Passwords for UK government website found in pub carpark

Graham Cluley

British newspaper The Mail on Sunday has itself another scoop.

A member of the public found a 4GB USB thumb drive outside a pub in Cannock, Staffordshire. The memory stick, which was passed to the newspaper, is alleged to contain confidential passwords for the Government Gateway website, and its source code.

The British public register on the Gateway website to access hundreds of government services including self-assessment tax returns, VAT returns, pension entitlements and child benefits. This year, for instance, 1.8 million people are said to have submitted their tax returns via the system.

The memory stick was lost by an employee of Cannock-based Atos Origin, who manage the Gateway system on behalf of the UK government.

A spokeswoman for the Department for Work and Pensions has stated that the memory stick contained data for “only a handful” of people, and all of their passwords were encrypted. She also confirmed that the website was temporarily suspended while the department investigated the security breach.

Even if the passwords were encrypted – was it appropriate that this information was on a USB memory stick allowed out of a secure area in the first place? With the long line of recent embarrassing security breaches hitting firms and government departments, doesn’t more need to be done to control the movement of sensitive data?

Clearly the private and public sectors are putting the identities of the innocent at risk through their carelessness. A few days ago at the RSA Europe Conference in London, Information Commissioner Richard Thomas gave a speech revealing that there have been 277 data breaches reported to his department in the last year. Thirty serious incidents, in both the public and private sectors, are still under investigation.

As massive databases of personal information are increasingly gathered, the risks of embarrassing data leaks increase. This has been one of the concerns regarding the Home Office’s proposal of a national identity card scheme.

As blog reader Pete recently said to me, maybe we’ll start to see the capacities of USB memory sticks advertised like this in future: “8gb, enough for 8,000,000 books, 4,000 mp3s, 16,000 civil servants’ personal details, 38,000 prisoners’ inside leg measurement…”

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
