Is The Information Commissioner About To Investigate His Own Office Or Is It Something Murkier?

Police in Liverpool, in an early morning raid on a house in Cheshire, seized a memory stick from a retired police officer, Mr Owens, who used to work for the Information Commissioner’s Office. Whilst at the ICO he was responsible for working on Operation Motorman, an investigation into the intrusive information gathering the media was carrying out through private investigators, and he was part of the team that pounced on the private investigator Steven Whittamore back in 2003. In a statement Cheshire Police said: “Following information received, a warrant was executed at an address in Widnes. The warrant relates to an investigation into allegations concerning breaches of the Data Protection Act 1998.”

When Mr Owens and the team investigated Mr Whittamore, they found he kept a list of the transactional services he had performed for various newspaper reporters, and this ran to around 17,000 entries! Mr Owens quit his job in 2006, claiming the Information Commissioner had failed to investigate these transactions, with the result that Mr Whittamore only got his knuckles rapped and a two year conditional discharge. This was for a deliberate breach and flouting of the Data Protection Act 1998, in that he illegally obtained personal information and sold it on for personal gain. It also let the hundreds of reporters and newspaper editors off the hook.

Following a request from the current Information Commissioner, the police are looking to question Mr Owens with regard to possible breaches of the Act, in that he leaked information to the Independent newspaper. The memory stick the police took relates to the work Mr Owens was doing when employed by the Information Commissioner; he did, however, refuse to hand over a copy of the statement he had prepared for the Leveson Inquiry. Mr Owens has allegedly described the police as being on a ‘fishing expedition’ and said the raid was without doubt the result of an ICO complaint.

Mr Owens is due to give evidence later this month to the Leveson Inquiry into the media’s use of private investigators to illegally obtain personal information. He has notified the Inquiry of the police raid, and it is understood he has already supplied Strathclyde Police with a statement and a copy of the Motorman disk to aid their investigations into the media’s illegal practices in Scotland.

So, who is investigating whom? The current Information Commissioner seems hell bent on investigating something his predecessor did, and on using the police to do so. Is this right, or is there something more sinister happening here? Why would this suddenly come up just days before a former employee was due to give evidence? Is the Commissioner’s Office trying to hide something? When I spoke to someone at the ICO it was carefully explained that they would not comment on that, and also that they would not respond to a Freedom of Information request I tried to file.

I will watch this one carefully as I am sure something else is going to come out about it…


The Legal Profession and Data Protection – Is It Ignorance Or Pure Arrogance?

Once again we hear of another legal eagle being hit by the Information Commissioner for not holding personal information securely. Yet when I contact local solicitors to try and discuss their data security, all I get is silence. Is this ignorance or arrogance? To my mind it is a bit of both. Very few solicitors have an in-house specialist who can handle their data protection compliance and, from experience, very few of them have a scooby about what it means to them, nor do they care!

The ICO has recently published another press release, this time relating to an advocate, of all people, who did not keep her laptop secured. It was stolen, yet she waited two years to report it to the Commissioner!! Why oh why oh why do we put up with this? These people are meant to know the law, yet it seems that the Data Protection Act 1998 has slipped ‘off their radar’, or else they are blissfully ignorant and really do not care about data security; the latter, I think, is more often the case! See what you think after reading the press release and feel free to respond with your thoughts.

The ICO’s press release goes like this:

A Scottish advocate breached the Data Protection Act after failing to encrypt a laptop containing sensitive personal data which was later stolen, the Information Commissioner’s Office (ICO) said today.

The laptop was stolen from the home of Ruth Crawford QC in 2009 when she was away on holiday. It contained personal data relating to a number of individuals involved in eight court cases the advocate had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. The device has not been recovered; however, most of the information compromised would already have been released as evidence in court papers.

The breach was only reported to the ICO on 30 August 2011 when the last case relating to information held on the laptop was concluded. The ICO’s enquiries found that, whilst Ms Crawford had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

The QC has now agreed to put the necessary changes in place to ensure this type of incident does not happen again. This includes locking away any personal information stored at her home and following any future data protection guidance issued by the Faculty of Advocates or her stable.

Ken Macdonald, Assistant Commissioner for Scotland said:

“The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.

“As this incident took place before 6 April 2010 the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.”   

Posted in Breaches, Data Protection, Information Security, Justice, Solicitors

Is My Password A Good Password?

This is something I have been asked about many times over the years, and basically a password is only as secure as you make it. We all have our own idiosyncrasies in the way we ‘design’ our passwords, myself included, but how secure do we actually make them?

A great many people use the names of their children or pets as passwords, and dates of birth for PINs and other number-based passwords. Quite often these passwords are no longer than 6-8 letters or numbers, but does this help?

The Telegraph has published the top 25 worst passwords (from SplashData) and these are:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon
11. baseball
12. 111111
13. iloveyou
14. master
15. sunshine
16. ashley
17. bailey
18. passw0rd
19. shadow
20. 123123
21. 654321
22. superman
23. qazwsx
24. michael
25. football

It may help you because it is easy to remember, but it also helps the hackers of this world because it will be easy to guess your password and get into your computer or your accounts. If you use names and dates of birth as passwords, anyone who wanted to break into your PC would try these as a first port of call, as they are the easiest things to try. Therefore, the best thing to do is to mix up your password by using upper-case letters placed randomly throughout the word, adding in some numbers and maybe even a symbol or two.

For example, let’s say I decide to use a pet name like Rover. This would be easy to remember and quick to type, but it is something that someone could find out about me. Therefore, what I should be looking at is making it something like rOveR-07. This introduces mixed case in the word, a symbol “-” and numbers (these representing the year he arrived). This would be harder to crack than the one-word name on its own, and I would suggest that you all look at your passwords to see whether they are like this. One caveat: password-cracking tools apply exactly these transformations (changing case, swapping letters for look-alike digits, tacking a year or a couple of digits on the end) to every word in their dictionary as a matter of routine, so a decorated pet name buys you far less than the extra length of a genuinely unrelated word or phrase would.

Some of you will remember the debacle in October 2007 when HM Revenue & Customs lost the records of 25 million child benefit recipients. This caused untold panic, as a lot of people had used their children’s names as passwords, and we were then telling them all to change their passwords quickly to prevent any possible attack on their accounts.

The vast majority of us also use Windows as our operating system, and it is probably one of the ‘friendliest’ systems around. The browser offers to remember your password for any website you log in to, which is really useful, as it means I do not have to remember the password myself and, if I do forget it, the website will either reset it for me or give me a hint. The ‘two blocks of seven’ that some of you will have heard about is a different thing: it is how older versions of Windows store your own logon password. Under the legacy LAN Manager (LM) scheme the password is converted to upper case, padded out to 14 characters and split into two halves of seven, and each half is hashed on its own. So my password rOveR-07 would be held as ROVER-0 : 7 in the LM hash, and an attacker who gets hold of the stored hashes can attack each seven-character half separately, which is a far smaller job than guessing the whole password at once.

The only problem is that there is freely available software that, run on your computer (or on a copy of its password database), will recover an LM-hashed password in well under 30 minutes, and anyone who can log in as you can read out the passwords the browser has saved. Therefore, the only really secure password is one that is mixed case, symbol and number and over 14 characters in length. Why? Simple: Windows does not create an LM hash at all for a password longer than 14 characters, so that shortcut disappears (Windows Vista and later do not store LM hashes by default, but older machines, or ones where an administrator has turned them back on, still do). I would suggest that if you are storing sensitive information you use this type of password, as you can never be too safe. Facebook is reporting over 600,000 attempts per day to break into accounts, which really brings it into perspective!

Some top industry tips for passwords:

– Vary different types of characters in your passwords; include numbers, letters and special characters when possible.

– Choose passwords of eight characters or more. Separate short words with spaces or underscores.

– Don’t use the same password and username combination for multiple websites. Use a password manager to keep track of your different accounts.
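To show what the rOveR-07 advice and the 14-character rule above look like from the attacker’s side, here is an added example (my code, not something from the original post or from any cracking tool). It undoes the usual decorations a cracker’s rule set strips off, checks the result against the 25 worst passwords listed above and against a constructed list standing in for the pet and family names someone could find out about you, and shows how the legacy LM scheme would split a password into two seven-character halves. The PERSONAL_WORDS list and the sample passwords are assumptions made for the example; a real cracker works from wordlists of millions of entries.

```python
"""Added example: what a rules-based cracker sees in a 'mangled' password,
plus the shape of the legacy LAN Manager (LM) hash input.
"""
import re

# The SplashData top-25 list quoted in the post.
WORST_25 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
]

# Hypothetical "things someone could find out about me" (constructed for the example).
PERSONAL_WORDS = ["rover", "fido", "emma", "jack"]

# Letter-for-digit/symbol swaps that cracking rule sets reverse as a matter of course.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Strip the usual decorations: case, digits/symbols tacked on either end, leet swaps."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)  # drop leading/trailing digits and symbols
    return base.translate(LEET)                    # then undo letter-for-digit swaps


def lm_halves(password: str):
    """Shape of the legacy LAN Manager hash input.

    Windows upper-cases the password, pads it with NULs to 14 bytes and hashes each
    7-byte half independently (the DES step is left out; the split is the point).
    For anything longer than 14 characters no LM hash is stored at all, hence None.
    """
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:]


def check_password(password: str) -> dict:
    """Report what a rules-based cracker would see in this password."""
    base = normalise(password)
    return {
        "length": len(password),
        "in_worst_25": password.lower() in WORST_25,
        # the word the password is built on, if it is one a cracker would have in its list
        "dictionary_base": base if base in WORST_25 or base in PERSONAL_WORDS else None,
        "lm_hashable": lm_halves(password) is not None,   # i.e. 14 characters or fewer
    }


if __name__ == "__main__":
    for pw in ["password", "passw0rd", "rOveR-07", "correct horse battery staple"]:
        print(pw, check_password(pw), lm_halves(pw))
```

Run it and rOveR-07 comes back with a dictionary base of “rover” and an LM split of “ROVER-0” and “7”, which is exactly what the cracker gets to work on; the four-word phrase has no dictionary base in either list and no LM hash at all.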

If you have any concerns that you or your company may not have safe passwords or just want more information, please feel free to contact KPG Professional Services on data@kpgps.co.uk or by calling 07413 943228 for help and guidance.

Posted in Blagging, Cookies, Data Protection, Fixing Facebook, Information Security, Password

Is Vince Cable Really Guilty Of A DP Breach? What About The Blagger?

Interesting question, I think, as what actually happened? It appears some of his constituency staff decided to be ‘green’ and put out old paperwork for recycling. Unfortunately this included information about his constituents which, quite rightly, they are up in arms about. But how did this all come to light?

Reading through the stories on this one, it would appear the newspapers and media became aware of the situation because a ‘concerned citizen’ opened the recycling bags, rifled through the paperwork in them and took papers out of the bags over a series of weeks!!

Now let us look back at who should be in court over this. Mr Cable could be prosecuted for non-notification and an assessment would be made of the breach. If I was involved in the defence of this, we would be looking at damage limitation, instilling some harsh new measures to ensure this does not happen again, and throwing ourselves on the mercy of the ICO. But what I would also be pursuing is the criminal prosecution of the ‘concerned citizen’ who stole the papers from those bags.

This person is no better than a blagger, going round and removing confidential information from folks’ bin bags and waste bins. I am struggling to find any excuse for their behaviour as, when they found out that this was happening, why did they not just speak to the constituency team and point out what they had been putting out in the bags? No, they were so concerned that they kept stealing papers and then, once they had enough, allegedly sold them to a newspaper for a sum of money! They are not a concerned citizen, they are a common thief and blagger, and I would like to see the Commissioner prosecuting them for this to make an example of what can happen if you start dipping your fingers into other people’s waste paper.

We see plenty of other folk being prosecuted for blagging, but so far no-one has mentioned this, as they are all too concerned with vilifying Mr Cable for his office doing what they thought was the correct thing to do. Yes, they will be sacked and yes, Mr Cable will be fined, but if the blagger gets away with it then where is the justice in this world?

I have no political affiliation to Mr Cable nor the Lib Dems but I do have an affiliation with seeing justice being done fairly so let’s start making a noise about it.

Posted in Blagging, Breaches, Data Protection, Fair Processing, Freedom of Information, Information Security, Justice

How Secure Is It When Buying Online?

Given the number of transactions per day online, this is a very good question recently asked by one of my readers. It is also quite timely, as my debit card was cloned a couple of weeks ago from an online purchase, so let me try and help you understand how it works.

Firstly, when you are buying something online, make sure the company you are buying from is legitimate and trustworthy. Many companies now accept payment via PayPal, and this is fairly secure; however, in recent months we have seen the rise of the false payment window, where a scammer has created a false web page identical to the PayPal one and asks you for your details there. This, it appears, is what happened to me.

So what can you do about it? When you reach a payment page, the address line will change slightly: instead of “http://” you will see “https://”, indicating that the connection between your browser and the site is encrypted. There will also be a wee gold padlock symbol in the address bar, and clicking it shows you which site (and, for some certificates, which organisation) the site’s certificate was issued to. If neither appears, it is not safe to input your details. Be aware, though, that “https” and the padlock only tell you that the connection is encrypted and that you really are talking to the site named in the address bar; a scammer can obtain a certificate for a domain of their own just as easily as anyone else, so the thing to check is that the domain in the address bar is the one you expect, not merely that a padlock is present. You can also enrol in “Verified by Visa” or “MasterCard SecureCode”, so that when you go to pay, the site diverts you to enter a verification password with your card issuer. This adds a second check that a copied card number alone cannot pass, and many sites now use it as part of the payment process.
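The check described above, done in code as an added example (mine, not from the original post): it looks at the scheme and the host name of the page you are about to type card details into, the same two things the eye should check in the address bar, and rejects the look-alike and “user@” tricks that a false payment window relies on. The host names are constructed for the example; “paypal.com” simply stands for whichever site you expect to be paying on.

```python
"""Added example: checking a payment page address the way the advice above says to."""
from urllib.parse import urlsplit


def payment_page_check(url: str, expected_host: str) -> dict:
    """Is this URL an https page on the site we expect, and not a look-alike?"""
    parts = urlsplit(url)
    # urlsplit drops any 'user@' prefix and the port and lower-cases the host,
    # so 'https://paypal.com@evil.example/' correctly yields 'evil.example'.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_host.lower().rstrip(".")
    # Only an exact match or a genuine subdomain counts: 'paypal.com.evil.example'
    # contains the expected name but is a different domain entirely.
    same_site = host == expected or host.endswith("." + expected)
    encrypted = parts.scheme == "https"
    return {
        "https": encrypted,
        "host": host,
        "same_site": same_site,
        "safe_to_enter_details": encrypted and same_site,
    }


if __name__ == "__main__":
    # Constructed addresses: one genuine, three of the kinds of thing a scammer uses.
    for u in ["https://www.paypal.com/checkout",
              "http://www.paypal.com/checkout",                 # no https at all
              "https://www.paypal.com.secure-login.example/",   # look-alike domain
              "https://paypal.com@evil.example/login"]:         # 'user@' trick
        print(u, payment_page_check(u, "paypal.com"))
```

Note that the look-alike address passes the padlock test perfectly well (it is https, on a domain the scammer legitimately owns); only the host comparison catches it, which is why the domain, not the padlock, is the thing to read.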

You should also check the Privacy Statement for the website you are using, this will explain how they are using your data, where and how it will be stored and how to contact them about your information.

The sort of thing to be aware of is a site where you are asked to input personal information or bank details and there is no “https://” in the address line. It does not necessarily mean the company is dishonest, but it does mean your details travel across the internet unprotected, and this was my downfall. I needed to get an update for my SatNav and used a site which did not have the https, but felt, having read the information relating to the payment, that it would be safe. Three days later, the night before I was going on holiday, my account was relieved of over £1400… The bank felt this was unusual and blocked my account until I had contacted them to clarify what had happened. They sent me an email asking me to call them; if you ever get one asking you to fill things in online, just delete it, it is a scam! Once I had called them we started to unravel the fraud and I eventually got my account back a week later.

Posted in Data Protection, Email, Fair Processing, Information Security

Today Is International Right To Know Day

International Right to Know Day was established by access to information advocates from around the globe. It was first celebrated on 28 September 2003, and 2011 will see the 9th International Right to Know Day.

The aim of Right to Know Day is to raise awareness of every individual’s right of access to government-held information: the right to know how elected officials are exercising power and how the tax-payers’ money is being spent.

Whether or not you have ever tried to ask ‘that’ question of your local council or a government department, today is the day to try. It really is easy: all you have to do is email them the question you want answered. Currently I am assembling statistics on the number of data protection breaches the police in Scotland have incurred and the actions taken. You may just want to know how much money has been spent on those ridiculous speed bumps in your road, or why there are so many mini roundabouts or sets of traffic lights in the town and how much of your council tax has been spent on them.

Do you ever wonder what that big chimney on the edge of town is for? What causes the smoke and why it smells so bad? You have the right to ask under the Environmental Information Regulations, just ask.

All you need to do is go to the council website, find the Freedom of Information section and send in your request. They have to reply to you within 20 working days, either answering your question or telling you where you can find the answer.

So go on, give it a try, what have you got to lose?


Who knows what about you and how do they do it?

You would be surprised how much information about you is publicly available, and how much of it is used by companies to target their products at you.

Let us imagine that Mark is a 20-something who enjoys using a popular social networking site. He has done what the people behind the site have said and fully completed his profile, including his address, mobile phone number and date of birth. There is also information about his family and friends, and he has put up photographs from his last ‘lads’ weekend’ in Prague. He has allowed anybody to read his profile without restriction, as recommended by the site, and regularly posts his thoughts on where he works and on his colleagues.

Mark decides that he wants to change jobs and, finding the job he has always wanted as a games programmer, applies for it. When the company receives his application they decide to look into his background and, as part of this process, they search the social networking sites. They discover Mark’s pages and profile and note that he has not taken any steps to restrict who can see them. They also see his photographs, and find that there are some very controversial ones taken in Prague when Mark had had a bit too much to drink.

They then read his comments and see what he has been saying about the company he currently works for, and note that it is less than favourable and that he is also not very complimentary about his colleagues. Based on all this they decide not to invite Mark for interview and write back to him telling him so.

Now, some of you may feel indignant that this company searched through his personal pages on the social network site but I am afraid this is what a lot of employers now do.

So how can you stop this from happening to you?

First, only put up a minimal amount of information about you, your family and your social life.

Secondly, restrict the access to your profile by ensuring it is only friends that can see what you have written and also your photos. This prevents people prying into your private life and means that prospective employers cannot use anything you do not want them to see.

Third, do not ‘slag off’ your company and colleagues in public like this. It is easy to find what you have written, even using a simple search engine, as it is all held electronically and is therefore accessible via the internet.

Finally, do not publish photos of you or your family that are not complimentary; by doing this you prevent any accidental exposure through an image search engine.

Posted in Data Protection, Fixing Facebook, Freedom of Information, Information Security

How To Get Your Facebook Pages Back The Way They Were…

To get your Facebook news feed back to normal:

1. Go to your Account, then go to Notifications.
2. At the top right is a box that says Email Frequency.
3. Un-check the box, and your feed will show all the posts again.
4. Go to your Home Page, click on the down arrow in the upper right and “un-mark as Top Story” anything in “Top Stories”.

Now your News Feed will be ordered by time stamp, rather than randomly picking “Top Stories”.

Posted in Fixing Facebook

Do you know who you give your information to?

“Excuse me, do you have a few minutes to spare?” is the usual opening line from a ‘chugger’, the name now given to the groups of young people in the High Street, usually in a diamond or square formation, who stop people and ask them to donate to the charity they represent. The name comes from combining charity with mugger….

Now, the vast majority of people walk straight past them, not making eye contact or just ignoring them, but some still feel it impolite, or support the charity, so they stop and have a ‘chat’ with one of the chuggers.

They are always very pleasant and have a clip-board with a series of structured questions to follow, designed to get as much information about you as they can without you realising it. This is done by asking unrelated questions such as:

“Are you a home owner?”

“Where do you shop?”

“What type of car do you drive?” etc, etc…..

You find yourself answering all these questions (and a lot more besides!) as they all sound innocuous, but what are you actually telling this stranger standing in front of you? You are giving them a profile of your lifestyle. They can then score the answers, and at the end they will ask you something like “So, would you be able to donate £10 a month to save ancient buildings?” Because you have already given them so much information, their calculations show that this is the probable amount of money you could afford, and once you are asked they will try and persuade you to agree.

When you have finally been persuaded that this is what you want to do, they produce another piece of paper: the direct debit mandate or credit/debit card mandate. Now this is where common sense should prevail. The chugger is asking you for your bank or card details so they can fill the form in for you, but instead of just asking for the form to complete at home, a lot of people give them the information there and then, in the middle of a busy street……..

What happens to all this information you have just given them? The chugger is meant to either give you a data protection statement to read or explain to you who will be processing (using) your information, who they will share it with and also give you the chance to say you do not want them to pass it on to anyone else. They should also make sure that once you have signed the form to agree to what you want to do, the form is kept safe and secure, rather than what normally happens where they add it to some others in a plastic folder they are holding.

So, what can you do? If you want to donate to the charity, ask the chugger for a leaflet explaining what they do; it will also show you how to donate, safely! Do not give out your personal information on the street, especially not your bank details, as this is the easiest way to lose your identity.

If you have any concerns that you or your company may not be processing personal information in line with the Act, please feel free to contact KPG Professional Services on data@kpgps.co.uk or by calling 07413 943228 for help and guidance.

Posted in Data Protection, Fair Processing, Information Security

Why Do I Keep Getting Calls From Windows Internet Support?

You are sitting down reading the paper one afternoon when the telephone rings; answering it, you see it is an ‘International’ call. When you say “hello” a voice at the other end says “Good Afternoon, may I speak with Mr McGuffey please?”. As this is you, you confirm it to the voice and they continue, “I am from Windows Internet Support and we have detected a problem with your internet connection, could you please turn your PC on and we will try and repair it for you”. The voice then tells you he is James and is helping you sort out your computer’s software problem, and that it should not take longer than ten to fifteen minutes. He then asks you to turn on your PC and, when you confirm it is on, tells you to log on to your account and say when you are at your desktop (the screen where all your buttons are).

This is where he takes over. He asks you to click on the Windows icon at the bottom left of the screen and then type eventvwr into the search box. You do this and a box comes up with all sorts of data in it. James asks you to check the Summary of Administrative Events section and tell him the total number of Critical errors there are. You check and tell him how many there are (no computer will have zero; the Critical entries you are most likely to find are Kernel-Power events, which Windows records whenever the machine was switched off or lost power without shutting down cleanly, so they are routine rather than a sign of anything wrong). He will sound pensive, “Hmm, that is a lot”, and ask you to click on the + sign and tell him what is there. You tell him that there are three Kernel-Power System criticals. He will respond with something like “that is a very serious problem and I will need to get that sorted for you, otherwise your PC will end up badly corrupted and you will need to buy a new one”.

He asks you to open your web browser and type http://www.logmein123.com into the address line and press enter. This is a legitimate remote-support service that he is abusing: it brings up a screen asking for a 6-digit code, which James gives you. You enter it and he has full control of your PC and can see everything on there. He can move your cursor and will be looking in various directories for information. He will also run some programmes, which he tells you is quite normal as he is trying to identify the problems. Finally he tells you that he has found the problem and will have to install some software to clean it and prevent it happening again, which will cost you £40. When you give him your credit/debit card details over the phone he ‘processes’ your payment, and you will see him installing the software on your PC before he tells you that it is all now cured and that should you have any problems you can call him back. He will then thank you for your time and end the call. So what was his telephone number?

This is a scam, as you have probably guessed. What he has done is take your bank card details to ‘pay for the work he did’, which was basically a nosey round your personal files, and then install some tracking software on your PC to pick up any account details you have. He will use this information in one of two ways: either to use your accounts to defraud you, or to sell your details and those of your accounts to other scammers, who will then use your accounts for nefarious means.

If you get a call like this, tell them you are not interested and that you will go to the police about it, then put the phone down. Do not confirm who you are and please, do not follow their instructions. If you have already let someone connect, treat the PC as compromised: disconnect it from the internet and tell your bank before doing anything else.

If you have any queries about any of this or think you may have been scammed please feel free to contact me at KPG Professional Services on data@kpgps.co.uk or by calling 07413 943228 for help and guidance.

Posted in Data Protection, Fair Processing, Information Security