/v3-uk/news/1949905/home-office-suspends-pa-consulting-contract
22 Aug 2008, Rosalie Marshall, V3
The Home Office is to suspend its three-year contract with PA Consulting following the loss of a memory stick containing data on 84,000 criminals.
PA Consulting was contracted by the Home Office last year to track prolific offenders through the criminal justice system.
The JTrack programme is aimed at providing law enforcement agencies with tools to compare offenders' data.
PA Consulting provided application support and trained users on the system.
"The transfer of data on this assignment to the external contractor has been suspended," said a Home Office spokesperson.
"It was downloaded onto a memory stick for processing purposes which has since been lost."
The data, relating to all prisoners in England and Wales, was not encrypted and contained names, birth dates, prison release dates and home detention curfew dates.
PA Consulting refused to comment on the data loss or the suspended contract even though it is also the body helping the government to implement its National ID Card scheme.
Security experts have argued that PA Consulting clearly lacks adequate security processes.
Matthew Brown, director of product management at security firm Workshare, said: "We can protect and manage that information as it flows inside and outside of an organisation so that risks are stopped before they have a chance to happen."
Greg Day, security analyst at software provider McAfee, added: "Had the data on the memory stick been encrypted, its loss would have posed no risk.
"As a result of insufficient security procedures, this information could provide valuable information to those who may misuse it."
Do you agree?
Inappropriate business process
In this day and age there is no reason, whatsoever, for data to be carried around on memory sticks, CDs, DVDs or laptop hard drives. No ifs, ands or buts.
Posted by Carlos Bridgestream, 22 Aug 2008
Fraud crimes will get worse until banks make signature and PIN systems reliable as proposed.
Banks do have option to deter virtually all fraud crimes simply by making signature and PIN systems reliable. Why would anyone get tempted to do identity fraud when they know that their signature personalised with their ID sticker will expose their identity? Current signature system does not even expose person's gender and so boosts identity fraud. Only this system will deter use of fake documents.
Why would anyone get tempted to use stolen or skimmed cards when they know that they will not be able to activate the transaction without new security code which will change to a new value after every transaction?
This system will also eliminate the need for us to protect our personal and card details since fraudsters will not be tempted to misuse these stolen details.
Organisations would make their customers personalise signatures by letting them use mobile phone size device which will capture image and activate printer to print their ID sticker virtually instantly.
Proposed system will deter virtually all fraud crimes including those Chip and PIN, data protection and even biometric ID cards will not deter.
This KEY and PIN system could be treated like international ID card since it will personalise signature and PIN to the right individual in any country in the world.
To make the government and banks exploit proposed system media could help them by debating use of both these systems with the public.
Posted by Roger, 22 Aug 2008
Encryption is only part of protection
"Had the data on the memory stick been encrypted, its loss would have posed no risk".
Sorry but this is simply not true, encryption can be broken. The data should yes of course not be transported on non-operational systems, and yes it should be encrypted, but the encryption should be a last line of defence.
Posted by Richard Atkins, 01 Sep 2008