Daily Archives: Thursday, April 6, 2023

  • Seriously

    The language used in official responses to news stories seems to have been rigid and formulaic in recent times, particularly amongst those organisations within or linked to the public sector.

    Today’s edition of The Register reports that ACRO, the UK’s Criminal Records Office, was taken offline due to a security breach. The site currently displays a holding page blaming ‘technical issues’, a fine example of misleading bureaucratic language.

    This is the site’s holding page as this post is published.

    Text reads Thank you for your patience as we work through our technical issues. To obtain an application form for a POLICE CERTIFICATE, send the applicant name and date of birth to: Policecertificateapp@acro.police.uk. To obtain an application form for INTERNATIONAL CHILD PROTECTION CERTIFICATE, send the applicant name and date of birth to: icpcapplication@acro.police.uk. Please do not send an email to the above addresses if you have already submitted a form. Someone will contact you to take payment. For future updates on this matter please see our customer services Twitter account:   https://twitter.com/ACRO_Police_CST

    El Reg notes that ACRO manages people’s criminal record information, running checks as needed on individuals for any convictions, cautions, or current prosecutions. It with British police and businesses, as well as exchanging this data with other countries, particularly where people wish to move or emigrate to another country and a certificate of good behaviour is required from the British police. ACRO has access to data from the Police National Computer via an information sharing agreement with the Cabinet Office.

    The data typically handled by ACRO includes name and address history, extended family information, a new foreign address, legal representation, passport information, photo and data PIN cautions, reprimands, arrests, charges or convictions.

    Earlier this week, ACRO emailed users to inform them that it had “recently been made aware of a cyber security incident affecting the website between 17th January 2023 and 21 March 2023”, adding that “we have no conclusive evidence that personal data has been affected by the cyber security incident; however it is only right that we inform you of the situation. We are very sorry that because of your interaction with ACRO your data could have been affected, and we are working tirelessly to resolve this matter.”

    Anonymous generic hacker complete with hoodie

    The message went on to say that “robust measures” had been taken as soon as the breach was discovered. It won’t be the first time that pulling the plug on a website has been described by a public sector organisation spokesperson as “robust”. If your systems were truly “robust”, taking the site offline would not have been necessary.

    After intoning the “robust” mantra, ACRO then goes on to say: “We take data security very seriously and will ensure that the matter is fully investigated…” Translated into plain English, this means “Oh dear! We’ve been caught out!”

    The fact that ACRO had not taken data security “very seriously” is clearly highlighted by two facts:

    • Firstly, ACRO did not notice crooks were gaining access to its computer systems for more than two months; and
    • Secondly, it has now freely admitted that it is going to take steps to find out how the breach happened and prevent its recurrence. A clear case of that old adage of shutting the stable door after the horse has bolted.

    The public sector relies heavily on public trust to do its work. If it really does want to be taken seriously, tough measures need to be taken and implemented, not just for IT security, but in connection with a very ancient and fundamental idea: that of honesty.