Another major data breach
Although this time the incompetence and sloppiness wasn't the Veterans Administration's. In each of the stories of this sort that I remember, the data turns up a few weeks later, is blamed on some small and innocent mistake, and all kinds of assurances are given that no one actually saw the data. That line of crap is a lot easier to pull when you're talking about a password-protected laptop than an unencrypted, password-free CD, so they may have a little trouble trying to push the line that the data was never viewed by anyone.
This is going to be particularly bad because even if the original CD is recovered, who's to say it wasn't copied? Normally, I guess I'm cynical enough to really doubt assurances of the "No one saw anything sensitive" variety, but in this case, I couldn't believe such an excuse no matter how hard I tried.
I've been told before that 'common sense' largely depends on where you sit. Certain things, for instance, might be 'common sense' to a doctor that would never dawn on someone in another profession. And that's pretty much the line of argument I'm hearing from various commenters: to a lay person, encrypting data and password-protecting it isn't necessarily common sense. Not working for the English government, I can't really say I know from personal experience, but my guess is that at some point in the day, when every one of the people involved came into work, they logged onto their computer. So it's hard to fathom them not at least appreciating the value of password-protecting things. Even so, I don't think the 'layman' defense will work here. There have been too many high-profile data breaches, hacks, screw-ups, etc. to not know that personal data you're working with should be secured.
Again, I don't know what the English political climate is like right now, but if this were the US... and it was a private company that did this... there'd be a bunch of crotchety old senators dragging the heads of the company up to Capitol Hill and making them testify under oath as to what happened. There would be a lot of finger wagging and Monday morning quarterbacking. But when the government screws up, well, mistakes happen, no one is perfect and no harm no foul. If English politicians are anywhere near the headline whores that their US counterparts are, then they'd no doubt be flogging the daylights out of a private company if they were responsible. But they won't have a lot to say other than the obligatory condemnations. Screw-ups of this magnitude, affecting this many people, that could have been prevented so easily really shouldn't happen. You shouldn't have access to that sort of data unless you prove you know how to handle it and follow agreed-upon guidelines (we can argue about what 'know how to handle it' means all day, but at a minimum, I think we can all agree that it should be encrypted and password-protected, that access to even export this information should be restricted to a small and accountable group of people, and that any packaging and delivery be recorded and tracked from start to finish).
Hopefully nothing comes of this and the CD turns up under a stack of papers in the mailroom or something. And hopefully the people responsible will be spending the holidays in the unemployment office.