Saturday, 19th July 2008

Aftermath of a breach

TWO things have become clear since we published details yesterday of a major security breach affecting the States of Guernsey website and confidential information relating to islanders.

The first is that the failure was more serious than initially understood and left bank details exposed to potential theft.

The second is that Treasury and Resources is attempting to play down the significance of this incident.

Having had the breach drawn to its attention by this newspaper and agreeing to its ICT director participating in a demonstration of the system’s vulnerability, it yesterday tried to present that demonstration as the unauthorised entry.

It went on to claim that ‘this was a determined effort’ to access the system and could have been achieved only by an expert with specialist software.

Unfortunately, that version of events does not correspond with reality. Its representatives were visibly embarrassed by the speed and ease with which the flaws were highlighted, culminating in the hasty deletion of patient records that the States’ own negligence had left exposed.

The department also took hasty – and expensive – legal action over the weekend to injunct the whistleblower when a simple phone call would have got all the undertakings on confidentiality Treasury could have wished – and in writing.

As a Guernseyman, the whistleblower’s stated interest was in ensuring the breach was plugged and he came over at his own expense to show how bad things were.

The department’s treatment of him indicates just how red-faced its ICT professionals are over this and the legal moves confirm how potentially serious the breach of security was, that it needed to be contained by obtaining a High Court order on a Sunday.

Because the demonstration we arranged was simply to indicate that a problem existed and not to hack into the system, only those responsible for the site’s security know the full extent of the personal data that was exposed.

Nevertheless, the data protection commissioner is investigating a complaint against the States of Guernsey and that in itself is revealing.

Have your say on 'Aftermath of a breach', comment below

This article posted on March 18, 2008 at 9:00 am, filed under Comment, News.
Homefinder - 468
Your Shout - 230x170History & Heritage - 230
Guernsey Books (468) - Buy Online

One Article Comment

  1. Stephen John
    | March 18, 2008 at 3:47 pm

    I suggest the comment “red faced” is generous.

    Incompetent is more appropriate.

Post a Comment on this Article

Your email address is never published nor shared. Required fields are marked *

*
*

Disclaimer: We prefer short comments that include no external website links. Please ensure your comment is concise and relates to the article it accompanies. If it is irrelevant or deemed too long, it will not be approved. We reserve the right to edit or reject comments and will not enter into correspondence over editing decisions. Comments that appear on the site are not representative of the views of the This Is Guernsey or Guiton Group.

Your Shout: View all recent comments. More detail on the comment icons.

If you wish to make a comment about this website, please use our feedback form.