Sheffield Council's Anpr System Left Open To Internet

4 hours ago, Resident said:

If it had been just one of the thirty-two PCs I had taken possession of, or just one piece of software with an easy password then yes, I'd have called it a mistake.

The fact that all 32 machines:

A: Hadn't been securely wiped before disposal or entered into a secure waste channel

B: Hadn't all but one been "secured" by the easiest passwords in the world, ie password or 12345

shows a level of incompetence far beyond a simple mistake.

The ANPR breach is a massively serious one with possible far reaching consequences. Those responsible for the breach should face harsh penalties including at min the loss of their position. It's an act of gross misconduct at minimum, although I'd probably push for criminal negligence.

One isolated incident you say? SCC's woeful and major ineptness is well documented over the years.

So how many years ago did you get these PCs?

 

You’re entitled to your view on the seriousness of the current incident, but the regulator will have the final say on that, so I’d prefer to reserve judgement until I hear what they say.

 

I really think that there is not enough information to reach any conclusion on whether this case is likely to involve gross misconduct. It might, but we don’t know. Criminal negligence? Really? Care to point out any relevant examples of that happening?
 

I don’t think SCC are proven to be inept at all. We see occasional reports of the odd problem. I’ve seen nothing that I wouldn’t expect to see from  a similar organisation and certainly nothing to suggest systemic ineptitude across the organisation. They are a very big organisation, with a revenue budget of £1.3 billion and 8000 employees delivering a huge range of services to hundreds of thousands of people. Organisations of that size and diversity will get the occasional thing wrong. Name me a similar size organisation that never ever gets it wrong, never falls foul of any regulators, never gets sued.

 

 

On 28/04/2020 at 17:36, Planner1 said:

Experience has taught me to favour cockup over conspiracy and I’d certainly think that is the case here. I’m sure the details will come out when the ICO have looked into it.

And where SCC are involved ****-up is top of the agenda, like; not taking minutes at public meetings, linking online comments to personal data in public forums, exposing personal data on the internet, allowing private houses to have personalised parking on the public road when not disabled, issuing contracts to remove a certain number of trees irrespective of need - the list goes on and on...

Share this post


Link to post
Share on other sites

I've held off commenting again as I'm sure someone will make out like Gross negligence isn't a sackable offence, or that proper design and testing 'somehow' let this out there.

 

It looks like it was designed and signed off this way. A 'firewall' rule change wouldn't suddenly open it up to the internet. If it was properly housed on a proper internal network then it would be a hell of an accident to make it exposed, and other servers would be as well.

 

If I was a lawyer and made my opinion known people would listen - hell you get paid hundreds to hear lawyers' opinions.

Yet when it comes to IT people dismiss years/decades of knowledge and experience and blame mistakes. Yes mistakes in law happen, but they don't get dismissed as a mistake. There are proper consequences. But it's IT so no-harm, no-foul. "Forget about...."

 

This was either crap design and therefore bad management. Or it was a change gone wrong which means it was bad management. Whether a contractor or not someone at the SCC knows WHY this happened and should take the blame. Just because it's the council no one should take the rap? And yes there should be blame as without it mistakes keep happening. Root cause analysis.

If I'd done this I'd be sacked through gross negligence/misconduct.  

 

Planner1 - we don't know the facts of HOW this happened.  We DO know it happened and what was exposed and to try and defend it or (like the council and SYP) dismiss it?  Really?

 

And BTW - it looks like all the fears from the earlier thread about letting the council have this data came true so the ICO might not have found fault before it was built, but £1 they do no and 'I told you so' isn't how this should work.

Edited by hsb98c

7 hours ago, Planner1 said:

So how many years ago did you get these PCs?

 

You’re entitled to your view on the seriousness of the current incident, but the regulator will have the final say on that, so I’d prefer to reserve judgement until I hear what they say.

 

I really think that there is not enough information to reach any conclusion on whether this case is likely to involve gross misconduct. It might, but we don’t know. Criminal negligence? Really? Care to point out any relevant examples of that happening?
 

I don’t think SCC are proven to be inept at all. We see occasional reports of the odd problem. I’ve seen nothing that I wouldn’t expect to see from  a similar organisation and certainly nothing to suggest systemic ineptitude across the organisation. They are a very big organisation, with a revenue budget of £1.3 billion and 8000 employees delivering a huge range of services to hundreds of thousands of people. Organisations of that size and diversity will get the occasional thing wrong. Name me a similar size organisation that never ever gets it wrong, never falls foul of any regulators, never gets sued.

 

 

Not inept  lol next joke 

16 hours ago, Planner1 said:

So how many years ago did you get these PCs?

 

You’re entitled to your view on the seriousness of the current incident, but the regulator will have the final say on that, so I’d prefer to reserve judgement until I hear what they say.

 

I really think that there is not enough information to reach any conclusion on whether this case is likely to involve gross misconduct. It might, but we don’t know. Criminal negligence? Really? Care to point out any relevant examples of that happening?
 

I don’t think SCC are proven to be inept at all. We see occasional reports of the odd problem. I’ve seen nothing that I wouldn’t expect to see from  a similar organisation and certainly nothing to suggest systemic ineptitude across the organisation. They are a very big organisation, with a revenue budget of £1.3 billion and 8000 employees delivering a huge range of services to hundreds of thousands of people. Organisations of that size and diversity will get the occasional thing wrong. Name me a similar size organisation that never ever gets it wrong, never falls foul of any regulators, never gets sued.

 

 

PCs - Recently enough for the PCs to have been bought from the supplier with Win7. 

 

My view is perfectly valid. You keep mentioning the previous ICO review of the system before it was implemented. 

So basically they OK'd a planned system.

 

I've worked in IT. Planned systems and what actually gets put in place are almost always completely different. The realised system may do what the planned system intended but technical issues almost always mean deviation.

 

There is ABSOLUTELY enough information about the case to infer that an act of  gross misconduct was involved. 

A highly sensitive data system was left wide open without ANY security measures. SOMEONE didn't do their job and make sure it was secure. In the IT sector it's the SINGLE MOST CRITICAL checkpoint. 

Given the seriousness of the breach, breaking laws, there is absolutely the option of criminal negligence. 

 

Brushing off the ineptitude of SCC as 'the odd incident'. Sounds like you're one of the problems within SCC itself. Unable to see the forest for the trees. Not a week goes by without some story of a SCC screw up. 

 

Time to take off the rose tinted specs.

 

 

Edited by Resident

Share this post


Link to post
Share on other sites

What make were the PCs that you bought from the council?

3 hours ago, Resident said:

Brushing off the ineptitude of SCC as 'the odd incident'. Sounds like you're one of the problems within SCC itself. Unable to see the forest for the trees. Not a week goes by without some story of a SCC screw up. 

 

Time to take off the rose tinted specs.

 

 

As I’ve mentioned earlier, SCC is a huge organisation, which delivers a significant range of services across a big area, to hundreds of thousands of people.

 

Therefore it can be expected that some people or groups might not be too happy with some decisions made, or actions done. That doesn’t mean that the whole organisation is inept.

 

I’ve worked for several different local government organisations in different towns and cities. You hear exactly the same complaints and comments there too. It’s in the nature of what those organisations do that dissatisfaction will happen.

 

To be clear, I do not work for SCC. I do still have contacts there though.

4 hours ago, Zarniwoop said:

What make were the PCs that you bought from the council?

I didn't buy them. They were brought to me by a charity to which they had been donated. One of the charity workers knows I have a background in IT and asked if I wouldn't mind checking and clearing them for recipients to use. They were all small form factor Dell Optiplex desktop units IIRC

Share this post


Link to post
Share on other sites

So you didn't get them directly from the council.

SCC haven't used Dell computers for some years now, so it must have been some time ago. Also quite a lot of Dell PCs were used in schools over which the council has no control.

For quite some time all surplus council IT  equipment has been disposed of by a specialised company.

5 hours ago, Resident said:

 You keep mentioning the previous ICO review of the system before it was implemented. 

So basically they OK'd a planned system.

 

Nope.

 

The system was up and running and collecting data at that time. As I said previously, SCC, SYP and many similar authorities have been collecting ANPR data for many years.

Edited by Planner1

2 hours ago, Zarniwoop said:

So you didn't get them directly from the council.

SCC haven't used Dell computers for some years now, so it must have been some time ago. Also quite a lot of Dell PCs were used in schools over which the council has no control.

For quite some time all surplus council IT  equipment has been disposed of by a specialised company.

They had council files and council-centric usernames for login with the systems trying to connect with network resources such as remote drive spaces located on council servers judging by the server IDs.
As I said they were recent enough to have been loaded with Win7 and the licence stickers were on the units. 

 

I spoke with SCC regarding these units and they thanked me for my information & also for erasing all the data securely. 

Edited by Resident

21 hours ago, Planner1 said:

As I’ve mentioned earlier, SCC is a huge organisation, which delivers a significant range of services across a big area, to hundreds of thousands of people.

 

Therefore it can be expected that some people or groups might not be too happy with some decisions made, or actions done. That doesn’t mean that the whole organisation is inept.

 

I’ve worked for several different local government organisations in different towns and cities. You hear exactly the same complaints and comments there too. It’s in the nature of what those organisations do that dissatisfaction will happen.

 

To be clear, I do not work for SCC. I do still have contacts there though.

It's not a good argument, is it? SCC is not inept because all the other councils are just as inept :)

Edited by onewheeldave
