DWP does not keep track of CIS security breaches

No replies

Tue, 25/08/2009 - 4:11pm

John

John's picture

Offline

Last seen: 1 hour 57 min ago

Joined: 09/03/2008

The Department for Work and Pensions (DWP) has admitted that it does not keep a running total of security breaches committed on its sensitive Customer Information System (CIS) database, prompting accusations that it is not taking adequate steps to protect personal data from intruders.

Nine council workers have already been sacked for snooping on the CIS

, which contains the personal records of 62million people, including 12million children.The DWP had allowed councils to use the CIS to process benefitsclaims. But abuses by council workers may be the tip of the iceberg. The DWP also allows other government departments, including HMRC and the Courts Service, andthe private sectorto access the CIS.

The DWP said it did not know how many security breaches had been committed by the 200 000 staff across all the organisations who routinely use the CIS.

"Central records are not maintained of this information and thus it is not possible to answer your request without collecting this information," the DWP toldComputer Weekly in answer to a Freedom of Information request. It saidcollecting the information would be too costly.

Security experts said the DWP could not protect personal data on the CIS unless it tracked how often it was abused.

Professor Peter Sommer, a visiting professor of information systems at theLondon School of Economics, said,"If DWP isnot putting reasonable effort into recording its own security breaches it cannot possibly know what remedies should be put in place or how much to spend on them -that is fundamental."

Professor Jon Walker, a government security consultant, said the DWP's admission of ignorance demonstrated a "scandalous" neglect of process that could put it in breach of the Data Protection Act and ISO security standards mandated in the HMG Security Framework in May.

Even if the DWP did compile a full list of known CIS breaches, it might not encompass all breaches that had occurred. Known breaches are discovered from sample checks and data matching exercises. An estimate of the total CIS breaches could be drawn from this exercise statistically.

CW also asked for this risk assessment, but the DWP refused to give it on the grounds that disclosing how often it estimated CIS security was being breached would help potential intruders.

"Information...concerning breaches of security could facilitate the commission of an offence by rendering the CIS system vulnerable to attack," said the DWP. It said it was in the public interest to conceal the information.

Sommer defended the public interest in knowing how vulnerable personal data was to abuse,"The'it would be dangerous to tell the public about our weaknesses'mantra has been the excuse of poor-quality security managers down the ages," he said.

CW also asked the DWP to provide details of the security precautions it used to protect the CIS. It refused, claiming the information could be used by potential intruders and that this risk outweighed the public interest in knowing what precautions are taken to protect its personal data.

Post new comment

Your name:

E-mail:

The content of this field is kept private and will not be shown publicly.

Homepage:

Subject:

Comment: *

Input format

Filtered HTML

Web page addresses and e-mail addresses turn into links automatically.
Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr> <br> <br /> <ul> <ol> <li> <dl> <dt> <dd> <table> <tr> <td> <em><b> <u> <i> <strong> <font> <del> <ins> <sub> <sup> <quote> <blockquote><pre> <address> <code> <cite> <embed> <object> <strike> <caption>
Lines and paragraphs break automatically.
Glossary terms will be automatically marked with links to their descriptions. If there are certain phrases or sections of text that should be excluded from glossary marking and linking, use the special markup, [no-glossary] ... [/no-glossary]. Additionally, these HTML elements will not be scanned: a, acronym,, code, div, h1,, h2,, h3,, h4,, h5,, h6,, li,, pre, span,, ul,.

Full HTML

Web page addresses and e-mail addresses turn into links automatically.
Lines and paragraphs break automatically.
Glossary terms will be automatically marked with links to their descriptions. If there are certain phrases or sections of text that should be excluded from glossary marking and linking, use the special markup, [no-glossary] ... [/no-glossary]. Additionally, these HTML elements will not be scanned: a, acronym,, code, div, h1,, h2,, h3,, h4,, h5,, h6,, li,, pre, span,, ul,.
You may post PHP code. You should include <?php ?> tags.

More information about formatting options

CAPTCHA

This question is for testing whether you are a human visitor and to prevent automated spam submissions.

Our Campaign's

User login

Login

HELP US DO MORE

Vocabularies

RSS News Feed

Who's online

There are currently 0 users and 23 guests online.

Everyone's experience is different. There are no "hard & fast" rules here. Someone you know may have had an adverse decision/ experience but yours will be different and maybe have a more positive outcome. The information on this site and externally linked sites & information does not constitute legal advice. You should always, if you have difficulty with any BENEFIT and require PROPER LEGAL ADVICE. Engage a suitably Qualified Solicitor / Social Worker / Welfare Rights Worker or the CAB - Citizens Advice Bureau

Copyright © 2008, 2009, 2010

Request new password