Spectrum Online—Tomorrow's Technology Today

Security Archives

July 30, 2007

Wall Street Journal Guide to Hacking

Today's Wall Street Journal (subscription required) published a "helpful" set of tips to those who find their IT Department's desire to keep their network safe and secure or their company's desire to have their employees work during business hours unreasonable or overly restrictive.

To find out whether it's possible to get around the IT departments, we asked Web experts for some advice. Specifically, we asked them to find the top 10 secrets our IT departments don't want us to know. How to surf to blocked sites without leaving any traces, for instance, or carry on instant-message chats without having to download software.

Other tips cover how to download blacklisted software onto your network, or how to cover up the fact that you are using your work computer for non-work activities during work time.

The Journal - to cover its butt - also posted advice on how to keep everything "safe" while you hacked your IT Department's system. Very nice of them.

Of course, the Journal reporter did not interview the Journal's IT Department manager to see what he or she thought of the tips; one can only assume that hacking the Journal's IT network using these tips is an acceptable, if not endorsed, behavior.

So, to all you Journal employees, I say, go for it. Hack away at the chains the Journal's IT Department has shackled you with.

Oh, BTW, if I find any of my personal information has ever been exposed by such hacking - since I am a subscriber to the Journal - I know exactly who I am going to sue. And you know what, I bet you I am going to win.

August 1, 2007

E-Voting Mash-up

California Secretary of State Debra Bowen must decide by this Friday whether to decertify any or all electronic voting machines used in California. A recent test of three popular voting machines showed that they were vulnerable to various forms of hacking.

There is some controversy about whether the tests were realistic - the "red" hacking team from the University of California had unfettered access to the machines - and, now that the vulnerabilities/threats have been exposed, whether they can be defended against by officials at state polling locations. Before the decision is made, a risk assessment of these factors needs to be done, including how the magnitude of any voter fraud or lost votes that could occur compares with paper ballots. Given the time, I doubt a thorough risk assessment is possible.

Continue reading "E-Voting Mash-up" »

August 17, 2007

Security Breaches Lead to Bankruptcy

There is a report in Dark Reading that the IT company Verus, Inc. (the link to their site is dead) has gone out of business. Verus built websites for hospitals across the country, but its work was cited in at least five security breaches where confidential patient information was exposed.

Not only is this a warning to IS&T suppliers about taking security seriously, but also to those in the medical community about ensuring that their suppliers can handle the security & privacy requirements. It is also a warning to those who want to place electronic health records on the web.

August 20, 2007

Best Data Breaches Ever!

eWeek posted an on-line slide show listing the "Most Disastrous Data Breaches" since February 2005. They list 17 of them: 5 caused by outside hacking, 1 by insider theft, 5 by inadvertent posting of information, 5 by devices (laptop, memory stick) being stolen, and 1 caused by data being lost.

One of the seventeen listed was the discount retailer TJX. The company announced last week that the cost of its data breach last year, which affected 45.8 million of its customers, was likely to exceed $150 million, although given its previous estimates this is probably an underestimate by at least 100%. To quote TJX's press release:


In the second quarter of fiscal 2008, the Company recorded an after-tax cash charge of approximately $118 million, or $.25 per share, with respect to the previously announced computer intrusion(s). This charge includes $11 million (after tax), or $.02 per share, for costs incurred during the quarter, as well as a reserve of $107 million (after tax), or $.23 per share, for the Company's exposure to potential losses. This reserve reflects the Company’s estimation of probable losses, in accordance with generally accepted accounting principles, based on the information available to the Company as of August 14, 2007, and includes an estimation of total, potential cash liabilities from pending litigation, proceedings, investigations and other claims, as well as legal and other costs and expenses, arising from the intrusion(s). In addition, TJX expects to incur future non-cash charges of approximately $21 million (after tax), or $.05 per share, that are not included in this reserve and could be recorded in fiscal year 2009. Together, these cash and non-cash charges represent the Company’s best estimate of the total losses the Company expects to incur as a result of the computer intrusion(s).

And people still argue that organizational IT security rules are meant to be broken.

August 22, 2007

Holding Up Wells Fargo

A computer failure at Wells Fargo, the fifth-largest bank in the US, knocked out its Internet access, telephones and ATMs over the weekend; it has now been fixed. The bank had to revert to its back-up systems until the issue was cleared up.

However, as reported in ComputerWorld, phishers are rapidly gearing up to exploit the event. According to the article, on-line scammers have been waiting for a problem to crop up at a large bank or financial institution which will help add legitimacy to their message.

So if you get something purporting to be from Wells Fargo, the best course is to ignore it.

September 4, 2007

Security Meltdowns

The past few weeks we saw another flood of news about IS&T security lapses. We had Monster.com reporting that 1 million or more of its customers had their information stolen, and the same hackers broke into the US Office of Personnel Management's website USAJobs.gov and made off with personnel information on 146K more people. Monster provides technical support to the OPM website. Monster admitted that it has been hacked several times, and only recently reported the fact.

Then there was a report that in the state of Connecticut, there was a "theft of a Department of Revenue Services laptop containing sensitive taxpayer information (which) it took eleven days to notify affected citizens of the incident."

At the same time, another report noted that, "A Maryland Department of the Environment laptop computer stolen from an employee's car last weekend held personal information, including Social Security numbers, for 10,000 residents registered with one of four state boards."

Back in Connecticut, there was this report: "Pfizer Inc. has revealed its third data breach in three months, this time affecting the personal information of an estimated 34,000 people... Pfizer said it did not realize sensitive information had been compromised until July 10. Letters to attorneys general around the nation alerting them to the data breach were dated Aug. 23, more than seven weeks after Pfizer became aware of the problem and more than eight months after the information was exposed."

Continue reading "Security Meltdowns" »

September 6, 2007

Another 25 Year Anniversary

In case you missed it, this week was the 25th anniversary of the first personal computer virus. The virus, dubbed "Elk Cloner", was created for the Apple II by Rich Skrenta as a prank when he was a ninth-grader.

It is also the fiftieth anniversary of the launch of the Ford Edsel, which became synonymous with the word blunder.

Just thought you'd want to know.

September 16, 2007

TJX Fraud Ring-leader Sentenced

A ring-leader in the TJX credit card fraud episode has been sentenced to 5 years in prison and fined $600K.

According to news reports, Irving Escobar (aged 19) was one of 10 people who charged over $10 million using the stolen information. However, authorities admit they don't know who actually hacked into the TJX systems, only that Escobar and the others made use of the information.

Stay tuned.

September 18, 2007

Hacking Economics

According to a story in the London Telegraph, information from stolen credit cards is selling on the Internet for as little as 25p. Bank account information sells for between £15 and £200, while social security and other identification cards cost less than £5.

The price of stolen credit card information has dropped about 75% over the past six months, as supply seems to be outstripping demand. The most valuable information is detailed address and personal information, say from MySpace or Facebook, which can be used to craft highly targeted phishing schemes.

With the falling prices, now might be a good time for authorities to follow Gresham's Law and deliberately flood the Net with bogus stolen credit information and such to drive the prices down even further, and force hackers to spend energy trying to determine what is real from what is bogus information.

New Software Reuse Risk

"Unfathomable."

That's how Gov. M. Jodi Rell of Connecticut described the incident involving a computer backup tape, stolen in June from a car in Ohio, that contained bank account and other financial data for nearly all Connecticut state agencies as well as sensitive information on 1.3 million Ohio residents, according to an article in the New York Times.

The tape was in the car of an intern working for Accenture, which was hired by both Connecticut and Ohio to develop a computer system integrating payroll, accounting, personnel and other fiscal functions. According to the Times report, "Rich Harris, a spokesman for Governor Rell, said yesterday that Accenture seemed to have used the program it created for Connecticut as a template for its project in Ohio, 'and it’s our understanding that this is how the data got mixed up' on the tape."

Continue reading "New Software Reuse Risk" »

September 25, 2007

TJX Report

The Office of the Information and Privacy Commissioners of Alberta and Calgary, Canada, released a report today on the TJX data breach. Not surprisingly, the report found that TJX skimped on privacy safeguards. It appears that initial access into TJX computer systems was via the wireless local area networks at two of its US stores.

October 3, 2007

DHS E-Mail Gone Mad

At 0819 this morning, a gentleman emailed the Department of Homeland Security (DHS) a note saying that he was changing jobs and would like to receive the DHS daily reports at his new email address. The DHS daily report provides an open source news summary of articles involving the US infrastructure that might be of interest to the security community.

This gentleman mistakenly sent his request to the distribution list email address, which was also configured incorrectly. Instead of this gentleman's request being bounced, his email went out to all the DHS daily report distribution list recipients. Chaos (and spam) soon began.

People who received this gentleman's email soon emailed him back saying that he had made a mistake - unfortunately, some used the "Reply All" button. This started another round of email broadcasts.
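The two configuration mistakes behind this incident (a list that accepts posts from anyone, and copies addressed so that "Reply All" reaches every subscriber) can be expressed as a small gateway policy. The following is an added example, not DHS's actual list setup; the list address, owner, authorized posters, subscribers and sample messages are all constructed for illustration.

```python
"""Distribution-list gateway policy (added example, not DHS's real configuration).

Two checks prevent the failure mode described above: only authorized senders
may post to the list, and distributed copies are addressed so that a recipient's
"Reply All" goes back to a human list owner, never to every subscriber.
"""
from dataclasses import dataclass

LIST_ADDRESS = "daily-report@list.example"       # hypothetical list address
LIST_OWNER = "daily-report-owner@list.example"   # hypothetical human owner
AUTHORIZED_POSTERS = {"editor@list.example"}     # hypothetical; who may post


@dataclass(frozen=True)
class Message:
    sender: str
    to: tuple
    subject: str
    in_reply_to: str = ""  # Message-ID being replied to, if any


def classify_post(msg: Message, authorized=AUTHORIZED_POSTERS, list_addr=LIST_ADDRESS) -> str:
    """Decide what the gateway does with a message addressed to the list.

    'distribute'       - from an authorized poster: send to all subscribers
    'forward_to_owner' - anyone else (e.g. a subscriber's address-change request):
                         the owner handles it and subscribers never see it
    'reject'           - a reply from a non-poster, i.e. the first link of a
                         reply-all chain: bounced to the sender only
    'not_for_list'     - the list address is not among the recipients
    """
    if list_addr not in msg.to:
        return "not_for_list"
    if msg.sender in authorized:
        return "distribute"
    if msg.in_reply_to or msg.subject.lower().startswith("re:"):
        return "reject"
    return "forward_to_owner"


def outgoing_envelope(msg: Message, subscribers, list_addr=LIST_ADDRESS, owner=LIST_OWNER) -> dict:
    """Headers for a distributed copy.

    Subscribers go in Bcc so a reply-all cannot address them, and Reply-To
    points at the owner so the default reply target is a person, not the list.
    """
    return {
        "From": msg.sender,
        "To": list_addr,
        "Bcc": tuple(sorted(subscribers)),
        "Reply-To": owner,
        "Subject": msg.subject,
    }


def simulate(messages, subscribers):
    """Run messages through the policy; return (decisions, copies delivered)."""
    decisions, delivered = [], 0
    for m in messages:
        d = classify_post(m)
        decisions.append(d)
        if d == "distribute":
            delivered += len(outgoing_envelope(m, subscribers)["Bcc"])
        elif d == "forward_to_owner":
            delivered += 1  # one copy, to the owner
        # 'reject' / 'not_for_list': nothing distributed, only a bounce to the sender
    return decisions, delivered


# Constructed sample traffic: the real daily report, a misdirected
# change-of-address request, and a "Reply All" to it of the kind that an
# open list would have relayed to everyone.
SUBSCRIBERS = {f"user{i}@agency.example" for i in range(1, 6)}
SAMPLE = [
    Message("editor@list.example", (LIST_ADDRESS,), "Daily Open Source Report"),
    Message("user1@agency.example", (LIST_ADDRESS,), "Please update my address"),
    Message("user2@agency.example", (LIST_ADDRESS,), "Re: Please update my address",
            in_reply_to="<constructed-msg-2@example>"),
]

if __name__ == "__main__":
    print(simulate(SAMPLE, SUBSCRIBERS))
```

With the policy in place the constructed batch produces one distribution of five copies, one forward to the owner and one rejection; the same three messages on an open list would have gone to every subscriber twice, which is how the real chain got started.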

Continue reading "DHS E-Mail Gone Mad" »

October 4, 2007

DHS EMail Spam Attack II

The New York Times wrote a nice little article this morning on the e-mail spamming mess. It claims that over 2.2 million emails were generated by the incident.

What will be more interesting to watch is how the people who helped keep the spurious email traffic going, disclosing their personal contact information along the way to boot, will like seeing their names and email addresses posted in the New York Times.

I would love to be a fly on the wall when some of these folks are explaining in the future to their bosses why IT security policy is important, why everyone needs to follow it, why they need more resources for improving security, etc., etc., and then being asked by their boss why they couldn't keep their own damn hands off the keyboard.

As the Times article notes:

"The accident raised questions among cybersecurity experts about how well prepared the Homeland Security Department is to defend against a cyberattack because it had trouble dealing with this computer problem."

No kidding.

I wouldn't be surprised if Congress gets interested in this little episode, given the response of both DHS and the many government security professionals (the term is debatable) who kept it going. Maybe Congress will call a few in to testify to find out what was so irresistible about keeping a spam chain letter going and clogging up government servers. Or maybe about disclosing what appeared to me to be email addresses and telephone numbers, including cell phones, of folks doing highly classified work. And now that this incident has been reported world wide, how valuable do you think this information is going to be, even if only for a short time?

I'll also be curious to see how the employers of those folks looking for new jobs will view it. Maybe they will help their employees find new ones.

Please, all of you who I am sure are happy to get their names and places where they work in the NY Times, let me know.

Continue reading "DHS EMail Spam Attack II" »

October 9, 2007

Using the Security Sledgehammer

Last Tuesday, the General Services Administration, which manages ".gov" websites, shut down California's state government use of the Internet for three hours because a small California state website had been hacked (again) by a porn provider.

Needless to say, this was a bit of bothersome overkill. If this happened every time a ".gov" website was routinely hacked, well, ...

The GSA later apologized "to the citizens of California" but protecting everyone from the scourge of pornography was a highly important matter at GSA.

Contrast GSA's action to DHS's inaction the following day when the email spam problem occurred. Maybe the GSA and DHS can do a joint lessons learned and figure out a good strategy to manage e-gov in times of trouble.

Blaming the Software Again

Last week, the Massachusetts Division of Professional Licensure mailed 28 computer disks to 23 marketing agencies who requested the names of the 450,000 licensed professionals in Massachusetts; unfortunately, the disks also contained the professionals' social security numbers.

As of today, all but one of the disks have been recovered.

According to the Boston Globe, the spokesperson for the state Executive Office of Housing and Economic Development, which oversees the Massachusetts Division of Professional Licensure, blamed it on "a software failure during computer upgrades last month. An employee noticed the error a week later."

Now, if I only had a Euro or Canadian dollar for every time I heard that lame excuse and another for the promise of a thorough review of security procedures to keep it from ever happening again after such a problem occurs.

Who Wants A Look?

As many as 40 employees at Palisades Medical Center in North Bergen, where actor George Clooney and a companion were taken after his motorcycle accident a few weeks back, are being investigated for looking at his medical records, with over two dozen suspended without pay so far. It is probably a safe guess that at least one leaked Clooney's records to the press, since the media reported in detail on his injuries within "minutes" of his admittance.

The employees got to Clooney's medical records by accessing the hospital's computers. Let's hear it for computerized medical records - makes spying so easy.

As I noted a few weeks back, a celebrity's (reported to be ex-English football coach Sir Bobby Robson) medical records were looked at in a UK hospital.

A Palisades hospital workers union spokesperson said, "It was inappropriate but they [the employees who sneaked a peek] are paying a steep price. But I don't even think George Clooney would want people to pay. Again, the apology to him for his privacy rights [is necessary], but I think in fact the hospital is overreacting."

"There are hospital obligations to have security systems so that a breach can't occur -- obviously that failed," she added. The spokesperson also tried to argue that since the employees (for the most part) only looked at Clooney's medical record and didn't disclose it (what, other than to friends and relatives?), it was a "no harm, no foul situation."

I hate to differ - I think they all need to be terminated. Or how about this as a compromise: a full public disclosure of the medical records (or better, tax records - what's the difference?) of all those who sneaked a peek, and for fairness, let's include the union spokesperson since she thinks snooping does not rate a suspension, let alone a firing. That's a fair trade, right?

Furthermore, to say that it's the hospital's fault for not having technology to keep prying eyes out is more than a bit self-serving. In the UK incident, for example, those authorized to look at Robson's medical records simply gave access to those who were not. Technology doesn't prevent bad behavior or a lack of personal responsibility.

With attitudes like those expressed by this spokesperson, I would say that ensuring the privacy of electronic health records still has a long way to go.

October 11, 2007

IT Security Opportunity Costs

Government Computing News (GCN) reported that a "typical government agency or company now spends 20 percent of its information technology budget on security, including product purchases, training, assessments and certification, according to a survey released today by the Computing Technology Industry Association." This is up from 12 percent in 2004.

I don't know where the opportunity cost of IT security becomes too great to bear, but I have to believe we are starting to get into the ballpark range.

October 13, 2007

A Different Voting Recount in Florida

In November 2006, "Democrat Christine Jennings, lost to her Republican opponent, Vern Buchanan, by just 373 votes out of a total 237,861 cast — one of the closest House races in the nation. More than 18,000 voters in Sarasota County, or 13 percent of those who went to the polls Tuesday, did not seem to vote in the Congressional race when they cast ballots, a discrepancy that Kathy Dent, the county elections supervisor, said she could not explain," according to a story in the New York Times.

The uproar was such that this past February, Florida Gov. Charlie Crist announced that Florida would get rid of all of its touch-screen voting machines, and instead use a system whereby voters would cast paper ballots that would be counted by scanning machines. Crist demanded that this new voting system be put into place in time for next year's presidential election.

A recent story in the New York Times discusses Florida's on-going problems with dumping all 25,000 of its e-voting machines, purchased for tens of millions of dollars merely six years ago as a result of the voting problems in the infamous 2000 presidential election. Some Florida counties, like Miami-Dade, are now in the process of throwing out touch-screen machines; Miami-Dade alone is discarding 7,200 even as the county still owes $15 million on them. Palm Beach county is trying to get rid of 4,900 touch-screens and it still owes $4.8 million. No one, it seems, is too interested in buying them.

As I noted a few months back, California has placed very severe limits on the use of electronic voting machines. The road to e-voting is a hard one, I guess.

By the way, the voting machines used last year in Sarasota County are sequestered under court order as the investigation into the apparent voting irregularities continues.

October 21, 2007

Supervalu Scammed - Almost

Supervalu, a large US grocer, apparently was scammed out of $10.1 million after wiring money to fraudulent bank accounts. The following is from an AP report:

"Supervalu first began wiring payments due to American Greetings into the wrong account on February 28, making a total of nine payments before catching the error on March 6. During that time, more than $6.5 million was wired to HSBC Bank in Miami Beach, Florida, to accounts opened under the names Society Nights Productions, doing business as Perini."

Someone claiming to represent Frito-Lay also convinced Supervalu to wire another $3.6 million to a fraudulent account. However, the $3.6 million looks like it actually was owed to Frito-Lay, which suggests an inside job at Supervalu.

"The FBI was able to capture the money before it was whisked away by the scammers, but now American Greetings, Frito-Lay and Supervalu have all laid claim to the money and U.S. District Judge B. Lynn Winmill will decide where it should go."

It will be intriguing to see how this all turns out, especially who the scammers are.

October 22, 2007

Who Owns You, Baby?

An interesting article was published in today's LA Times on a federally-funded identity-theft study performed by the Center for Identity Management and Information Protection (CIMIP) located at Utica College in New York. The study says that contrary to popular belief, about half of identity theft is performed by strangers, not family or acquaintances, as reported by others like Javelin Strategy & Research and ID Analytics. Both have strongly suggested (here and here) that on-line id theft was overblown, and that consumers shouldn't be worried about it.

Javelin said that the CIMIP study didn't contradict their work (which is funded by Visa USA, Wells Fargo & Co., and others with a vested interest in promoting on-line transactions) because the CIMIP study focused "on high-dollar cases" which would be "more likely to involve businesses, strangers and technology" than their broad base of consumer victims reached through telephone surveys.

Okay, sure.

Anyway, I think it is going to take some time sorting out who is at risk by whom, but regardless, on-line or off, it isn't getting any safer out there.

October 23, 2007

If a Data Breach Occurs, But No One Reports It, Then ...

Government Executive magazine reported today that, "Federal agencies report an average of 30 incidents a day in which Americans' personally identifiable information is exposed, double the incidents reported early this summer."

The increase in the number was attributed by the US Office of Management and Budget (OMB) "to agencies conducting more thorough reporting on security breaches."

OMB also said not to worry, that only a small number actually "pose a significant risk to Americans' personal information."

That makes me feel much better. Only half of a small proportion of Federal government related significant data breaches have gone unreported.

October 24, 2007

The TJX Data Breach - The Gift Just Keeps on Giving

The Boston Globe reported this morning that the data breach at TJX affected 94 million customers, more than twice the number TJX had admitted to previously. According to the article:

"The data breach affected about 65 million Visa account numbers and about 29 million MasterCard numbers ...A Visa official also put fraud losses to banks and other institutions that issued the cards at between $68 million and $83 million on Visa accounts alone."

TJX claims its costs of the breach will remain about $256 million - although, given past history, I wouldn't place any bets.

I wonder how long ago TJX knew these "new" numbers, but "forgot" to let its investors (or customers) know.

BTW, the original hacker(s) have still not been caught.

November 4, 2007

What Business Risk?

ComputerWorld reports that a survey commissioned by the Information Systems Audit and Control Association (ISACA) found that 15% of respondents admitted logging onto peer-to-peer file sharing networks from work computers despite security warnings to the contrary. A further 74% of the survey respondents said they don't believe that downloading unauthorized content or software to work PCs creates a business risk.

I wonder what these 74% do consider a business risk.

November 9, 2007

Cyber Risk Review

Today's San Jose Mercury News has published Part 1 (registration may be required) of a three-part series on organized cybercrime, often based in Russia, and the widespread use of botnets to steal your identity and money. It also has an engaging slide show on internet crime, along with an interview with Dave DeWalt, the new CEO of McAfee.

The series coincides with the news reported today at the Dark Reading website that a "New York grand jury has indicted 17 people and a corporation on charges of identity theft, worldwide trafficking in stolen credit card numbers, and other crimes committed using the Internet." Those indicted, several with apparent ties to Russia, are said to have trafficked in more than 95,000 stolen credit card numbers and caused more than $4 million in credit card fraud.

For those who are interested in this subject, as part of the article I wrote in this month's IEEE Spectrum on Open-Source Warfare, I interviewed Tom Kellermann on how terrorists are using the Internet for money laundering, fundraising, and identity theft. Kellermann was a member of the Treasury Security Team at the World Bank, where he advised central banks on monitoring illicit online activity. He’s currently vice president of security awareness at Core Security Technologies, in Boston.

Tom pointed out, as did the Mercury News story, that there is a large and growing underground economy where you essentially can hire software mercenaries to build code to attack a targeted system and to data mine that system for your own use. In this community, a perverse "Robin Hood" mentality prevails: steal and take what you can or barter what you find so that you can support your efforts in the real world.

Reading the Mercury News article and Tom's interview can be disconcerting to say the least. If you wish to stay worried or become slightly paranoid, do a daily read of the Dark Reading website. After about a week, it makes you wonder why anyone, including yourself, ever signs onto the net.

November 11, 2007

Zombie Master Zapped

The LA Times reported yesterday that John Kenneth Schiefer, a 26-year-old computer security consultant from LA, admitted to hacking into a host of personal computers "to create a rogue network of as many as a quarter-million PCs, which he used to steal money and identities."

Schiefer used botnets to steal "user names and passwords for EBay Inc.'s PayPal online payment service to make unauthorized purchases. He also passed the stolen account information on to others." He faces up to 60 years in prison and a $1.75-million fine.

It is bad enough that one has to guard against outside hackers - having to worry about IT security folks burning you from the inside just adds to the irritation. If we need to hire someone to watch over the IT security personnel, do we need someone to watch over this person as well? And how many watch-watchers are sufficient?

Hmm, sounds like it may be time to revisit the classic cat and rat problem.

November 12, 2007

Executives Being Targeted for Scams

A story in the Wall Street Journal last week describes a highly sophisticated scam making the rounds of corporate executive offices.

Using information apparently found on LinkedIn, Facebook or other websites where detailed personal information can be found, scammers are sending highly personalized and convincing phishing emails to senior company executives, saying for instance that a Better Business Bureau or Equal Employment Opportunity Commission complaint (along with a case number) has been filed against their company, and asking the executive to respond to it. Once they do, by clicking on the convenient link provided, the executive's computer is immediately compromised with software that logs all activity and sends the information to the scammer. More than one executive has been torched.

I guess that we are still a ways away from 2006, you know, the year that Bill Gates said, "Spam will be solved.” I wonder if someone has tried to spoof him recently.

Anyway, Part 2 of the San Jose Mercury News series on hacking is now available. The article starts off with the stats that 50% of the IRS employees who received phone calls in an audit test earlier this year, purportedly from the computer help desk, requesting their user names and suggesting they adopt a new password, provided the requested information. This was up from the 35% who did so in a similar test in 2004, and down from the 71% who did so in 2001.

November 15, 2007

Ghosts in the Browser

The final part of the three-part series called Ghosts in the Browser published by the San Jose Mercury News is available here. The final article focuses on the lagging governmental response to cyber crime. There is also a link to a real-time monitor of bot activity.

FBI Virtual Case File Opportunity Cost?

Lebanese-born CIA officer and former FBI agent Nada Nadim Prouty pleaded guilty this week to charges that, among other things (like submitting forged documents to obtain American citizenship), she illegally sought classified information from FBI computers in September 2002 and June 2003 concerning the Islamic group Hezbollah.

According to the New York Times, the agent's sister and brother-in-law "attended a fund-raising event in Lebanon in August 2002 at which the keynote speaker was Sheikh Muhammed Hussein Fadlallah, the spiritual leader of Hezbollah. Sheikh Fadlallah has been designated by the United States government as a terrorist leader." She checked the FBI computers to see what information law enforcement had on relatives, as well as herself.

It is interesting to speculate whether Prouty would have dared to check the FBI files in June 2003 if the Virtual Case File had visibly been on track to be completed on time (December 2003 or June 2004, take your pick), and whether her 2002 or 2003 snooping would have been discovered in 2004, before she went to the CIA, rather than in 2007.


November 18, 2007

Subtle Chip or Application Math Errors Can Lead to Big Problems

Over the weekend, the New York Times ran an article on a potential IT security problem posed by errors in microprocessor chips such as the Intel Pentium error of a few years back or the recent Microsoft Excel spreadsheet bug.

Adi Shamir, a professor at the Weizmann Institute of Science in Israel and one of the three designers of the RSA public key algorithm, circulated a research note about how an attacker could exploit an undetected subtle math error and make breaking public key cryptography possible.

The Times article notes that Mr. Shamir believes that "if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be 'trivially broken with a single chosen message.' Executing the attack would require only knowledge of the math flaw and the ability to send a 'poisoned' encrypted message to a protected computer. It would then be possible to compute the value of the secret key used by the targeted system. With this approach, 'millions of PC’s can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually.' "

It isn't believed that this technique is being used - yet. It still seems easier to poison PC components themselves like hard drives at the factory, which recently happened to Seagate Maxtor drives made in Thailand and which were pre-loaded with password stealing Trojan horses.
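The standard countermeasure against a signature being corrupted by faulty arithmetic is cheap: verify every signature with the public key before it leaves the machine, and refuse to output one that fails. The following is an added example illustrating that check, not code from Shamir's note or the Times article; the toy key is built from constructed small primes, and the "fault" is a deliberately wrong value injected into one half of a CRT signature to stand in for the kind of undetected math error the passage describes.

```python
"""Verify-before-release for RSA-CRT signing (added example, constructed toy key).

RSA implementations usually sign with the Chinese Remainder Theorem: one
exponentiation mod p, one mod q, then a recombination. If the arithmetic in
just one branch is wrong, the recombined signature is wrong in a structured way.
Checking the result against the public key catches that before anything is
released, whatever the cause of the bad arithmetic.
"""

# Toy key from constructed small primes; real keys are thousands of bits.
P, Q = 61, 53
N = P * Q                 # 3233
E = 17                    # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)       # private exponent (modular inverse; Python 3.8+)
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)      # q^-1 mod p, for Garner's recombination


def crt_sign(m: int, fault_in_p: bool = False) -> int:
    """RSA-CRT signature of the integer m (0 < m < N).

    fault_in_p=True simulates a single wrong result in the mod-p branch, the
    kind of subtle math error a buggy chip or library might produce.
    """
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault_in_p:
        s_p = (s_p + 1) % P   # injected fault: one wrong value, one branch only
    h = (QINV * (s_p - s_q)) % P
    return s_q + h * Q        # Garner: s = s_q + q * ((s_p - s_q) * q^-1 mod p)


def verify(m: int, s: int) -> bool:
    """Public-key check: s^e mod N must give m back."""
    return pow(s, E, N) == m % N


def sign_checked(m: int, fault_in_p: bool = False):
    """Sign, then verify with the public key.

    Returns the signature only if it verifies; otherwise returns None so a
    faulty signature is never handed out.
    """
    s = crt_sign(m, fault_in_p)
    return s if verify(m, s) else None


def fault_detected_for_all(limit: int) -> bool:
    """Confirm the check rejects the faulty signature for every m below limit."""
    return all(sign_checked(m, fault_in_p=True) is None for m in range(1, limit))


if __name__ == "__main__":
    m = 65
    print("good signature released:", sign_checked(m))
    print("faulty signature released:", sign_checked(m, fault_in_p=True))
```

The reason the check never misses here is that raising to the public exponent is a bijection modulo each prime when the exponent is coprime to p-1 and q-1, so a wrong half cannot verify as the right one; the same property is what an attacker would rely on in the other direction, which is why releasing an unverified signature is the thing to avoid.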


Why Government Needs Sarbanes-Oxley - and its Penalties

This past week a $31 million property tax refund scam conducted by members of the Washington DC Office of Tax and Revenue was revealed by the FBI. The scam has been running for at least the past seven years, and allegedly involved two tax office employees (so far) and their families. The perpetrators were so unconcerned about getting caught, they sent a phony $346,700 check to a fictitious company named "Bilkemor LLC."

The employees were able to get away with the scam because their activities weren't supervised and were audited little, if at all. A "breakdown of internal controls" was blamed by DC officials - something that Sarbanes-Oxley reviews of computer system controls would have made much more difficult. The District's CFO hasn't resigned, and has indicated that he sees no reason to do so. Basically, he stated that it wasn't his fault, that he has already fired the wayward employees' managers, and that it wasn't a big deal anyway, since it didn't materially affect the District's finances: "It is important to emphasize that this unfortunate incident does not compromise the financial stability and viability of the District."

Public corporations would love to operate under that definition of materiality. If the CFO or CEO were in the same position of utter and absolute ignorance of their company's finances, they would be fired, sued by shareholders, and face possible criminal charges. I guess shareholder money is more important to protect than that of taxpayers.

This week, the Securities and Exchange Commission (SEC) also admitted once again that it still couldn't meet Sarbanes-Oxley requirements either - more than a bit ironic for the agency whose job is to administer it to public companies and punish those who transgress its requirements. No one at the SEC is losing their job because of the material weaknesses found there either, it appears.

November 20, 2007

UK Government Mislays Half the Country's Personal Details

Reuters is reporting that the UK government Chancellor of the Exchequer Alistair Darling informed parliament that "two discs containing information on 25 million Britons had disappeared after being sent through HMRC's courier, Dutch mail and parcel company TNT NV, and a police investigation was underway."

"The missing information contains details of all child benefit recipients: records for 25 million individuals and 7.25 million families," according to Darling. It was a "serious failure" he said - no kidding?

Hmm, let's see. The UK government desires every citizen's and traveler's DNA and every person's travel-related details, has created a national registry of all children under 18, is developing a national ID card, etc., etc., and yet it can't guarantee basic protection to any of the information it collects.

Nice, very nice.

November 21, 2007

UK Government Security Blunder Continued

Details are now emerging on the lost confidential details of 25 million UK citizens. It appears that HM Revenue and Customs had established a practice of sending unencrypted data to the National Audit Office since March of 2007 to support its independent checks on the child benefit data, and would have likely continued if the CDs containing the information hadn't been lost in the mail last month.

Of course, the UK government is blaming the whole sorry affair on a "junior person" for not following procedures, that it wasn't an indication of a systemic failure (even though the same governmental agency had very similar security violations earlier this year), that an urgent review was being conducted to make sure it wouldn't happen again, that no one should panic (but do keep an eye on your bank account), yadda, yadda, yadda.

Prime Minister Gordon Brown told Parliament that, "I profoundly regret and apologise for the inconvenience caused"; the Chancellor of the Exchequer Alistair Darling said the episode was "catastrophic", "unprecedented" and "unforgiveable"; while the chairman of HM Revenue and Customs Paul Gray resigned, saying it was "a substantial operational failure." I do love British understatement, don't you?

Just to increase the peace of mind of UK citizens, Richard Jeavons, director of IT implementation at the Department of Health, was asked this week by a member of the Commons Home Affairs Committee about the security of the NHS Care Records Service database ("How confident are you that there won't be problems over [NHS] data and privacy?"). He responded that "You cannot stop the wicked doing wicked things with information and patient data..."

As a footnote, the UK government denied requests just last week from the Commons Health Select Committee to make information about NHS data security breaches public, saying that the information would, "add no value to the public understanding." I bet it wouldn't.

November 22, 2007

The Sounds of Shoes Dropping Everywhere

In regard to the