The Department of Work and Pensions joins the inglorious list of government departments who has lost data.
On this occasion it is not personal details, but, possibly worse, user names and passwords, that allow access to a government site which contains information such as tax returns.
The details of the USB drives were on a USB drive that was found in a car park.
The Department for Work and Pensions has come out with the same, rehashed lines, used over and over again in data loss cases, stating that there is “No conceivable risk”. The DWP is making this statement as the user names and passwords are ‘out of date’.
While the passwords may be out of date, this does not mean the DWP are in the clear. In fact finding this USB drive poses more questions than is answers:
- Why is this data on a USB drive, at all?
- How long have the passwords been out of date, a day or a year?
- How did the USB drive leave the department?
- Are the current user names and passwords also on USB drives?
- Why is it so easy for this for this information to be extracted and passed around easily?
- What else has been stolen?
The government claimed that all of the data on the USB drive was encrypted but, if that was the case, then how was the USB drive identified as belonging to the Department of Work and Pensions?
Passwords are stored on most systems in an encrypted format, e.g Windows does not store you actual password but an encrypted version of it, but this encryption is easily cracked. What level of encryption was used? Has it since been changed, because this security has now been compromised?
This single incident again shows the sham that is government security.