Many of us woke up in the UK this morning to the story that, unbelievably, 150 000 records had been erroneously deleted from the Police National Computer. The data loss, which occurred during a regular weekly purge of data, has been attributed to a coding error which has now been rectified. Reassuring as this may be in the short term, it does raise the question of how many other “coding errors” remain undetected.
Mistakes like this do happen, and will continue to do so, but one would have assumed that the data could simply be restored from a backup. However, the fact that the Government has still not said that the data has been recovered suggests that the process is not as simple as one would imagine. What sort of information security management framework is in place at the Home Office?
It is also interesting to note the Government’s crisis communications response. There has been a repeated emphasis on the belief that “…the loss relates to individuals who were arrested and then released with no further action”; as if this makes it OK. There is no particular reason to believe that a loss of data relating to individuals who had been convicted of very serious offences could not have taken place in a similar manner.
Where organisations focus on trying to minimise the seriousness of information security incidents like this, I am always sceptical about how seriously they are committed to a thorough root cause analysis, and to implementing the necessary changes to their information security practices. Absent this commitment, history has a tendency to repeat itself.