By Sharon Gaudin InformationWeek July 3, 2007
A senior-level database administrator for ContactPoint is being accused of stealing and selling sensitive information on 2.3 million British children.
The now-former employee, whose name was not released, allegedly took the information and sold it to a data broker, who in turn sold the information to several direct marketing companies, according to a press release posted by Capita, which is the company that won the contract to operate ContactPoint.
“As a result of this apparent theft, the children and families affected are receiving marketing solicitations from the companies that bought the data,” said Renz Nichols, president of Capita, in a written statement. “We have no reason to believe that the theft resulted in any paedophiles getting hold of children, and we are taking the necessary steps to see that any further use of the data stops.”
Capita noted its researchers believe that about 2.3 million children have been compromised, with approximately 2.2 million containing health information and 990,000 containing other sensitive information on the parents. They’re still investigating when the alleged theft occurred.
The database administrator who worked on ContactPoint had access to the information as part of his job responsibilities but did not have the authority to actually remove any of the information, according to Capita. The administrator has been fired and Capita filed a civil complaint in the High Court against him and the marketing companies that bought the information. Capita reported that it is seeking the return of all the consumer information, as well as an injunction against its use.
The company also said in the release that it is pushing authorities to file criminal charges.
Capita, which runs many government IT services, including the London Congestion Charge, maintains bank account information to help merchants decide whether to accept checks as payment. The company also maintains check and credit card information in connection with its other operations that are designed to help businesses provide customers with access to funds.
Capita said a parent reported suspicious solicitations and marketing materials. An investigation found that the company’s security systems had not been breached, so they called in the U.S. Secret Service, who often investigate financial crimes, since the British Government has no expertise in this area. The Secret Service, according to Capita, then traced the leak back to the database administrator.
And there you have it.
There are some interesting lines in this story:
“…we are taking the necessary steps to see that any further use of the data stops.”
Just how are they going to know if the data was not sold on again? They cannot know this, and if the data is partitioned into small stripped parcels, whoever bought a stripped parcel will have plausible deniability. There are many data brokers out there who sell data aggregated from many sources. All they have to do is strip out all the data that makes the stolen database identifiable as ContactPoint data (the unique numbers and everything else, leaving just the names and addresses) and then they can add this data to their current databases and claim that what they have is simply what they were using previously. Let’s say you choose to buy only the subset of ContactPoint where the children are exactly seven years old. You would be able to send a mailout to these families without raising too much suspicion.
The bottom line is, data in a huge database is like Pandora’s box; once you open it and let it out, it’s out there forever.
“The administrator has been fired and Capita filed a civil complaint in the High Court against him and the marketing companies that bought the information.”
Firing the administrator, hanging, drawing and quartering him and then feeding the remains to pigs will not put Humpty Dumpty together again. No penalty, no matter how severe, can erase all the illegal copies taken from a database. That sort of magic is just that, magic, and not part of the real world.
The only way to prevent theft like this is to not put the sensitive information of private people in a database in the first place.
“Capita reported that it is seeking the return of all the consumer information, as well as an injunction against its use.”
This is so absurd it beggars belief that they have the gall to say it in public, let alone in writing.
If ContactPoint is rolled out, it will be the single greatest threat ever foisted upon the children of a country. Never before will a government have deliberately put so many children in danger in a single stroke. It is an act of monstrous stupidity and evil. Period.