The largest database of Europe - Welcome to the courtyard!

According to the analytical center InfoWatch, the safety of the largest databases in Europe, containing about 90 million records, has been repeatedly violated over the years members of Courts of Her Majesty the Queen of Great Britain, the Ministry of Work and Pensions, as well as employees of other ministerial departments.

Last year, the British authorities dismissed 26 public officials for unauthorized access to data contained in the Consumer Information System (ICP), Ministry of Work and Pensions (MinTiP). COI has about 90 million records, being the largest database of Europe.

According to the British version of Computer Weekly, with the inception of the database, ie Since 2005, members of the public sector have repeatedly come across on the theft of personal data or browsing the database MinTiP. In the period from 2009 to 2010 MinTiP registered 124 cases of violation of database security consular officials. As stated by the Ministry of Justice (MOJ), for the same period tracked 23 cases of unauthorized access to personal information database servants of Her Majesty's Courts. There are currently 180 known cases of illegal entry into the COI state officials to view the records about themselves, their relatives, friends, colleagues and celebrities. Overall, access to the database are 200 000 people!

Unsafe safety

According to the Justice Ministry, the security audit database of the affected ministries held regularly once a quarter. However, it is obvious that this was not enough. Developed by the Ministry of Justice, security measures were so vague that IT-ishniki MinTiP not know specifically what they must do to protect personal data stored in the database. Periodically, their reports of a possible threat information, however, often several months after the leak occurred.

The first report on the diversion of the Ministry of Justice has received from MinTiP after 3 years after the employees of Her Majesty's Courts have made unauthorized access to the database. At the request submitted to the Division of Risk Analysis MinTiP from the Justice Ministry for help in the investigation of an incident a few weeks later was received the following reply: "The jurisdiction of the department do not include the provision of testimony in this case."

As a result, the Ministry conducted its own investigation: it was dismissed 35 people. But the lesson for the rest of civil servants are no more. Access to the database permanently or periodically have 200 000 employees, and all who had not been fired. Did not help and the system of electronic identification - insiders successfully bypass it.

In February 2008, MinTiP sent a request to the Ministry of Justice, which said that does not specify security measures should be reviewed. Now, not every employee the opportunity to access the database for personal gain. Most all the same - to perform official duties, for example, to confirm the right of citizens to receive free medicines or school supplies.

In 2009, Britain adopted Coroners and Justice Act, a provision which has been tightening procedure checks the British Commission for information on organizations for compliance with the Data Protection Act (Data Protection Act). However, the necessary safety measures were not specified in the Act.

During the proceedings it became clear that the Justice Ministry does not keep count of the number of violations and actions taken to resolve the situation. In connection with all the circumstances, the UK authorities were forced to take disciplinary action regarding the staff of British ministries. As a result of the 81 offender, only 8 were dismissed.

The situation is commented principal analyst InfoWatch N. Fedotov:"It is encouraging that even if violations occur, but are revealed, while the guilty are punished. Force security forces are not thrown completely to conceal the incident, and measures of protection are not limited to the compilation of various papers, as is customary in some other countries.

We would also like to note that all the violations are related to insiders in excess of their delegated authority. But no mention of the incidents of unauthorized access "external" violators. It must be concluded that protection from "external" threats (unauthorized access, interception of the communication channels, the selection of passwords, the introduction of Trojan horses, etc.) is set among the English well. The defense against internal attackers - has always been more difficult.