http://news.bbc.co.uk/1/hi/uk/7575766.stmOoops!

Good on PA. I couldn't care less if criminals' personal details get lost - someone might use them to steal their identities and mess with their lives? Great, give the crims a taste of their own medicine.

Not quite a taste of their own medicine if it nets them a tasty payout. See quote at end of article:"The British taxpayer will be absolutely outraged if they are made to pick up the bill for compensation to serious criminals."

At least the ID card scheme is in safe hands

Don't worry they will deploy their process experts from their super practice "BOP" to make sure this never happens again....wouldn't hold your breath.

Some hardline views here:http://www.timesonline.co.uk/tol/news/uk/crime/article4583747.eceMore seriously I would imagine this will have a big impact on PA who do a lot of work for high security government agencies. At least there is the private sector work to fall back on.....

They have done their client a great disservice.Accidents happen, but whatever happened to people using common sense?

It's not just compensation claims for criminals; witnesses and informants will need protecting, cases will fail, and confidence in a supposedly secure criminal justice system will be undermined at huge public cost. And all because an 'expert' adviser can't look after a memory stick - or more importantly his client's data. Bad enough that numpties in Govt departments make this mistake, but horrendous when the 'expert assistance' starts doing it. This is seriously bad news for PA's credibility in the secure space, and is beyond a bit of damage limitation...

How will this effect this year's bonuses then?

It will only affect bonuses if people can prove damages against them, indeed one article hints there may be no liability against PA in the contract.In PA's favour, everyone is given encrypted memory sticks and it seems like this one was lost in the PA offices itself, I think a tabloid mountain is being made out of an absent-minded molehill.

I'd doubt there be no liability in a government contract - more likely unlimited or a couple of million. But professional indemnity insurance should cover most of any compensation - its going to be more of a reputational than monetary hit. No doubt some heads will roll

It is a real shame that the actions of one muppet will cause so much damage to PA. As a previous poster stated, everyone at PA is issued with encrypted data sticks and there are clear guidelines for the management of sensitive information. This is not representative of an endemic culture within PA, merely the actions of a complete fool!

This has sent out one message:Admitting a memory stick or CD has gone astray (even if probably into a waste paper bin along with some desk rubbish) to client will lead to consequences comparable to it being actually found and used... This will only encourage other companies not to admit to lost data in the knowledge that it's extremely unlikely to turn up.

I doubt it is the actions of a single muppet. This happens every day at every consultancy - and an accident waiting to happen every day. But most of these kind of incidents are undiscovered, and unreported if discovered. And probably won't involve quite as sensitive information as this case.Firing a few irresponsible juniors won't solve the problem and is representative of the blame game culture which does exist in the firm.Responsibility lies everywhere in all firms, especially much higher up. Anyway, PA's profile has risen. Taking responsibility and rectifying the situation could turn out to be a PR boon.There will be monetary hit even if the compensation is small if contracts get cancelled and/or future bids don't sell.

'PA's profile has risen'...Dermot, you say this like it's a good thing!?!

That PA's profile has risen could be a good thing. It depends how they handle the situation. The happiest clients are those who have a compliant but get the matter resolved to their satisifaction. Admittedly it would take something extraordinary to turn this situation around. Looks like rabbits in the headlights so far though.

It was the Krays wot did it?http://www.thisislondon.co.uk/news/article-23543707-details/Lost+prisoner+secrets+'thrown+in+waste+bin'+and+unlikely+ever+to+be+found/article.do

Dermot - just for clarity losing your client's confidential data and getting the story spread across the national media can NEVER be a good thing; just take a look at the repair jobs that are blocking out other work in similarly embarassed govt departments!

Surprised? No. Astonished? Probably. Predictable? Oh yes. The upshot to this, and with most things these days, is that they will turn around and cite feeble apologies and say they "will improve their current processes to ensure this will event never happens." The crux of the matter is they are a dibstick firm who pride themselves on work that is substandard. How government agencies allow PA to be still used is beyond me, perhaps backhand dealings, funny handshakes and ritual beatings with a plastic ruler are done. Whatever it is, I do thing it is time the government revoke all contracts from PA, and for PA to learn from this shambolic incident. There should be zero tolerance on losing confidential data, irrespective if it was criminals' personal details. Question is were are the governing bodies? Hang on, like the FSA, they are clueless, whoever they are, infested with people at the top who are golfing pals with the companies they are supposed to be regulating. At the end of the day, we pay more tax so others can benefit from it. Benefit in this case is incompetence.

Surprised? No. Astonished? Probably. Predictable? Oh yes. The upshot to this, and with most things these days, is that they will turn around and cite feeble apologies and say they "will improve their current processes to ensure this will event never happens." The crux of the matter is they are a dibstick firm who pride themselves on work that is substandard. How government agencies allow PA to be still used is beyond me, perhaps backhand dealings, funny handshakes and ritual beatings with a plastic ruler are done. Whatever it is, I do thing it is time the government revoke all contracts from PA, and for PA to learn from this shambolic incident. There should be zero tolerance on losing confidential data, irrespective if it was criminals' personal details. Question is were are the governing bodies? Hang on, like the FSA, they are clueless, whoever they are, infested with people at the top who are golfing pals with the companies they are supposed to be regulating. At the end of the day, we pay more tax so others can benefit from it. Benefit in this case is incompetence.

i've no sympathy for PA, but just because a fool of an employee broke data protection rules it doesn't mean you should ban them from government work, on this criteria there would be no one left

Blunt, pray tell us how you a company should mitigate against an honest mistake? Or are Daily Mail readers like yourself exempt from offering anything but blustering opinion devoid from reality?

"Question is were are the governing bodies?"With insights like this it's a real wonder that Government clients aren't queueing up for your services....

dear "daily mail readers are james blunts",erm.....security awareness trainingenforcement of ISO 27001or enforcement of COBITengagement with Government Data Owners…..etc..etc…..the fact is that this use of the "individual error" excuse is a red herring. Polices should exist (and be enforced) and backed up by procedures which make the commission of "individual" errors as damn well near to impossible as they can be. I strongly suspect that the management of critical client data is haphazard and no such procedures/polcies exist. Btw, me be no Daily Mail reader. me be Information Security Guru.

Do you think this will affect bonuses then?

"Polices should exist "You're perfectly qualified to advise PA - albeit you don't seem to even know the difference between Policies and Polices.

http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/08/18/ccprivate118.xmlThere is a lot more to PA than many think.

"the fact is that this use of the "individual error" excuse is a red herring. Polices should exist (and be enforced) and backed up by procedures which make the commission of "individual" errors as damn well near to impossible as they can"What, you mean like the fact all PA staff are issued with memory sticks that are encrypted pretty much as high as it goes? As are the laptops and any other data storage device. They have policies coming out of our ears on everything. PA takes its security very seriously, so that when human error occurs the risk exposure is minimal. So, unless the CIA are hoking around rubbish tips looking for this memory stick ready to decode it, I think it's fair to say nothing will come of this. Human error will always occur in any walk of life. PA has mitigated the risk. Yet people like you then say they should have all government contracts revoked? Please let me know the next time you lose your bank or credit card, I'll be sure to phone your bank and ask them to call in your mortgage. It's only fair isn't it?

but wasn't the point it was un-encrypted? Hence the issue

Dear real world - you may well have “policies coming out of (y)our ears on everything” – that’s the easy bit. My point is that they are seemingly not enforced, and publicised. And how, precisely, have you mitigated the risk? You cannot even yet *calculate* the risk to your reputation.Jo – apologies for the typo in the word policies. Earth-shatteringly significant, I’m sure we all agree.I think the responses defending PA on this thread – presumably from current PAers – say a lot about the company. They seem to fall into the “maybe it will boost our profile”/”will my bonus be affected”/”don’t blame us all for the actions of a single muppet” camps.A real lack of introspection, humility or an ability to admit to a mistake. Pretty shoddy all round folks. Your market share and results will ultimately judge you on this.

doh - you must work somewhere pretty crummy to be this bitter. I feel sorry for you, but more so for your colleagues.Disclosure: I don't work for PA or any direct competitor

Every firm employs muppets and making mistakes is human so in some respects feel sorry for PA.However the management at other firms would have the sense and/or discretion not to make political donations to one party only / buy a big home in Chelsea while collecting large public sector fees. I am not saying Jon doesn't deserve his rewards for banning biscuits in meetings / rescuing PA etc... it is just that I recall the PA code of conduct had something about "...avoiding the appearance of wrongdoing ..."

I liked the quotation in the Mail on Sunday referring to "flamboyant" Jon Moynihan. Such euphemisms in the tabloids are usually reserved for members of boy bands they seek to out but lack the legal proof to do so. PAers would see Jon as a clever but ultimately dour person. To be fair to JM, he's always separated business and private life. It's PA's get out for not donating to charity - we pay you the full bonus we can, you decide where it goes. If he donated to Labour when he owns half of Chelsea then good luck to the hypocrite. Just be clear his fortune was made when he rescued PA for 10p a share, small donations to Labour these days don't make any difference to his income with the PA share price pushing 8 quid or something. Anyway, I'll stop defending him. He's served his purpose at PA and the best decision the company could make is to sever all ties with him at this stage. Just a shame he still owns a bucketload of shares to stop that though.

Wouldn't it be great if we literally employed The Muppets?

I'm with Doh on this one.Far too often at companies, such policies are used as an backside covering excercise when the training and culture are insufficient to mitigate the problem."Sorry we fukced up and released all your data because of our incompetent cluelessness, but we the employee whose fault it was is no longer with us. We fired his a55."Honour is saved!It's far harder to go through the tedious process of actually doing something useful rather than merely to write a single policy document, file it away, trust to luck and say "job done!"Such failures are almost NEVER the fault of an individual, but are the result of a set of overlapping failures of supervision and precondition avoidance. Go read up on James Reason's "Swiss cheese" model of failure causation.EC

The person lost a memory stick which is what, 2 inches long and less than an inch wide.The only reasons I can think of for such outrageous incompetence is a rotten culture and poor processes and documents. Case closed m'lud. Search the PA threads of the past, you'll find the one thing you can't accuse PA of is a lack of bureaucracy, processes and controls. You can't move for them.

***sighs*******reaches for dunce’s hat******calms down, decides to take pity and persevere with the free training session for the uninitiated***Two questions - - why, if PA is so festooned with policies, standards, procedures, compulsory security awareness training courses, bells and whistles did the single, lone, acting totally on their own without any come back on us guv, employee not know that the use of an unencrypted data key was a bad idea and against policy and common sense?- And how did said employee even have the access to this information? Is it freely available to all single, lone, acting totally on their own without any come back on us guv, employees?

Yup.

The emphasis so far appears to be blaming an individual for an orgnisational problem. We need to follow the actual issues from start to finish:1. A user was granted the privileges to dump 80,000 'personal' records from a database? Given the classification this data should have, no user should have the privileges to do this (least privilege)...unless it was approved? So who approved this? and any DBA would not do this unless requested to do so by someone in authority (privilege accounts should be controlled and as such requests like this would have to utilise a privilege account and should follow formal procedures. The use of such accounts should be logged, monitored and investigated), again appropriate approval must have been received.2. This data was then taken off-site. With this classification enforced, no user with a clear understanding of policies, standards procedures etc would want to risk taking this off-site as it would be clearly labelled with it's classification level.There are so many organisational security problems with this type of incident that anyone who tries to blame the employee involved has to be a complete moron. These problems are down to the organisation and how the organisation manages security............period. In this case very badly.

I used to think the BOP and FS threads were boring. This is the pits

"2. This data was then taken off-site"I think if you read carefully the comments of the Home Secretary the inference has been that the data is hosted by PA in the first place. If this is the case then it hasn't been taken "off site" although has been moved "on site."

Dear God, this is typical of IT geeks vs. the rest of the real world.If you guys had your way, the world would be full of perfect databases. Nobody would be able to actually be able do anything with the data, but we'd all be happy and safe and be able to rest easy as we watch Star Trek omnibuses in our beds at night. Consultants need data to turn it in to proper, valuable information. That's our job. Right now, memory sticks and laptops of consultants all around the world are rammed full of confidential information. Because we're not idiots, we take care of this and treat it properly. It seems as if the IT/ security crowd barely trust us to power up our laptops without getting prior authorisation, training and 100 standard procedures in place first. Data was lost it seems on an encrypted stick. Nothing has happened. Nobody got hurt. The end.

"Because we're not idiots, we take care of this and treat it properly".........probably what PA told their client....or maybe......."you can trust us" or maybe even...."you can rely on us"...."we're consultants for god sake".'Yes' you are right the IT security crowd don't trust you for very good reason.....the same reasons this thread started in the first place.

Data goes missing all the time for every company, only public services do you have to declare it. Given it's size I'm suprised there's than 1 every 6 months.Other big companies I'm sure must have something going missing every other month.

This has happened, and has happened, because consultants at PA and every other firm you care to mention are not professionals.Whether its loss of information or misuse of information it is rife is the snake oil firms. Most consultants have only every heard of one Chinese wall. When you can find client confidential information on the intranet you know how serious security is taken!If this happened at a firm of lawyers or accountants then the firm and the individual would be reprimanded and most likely fined and kicked out of the profession. But the difference really is that lawyers and accountants (and doctors etc) are trained in professional standards, ethics and integrity. No doubt there are loads who breach those standards...but at least they are aware of standards. Consultants are oblivious.PRINCE2, ITIL, PowerPoint and bullsh*t only gets you so far.

Can anyone tell me what the actual loss is here?All the data - name of persons convicted, their crimes, their addresses and expected release dates - are all in the public domain anyway. Read a newspaper or go to the court and ask. Finding client information on intranets can be a bad thing, but in many cases they'll have signed a contract allowing the consultant firm (not the individual) the right to retain IP from the project.

So Dermot, with all this 'heat' on one blog, let alone in the Home Office itself, do you still think any PR is a good thing?!

"If this happened at a firm of lawyers or accountants then the firm and the individual would be reprimanded and most likely fined and kicked out of the profession. But the difference really is that lawyers and accountants (and doctors etc) are trained in professional standards, ethics and integrity. No doubt there are loads who breach those standards...but at least they are aware of standards. Consultants are oblivious. "The only difference is that PA coughed up to a theoretical loss that many less scrupulous organisations wouldn't have admitted in the first place.You also don't have to look too hard to see accountants, lawyers or medics breaking ethics rules, and in some cases getting help from colleagues who are happy to turn a blind eye to help avoid any professional embarrassment for the firm / organisation.

Amateurs

Enron. Arthur Andersen. Shredders. Nuff said.

Enron's business model set up by energy consultants http://www.guardian.co.uk/business/2002/mar/24/enron.theobserver

UnbelievableThe heat on this blog is ice cold. After all, who cares what a couple of dozen on the bench consultants think?

Nuff saidThe point was that accountants and lawyers have professional standards regarding client confidential information. Andersen's demise over Enron was due to their lack of independence (and that they had unlimited liability...everyone sues the auditors whether they are to blame or not because the compensation is so juicy). At least, when they shredded their Enron documents they new where to find them!Let's not get into whether consultants are independent or not. If anything, PA is the most independent of the lot being employee-owned and not tied to a single software vendor or outsourcer. But in terms of professionalism, in general, and specifically with regard to client confidential information, consultants are laggards.

Laggards? surely you mean blackguards? or maybe blaggers?or maybe tw!ts or maybe twitsbut surely not purveyors of the famed "value add"

The whole question really is "what is confidential information"? IT "gurus" seem to preach every bit of company information is "confidential" and we all should bow in reverence to them. In reality, 99% of information is at best irrelevant and at worst mildly of interest to those outside the organisation boundaries.A big question actually, are consultants laggards or are companies overly protective about things which of are of little or no value? The 1% is worth protecting, but protecting the 99% may bring an organisation to its knees unnecessarily.

Well, jeez, sure IT security is boring. Granted. So what? The topic of classifying data is prosaic. That doesn’t make it is not significant. If it goes wrong, it really goes wrong.just ask the govt. And PA once the contracts go belly up.I love the dismissive response from the Management Consultant on this thread. It underlines my opinion of them. Theo Paphitis summed it up in the Den tonight. Two muppets presented a recruitment website with little potential. Theo’s final question: “What did you do before this?” “Management consultant” Theo: “Oh my god. That’s it. I’m out. Get out!”Sums it up, universal contempt for you bunch of chumps.

The bad news for you is that people who work in IT are below consultants on the social acceptance ladder!

I find the vitriol directed towards IT Consultants by “Business focussed” Management Consultants interesting for two reasons:1) It betrays a real sense of bitterness and inadequacy – in some ways it reminds me of the attitudes taken by the Aussies when they are beaten by the Poms – namely an obsession with belittling a group who are notionally inferior, but in so doing, dedicating a inordinate amount of your time, focus and energy. Oddly obsessive behaviour.2) The denial is overpowering. Denial about the fact that IT has become, and will remain, crucial to the stratgeic development of all business and markets. You cannot escape it! What would you prefer – a return to quills and ink??

Oh dear, as Picard said in an episode of Star Trek we should learn to love our differencesbesides I thought this thread was just for PA bashing ?

So Dermot, This story is both 'great PR for PA' and already 'icecold'. Perhaps you could enlighten us on:a) Which consultancy has the benefit of your weighty and dountless invaluable insights, andb) What colour the sky is on your planet?

Unbeievable"Great PR for PA" are your words. Go and read the chain back - you're either guilty of gross simplification and wilful misrepresentation. But of course, you are a consultant.But nevertheless even taking your simplification as fair - this is not contradicted by whatever is expressed on this site being considered as ice cold. The readership of this site is insignificant and has nothing to do with the wider PR implications - good or bad - of this matter.I certainly hope I don't work at the same firm as you as we've surely got no hope. And blue, of course.Invest in a dictionary as well, pal.

"Denial about the fact that IT has become, and will remain, crucial to the stratgeic development of all business and markets. You cannot escape it! What would you prefer – a return to quills and ink??"You unwittingly said it yourself. IT is only an enabler, a tool to make business more efficient. Over the centuries, the printing press, typewriter, combustion engine, telephone etc. have all served to make businesses work more efficiently. Businesses need good people to run them, you can have the best tools in the world but it won't make any money unless you have the ideas and management.You know, I sometimes wonder what life would have been like if I'd underachieved at university and had to go in to IT...

Do a search on Google Trends

You did underachieve, you moronIf you achieved you would not be posting on this forum.

So Dermong (sic!), or EMF as you now like to style yourself,What say your next post contains a valid point - because you sure as hell haven't made one yet!

Phew! Good old EDS!