Security - they have heard of it
In what appears to be an unacceptable & humongous breach of security, the much maligned MTAS website was found to be critically lacking in protection for the personal details (including, among other things, addresses, sexual orientation & phone numbers) of hundreds of Foundation programme applicants, according to Channel 4 News, who were made aware of it this afternoon.
They showed footage of the website on the 7 o’clock news this evening, with Jo Hilbourne from the BMA & Matthew Jameson-Evans from Remedy UK onscreen to comment. Andrew Lansley was on air to excoriate the govt, who didn’t bother to send anyone to the studio to catch the flak.
“I’m absolutely gob-smacked, I don’t know whether to laugh or cry. I’m not going to be able to laugh because it’s so serious. After I’ve scraped my jaw up off the floor I’ll say that I’m not really surprised - it’s a level of ineptitude that has characterised this whole process. It takes the concept of a botched IT job just to a new dimension.”
- Matt Jameson-Evans, Remedy UK
Shadow Health Secretary Andrew Lansley:
There should be redress against anybody who is responsible for such a serious breach of people’s data confidentiality. But frankly, I come back to the point I was making a moment ago. We know that more than a month ago there was a risk to security.
There is an open challenge to the DoH from Jon Snow to send anyone in for an on-air explanation. Patricia Hewitt / Lord Hunt / Andy Burnham / Caroline Flint / anyone?
Throughout the junior doctors’ recruitment saga, we’ve been asking the Health Secretary Patricia Hewitt to appear on the programme, but she’s always declined - and tonight was no exception.
We offer her an open invitation to come on to Channel 4 News.
Who knows for how long the information has been exposed! It has been available for at least a day. (Channel 4 reported on the 26th that the data had been exposed for at least 3 days.)
The website was secured late this evening, but the flannel put out claiming that it was accessed via a URL not meant to be available to the public is ridiculous. Putting the information on an Excel spreadsheet without even a simple password protecting it is not just negligence, it is idiocy. Then placing it on a publicly accessible location is another thing altogether.
I hope that each & every applicant potentially affected by this complains to the Information Commissioner. Fines can & should be levied. (The initial response that there was nothing they could do, on the other hand, needs explaining by the IC.)
And this is a government that claims to be able to secure the massive amounts of information an ID card database or the Electronic Patient Record (Spine) will collect. Show some competence in protecting the data of a few thousand people before attempting to do so for the entire country.
The muppets at Methods Consulting should not be allowed near a computer again.
April 26th, 2007 at 11:48 am
There isn’t any excuse for not passwording both the spreadsheets and the page (leaving aside whether this is a proper use of Excel) and whoever is legally in charge of that site should be in deep shit (is that Methods? probably, but not clear).
On the other hand, it may be that not much actual damage has been done because the URL was not linked from the site and was not publicly known. I think that a lot of the outraged commenters don’t understand this possibility. The Channel 4 report also says that they found out about it “after a tip-off from a doctor”. I do hope that the doctor in question wasn’t one who had in fact been given the URL properly because he or she was part of the checking exercise.
BTW, your new colour scheme looks pretty from a distance but is very hard to read. I vote for a return to black on white.
April 26th, 2007 at 12:04 pm
The MTAS site is run by Methods Consulting on a turnkey basis I understand & whatever the shortcuts taken by the MMC team, Methods are responsible for the site. That includes information governance arrangements & security policies I should hope. Given that they run the NHS Jobs site in addition to other sites carrying personal data, maybe their customers need to take a closer look at what is going on.
Whether the URL was linked from the site or not, it could easily have been discovered by a probe, or indeed leaked out as it did from the dozens of people who had knowledge of its existence. I do not believe that it was an authorised user who tipped off Channel 4.
Re the colour scheme, I am experimenting with a few themes but they all need work on their CSS files to get them to display properly. In the meantime, I will allow readers to choose the theme that they prefer out of a set of 6.
May 9th, 2007 at 3:09 pm
http://www.methods.co.uk/Ourservices/ITconsulting/tabid/63/Default.aspx
“We are currently working with a number of government departments on the adoption of these new technologies to assist with areas including fraud reduction, access management and identity management.”
If they were responsible for the MTAS security mess I wonder what we are in store for next. Are similar disasters waiting in NHSjobs and other government websites?
For those whose data was lost, losing money through ID fraud will be the least of their worries going by what I saw on this link courtesy of DrCrippen.
http://www.lightbluetouchpaper.org/2007/04/20/extreme-online-risks/