Jacqui Smith terminates PA Consulting's multi-million government contract following the loss of details of 84,000 prisoners.
We have received a message from PA Consulting from which we quote: "As is appropriate in these circumstances, PA Consulting has avoided making any comment on this incident until publication of the report of the Home Office to the Information Commissioner. This report has been published today.
We have not yet had the opportunity to review the report in detail. However, we accept PA's responsibilities in this incident. As indicated in the notification, PA has a comprehensive system of security procedures and practices in place in order to protect, in addition to government information, sensitive information from commercial clients. The loss of data on this project was caused by human failure, a single employee was in breach of PA's well established information security processes. We deeply regret this human failure and apologise unreservedly to the Home Office..."
[Jacqui Smith's department has taken the correct action in this case, and similar actions should be taken against other contractors that fail to protect data in their care. Furthermore, as recommended in this column on several occasions, the government should carry out a competent revision of the security measures, policies and procedures surrounding all sensitive information entrusted to outside entities, as well as internally in government organisations. It would be well to use the SABSA method as the framework for this task.
The fate of PA Consulting may seem harsh, especially since the loss of more contracts is likely to follow in the wake of this one, but it is justified. The company well and truly provides the rope and hangs itself in the sentence above: "The loss of data on this project was caused by human failure, a single employee was in breach of PA's well established information security processes." This sentence demonstrates conclusively that the management of PA Consulting has utterly and completely failed to grasp the most basic concepts of information security and should not be entrusted with any kind of sensitive data!
Does one dare hope that this is finally the dawn of a responsible attitude to information security in government? After all, we have been preaching about it for 16 years, so a practical result would be really nice --Ed].
Related links:
www.paconsulting.com