pointed out to them (perhaps by placing all of their personal details on an unprotected machine and connecting it to the internet).
Say NO to ID Cards, Say NO to the database state.