
Officials black out IT security report after it’s published in full

By Tony Collins

In one of the most bizarre reversals since the FOI Act came into force in 2005, officials at Somerset County Council have redacted an audit report on SAP security weaknesses after the report had already been published in full.

The result is that both versions remain publicly available. This is the report with parts of it redacted, that is, blacked out. These are links to the full versions, which were published before the redactions: here and here.

The report was written by auditors Grant Thornton for Somerset County Council and highlights weaknesses in a database that is shared by the council, Taunton Deane Borough Council and Avon and Somerset Police. The database is part of a SAP system run by Southwest One on behalf of the three authorities.

Southwest One is an IBM-led enterprise that provides IT and other services to the three authorities under a controversial outsourcing contract. Dave Orr has written comprehensively about the deal.

Somerset published the Grant Thornton report in full. The media including Campaign4Change published some details of the IT security weaknesses mentioned in the Grant Thornton report. It appears that Avon and Somerset Police asked officials at Somerset to black out details of some of the weaknesses.

Somerset-based FOI campaigner Dave Orr says the blacking out is to save the blushes of the police.

Says Orr: “Much of the redaction in the Somerset County Council IT Controls report by Grant Thornton, especially generic and available password advice in Section 3, is not based in a genuine security threat, but looks to be rooted in a Police culture that seeks to avoid criticism and/or embarrassment.”

Somerset MP Ian Liddell-Grainger says:

“SAP was built on the cheap by IBM to serve three different customers – the County Council, Taunton Deane district council and the Police. It would have made sense to bung in a few partitions to stop council eyes taking a peek at police matters, or vice versa. But that would have cost money – perish the thought.”

Police SAP system's “significant” security weaknesses.

Security breach costs US CIO his job

By David Bicknell

A warning on data security: a breach can cost you your job.

According to Government Technology, a breach of health data within the Utah Department of Health in the US has cost the state’s CIO, Steve Fletcher, his position.

Fletcher’s departure was part of Utah Governor Gary Herbert’s response to the breach, which was discovered on April 2 and is believed to have compromised 280,000 Social Security numbers, along with other personal information of an estimated 500,000 people, including names, addresses, birth dates and some details contained in patient health records.

In response to the data loss, Utah has now started a comprehensive security audit of the state’s technology systems and created a new position of “health data security ombudsman.”

The data breach was found to have occurred on March 30, and is believed to have been caused by a weak password that allowed attackers to get past the department’s security controls and steal the personal information of as many as 780,000 people in total.

Government Technology reported that the breach was regarded as ‘preventable’, and that the incident shows that greater funding is needed to protect the government’s IT systems.

At the same time, it shows the problems CIOs – in both the public and private sectors – face in trying to put adequate protection in place to prevent security breaches before they occur.

The problem is that if you ask for security funding before anything has happened, the request risks being rejected by executives. And if you wait until a breach occurs, as in the latest Utah case, it’s a bit like shutting the gate after the horse has bolted.

Dept of Technology Services CIO resigns over UDOH data breach