Following up the earlier thread - here is what happened as a result....http://news.bbc.co.uk/1/hi/uk_politics/7608155.stm

Has anyone been fired yet?

Interesting PA taking full liability for any damages, probably wasn't a clause in the contract with unlimited damages so they must be bending over and taking it to try and keep their other work.

See statement on PA's website - must be quite a bit of inner turmoil going on to put this on your corporate homepage - anyone from PA like to comment?http://www.paconsulting.com/Home

See statement on PA's website - must be quite a bit of inner turmoil going on to put this on your corporate homepage - anyone from PA like to comment?http://www.paconsulting.com/Home

Bungling, body warmer wearing, polo match attending, Fulham inhabiting, incompetent toffs.

so they're reviewing PA's contracts, alongside those in place with other firms. Do you lot, the non-charlatans, intellectual elite, still think IT security has no value-add? I am LOVING this!

Who ever said IT security had no value?

Its a real disaster - all those paedo's and persistant criminals having their name and address details lost.... lets hope they don't fall into the wrong hands or god knows what will happen

I am happy. As I predicted in my post, the contract with them is no more. And I'm glad the other contracts with PA are being reviewed. It is time consultancies face up to and pay for their continually persistent incompetence. I am glad I took the mickey out of them during an interview, and equally happy that I declined to work with them. What a bunch of A-grade airheads. This news has made my day!

Oh man, the poor sod that lost that memory stick sounds like he's getting a right royal rogering of monster proportions right up the rear end.It does make me wonder, however: why didn't he just keep his gob shut about losing the memory stick (and certainly about disclosing what was on it!) and nobody would have been any the wiser?

Blunt... if you're so happy to be rid of consultants and anything to do with them, then why are you on a Consultant website reading radom threads and posting trivial comments?

Classic. What is better is the attempt by PA to lay the blame at the feet of one person, if they had an established system of checks and balances this wouldn't have been able to happen, even if they do have mickey mouse in the loop.

Anon, It wasn't a guy it was a "female employee" according to press reports. Maybe she's getting a right royal rogering of monster proportions right up the rear end. Why do PA need to say it was a "female employee", does that make it more acceptable? Shouldn't they just say an employee?

It must have been a very small assignment team if only one individual was responsible for this by themselves. Probably working too hard if they themselves were racking up £500k fees per year.And that person must have worked for a very small practice, perhaps with only one employee. And that practice was part of a very small firm, also with only one employee.Therefore it must be right and fair for that one person to take all the blame.Leadership, eh?

Agree with Anon. Any decent consultant would just lie about loosing the memory stick.

Looks like things could get a whole lot worse...http://www.telegraph.co.uk/news/newstopics/politics/2777788/Strip-data-blunder-firm-of-all-its-Government-contracts-Jacqui-Smith-told.html

The snide remarks and gloating quite is quite lamentable. As I understand it the memory stick was left at the government offices - which raises the question that if it had been stolen, what sort of dishonest people do they hire? Normally it's just cleaners and other employees that would have gone scrounging around in a people's drawers. Also - let's not forget that public sector employees can be quite bitter about having consultants it and given previous data loss headliness, may have deliberatetly sought for an opportunity to sabotage PA's (& consulting's) reputation. Despite this, I do acknowledge it was extremly foolish for anyone to not immediately delete the files off the USB where personal data is concerned.I'd be interested in hearing how this wholw affair has been going down within PA? Especially the fact it may lead to a loss of all Uk government contracts (surely an overkill?).Also - I'd heard that PA had been having difficulties prior to this, so is morale very low at the moment?

Mr Smith - It was confirmed that the memory stick was lost or stolen from PA's offices, not from government premises

So which part in the process specifically constituted the procedural security failure: 1 - The use of a data-stick in the first place to store the data.2 - The transfer of that data-stick to the PA offices3 - The storage in an un-secure drawer leading to it being stolenIf 1, then could blame the firm for not locking down USB ports although not very workable as most devices now connect through them. Or could blame management for allowing memory sticks to be used on the project. If 2, then you could of course blame the management for not frisking all employees leaving the office every day. If 3, could blame the management for not checking all drawers in the PA offices daily. Can someone please tell me specifically what processes would have avoided this?I am assuming of course that PA have policies on data security and storage, remind their employees periodically to read these, provide mandatory periodic refresher training (e.g. online) to educate their employees about these policies.

Oh, and two other alternatives: 4 - the government department should never have provided the data unencrypted to the consultant.5 - the government desktop computers should have had their USB ports locked down.And who can we blame for these?

Isn't the point that:A. Sensitive data got onto an unclassified memory stickB. The memory stick was insecurely stored and (so far unexplainably) lostCome on PA - dish the dirt, or we'll only mkae it up! ;)

Hi Bob,You've fallen into the same trap that everyone else has, you've assumed the following (taken from your words):'that PA have policies on data security and storage, remind their employees periodically to read these, provide mandatory periodic refresher training (e.g. online) to educate their employees about these policies' Firstly, never assume, just because they are a household name......and before anyone states that they aren't a household name.......they are now !!Secondly, all you concerns appear to be around the data stick. When will everyone realise that the data stick is only a very small part of the problem. They key problem here is not that it was put on a memory stick or any media for that matter, but that a member of staff was given the privileges to dump an entire database of personal details. There are so many things wrong when a member of staff is allowed to do this and they all stem from the organisations security policies, standards and procedures and the enforcement of these. This is not down to one individual (who didn't help matters), this is down to the organisation.So can everyone please stop blaming an individual and push PA to accept responsibility for their poor enforcement of basic security policies, standards and procedures.

So Security Nerd, you're coming to the point I was after: Who's responsibility was it that someone "...was given the privileges to dump an entire database of personal details." A. PA B. The Govt. dept.And when you say "given the privileges to dump...", how would you NOT give this privilege: a) not give someone access to the data (and who should be restricting this access from whom? What if that person needed access to all the data?)b) instruct someone not to dump all the data (Sounds like you are assuming that PA don't have the policies/training/reminders in place. Any PA'er wish to confirm either way?). And what if they did instruct the individual to not do this? Who is to blame?c) physically restrict the dumping - e.g. through IT restriction (again should this be PA or Govt?)Discussion is of interest as I might run into this scenario myself in the future...

Fair Point Security Nerd, So it's the 'organ grinder' not the 'monkey'; still, if you employ monkeys, they have to be trainable...

"So can everyone please stop blaming an individual and push PA to accept responsibility for their poor enforcement of basic security policies, standards and procedures."You've never been a consultant have you? When clients pay a lot of money they expect the Earth. They tell you to leave no stone unturned, analyse everything and come back with the results. Why? Because there is so many blocks and restrictions to their own staff actually seeing their own data they need a Chief Executive to give an outsider free reign.For the data itself, the dump was not huge - 60,000 odd rows, 10 odd columns by reading it. It's probably a small part of a bigger database. Yes, we could restrict everyone to parts of that, but it would be useless for analysis. The right to give access I have no problem with, how the person then treated it is a problem. What responsibility does the organisation have? To have trained the person appropriately and inform them of any contractual obligations. If they ignore that, it's the person's fault not the organisation. We don't employ people to hold consultant's hands. So, for all the bluster, where is your evidence that PA didn't train and brief the person appropriately? Also, if PA (and indeed other consultancies) were "charlatans" as proposed, why would they come clean within 2 hours of it happening? Hardly suggests they don't give a toss about data security and its implications.As for poor old Blunt, would you have prevented this had you taken the job at PA? Alas, we'll never know. But cases like this will continue to happen, happily the ACTUAL fall out (as opposed to the political table tennis) is often virtually zero. Jeremy Clarkson made the point in The Times a few years back when he printed his own bank details - several million readers and all he he got was one one cheeky scamp sign him up to a quarterly charity donation as a result. The dangers of data in the public domain are so often over stated. It's an emotional issue over a practical issue - just what exactly do you think Joe Public is going to do with 60,000 prisoner names do we think? He'll have a beezer subscription list if he wants to start a mail order p0rn empire, that's about it.

Ah if the loss happened outside government offices then that changes everything. Then it really is even more stupid of the employee to leave anything which has personal details of people on a memory stick.Whenever I've been in a similar position I've always treated such data like dynamite and tried to limit the use and copies of it. One thing I used to do is assign a number to people's names then get rid of the actual names.And I would never have left it on a memory stick for more than is necessary. Not sure too whether the argument that things go missing all the time in a work environment stand, as to me taking things off the client premises is aking to a non-consultant deciding to take something home with them - i.e. you bear full responsibility for ensuring it's security.

Instead of the usual PA whingers from BOP, this chain seems to have been infiltrated by PA apologists. Please can both camps cease and desist. It is very, very boring for the rest of us.

Hi Bob,Firstly let me state to yawn that I am a consultant.......and have been for many years.Not knowing the detail I'll try and answer your questions:1. PA obviously needed this information to perform whatever analysis they were doing. So they would have requested this from the govt department. This data internally would've been classified i.e. 'confidential' etc and this data would've been owned by a relevant data owner, who would ensure that restrictions were applied to the appropriate classification levels. (here we go again with policies, standards, procedures etc) Again as I do not know, I'm assuming classification and data ownership is enforced.In this instance however because PA are employed by the client to perform a function agreed at a high level, so I would expect that these were not enforced by the data owner as he/she was probably advised (by senior official/s) to give the 'consultants' what they want (as the govt probably believed that they have water tight contracts between the two parties). As in this instance PA would've been mistakingly 'trusted' by the client and given free reign.All privileged accounts would've been locked on the production DB so a DBA would have had to request access to gain the privileged account to perform the DB dump on the prod DB. Again, this would've been approved by someone stating 'it's OK, it's for PA' (at this stage the message would've filtered down through the dept give PA what they want) as senior official/s have already agreed that it was OK.The team monitoring the DB would've picked up the dump of data, raised a case against it and this would've been closed as they would've been advised, it's OK as it's for PA.So the long and short of it is this, the govt probably do have effective policies, standards and procedures but when consultancies are hired a level of trust and woeful contracts between the two parties break all defences down. In these instances we can only blame both parties at a senior level for allowing slack management of data, allowing things like this to happen. Regardless of who is requesting data and for what purpose we must ensure that we still follow policies, standards and procedures and the govt need to ensure that they have tighter contracts with consultancies with extreme penalties. Then and only then will 'consultancies' be more careful with clients data.Also......keeps me in a job (Security Consultant)

what's the impact of this fiasco on other practices within PA. Any insights ?

can't imagine it'll be good, especially as you have your own tabloid shorthand name now - "the data loss firm". ouch :-)

The partner managing the programme probably shot a 78 that day........

The partner will be spending a lot of time on the golf course now.

Contracts in PA mostly have the risk carried by the Practice the partner is in and any contractual disputes come directly out of that bonus pot first. However, if the claim is bigger than their bonus pot...

Quick, sack the police...."A police force has undertaken an urgent hunt for a computer memory stick after admitting it has been lost by an officer on duty.West Midlands Police would not confirm or deny reports that the data stick contained information on terrorism" (BBC News 15/09/08)....and the NHS......"Discs containing personal information on almost 18,000 NHS staff have gone missing from a north London hospital.Whittington Hospital NHS Trust admitted the discs were lost when they were put in the post by mistake in late July" (BBC News 15/09/08).....how can these people possibly be left in charge of fighting crime and saving lives after this crass institutional incompetence?!!

Isn't it frightening that the comments on The Sun's blog are more pertinent than the ones on here?http://www.thesun.co.uk/mysun/comment/view.page?storyId=1670930&submissionId=447677&nav=jump&pageNo=1There is no doubt that PA is a household name!

Perhaps, but you will find more tits in this forum

Chelsea kid - and no doubt much worse

drama queen, *please* tell me you don’t work in the consulting industry. I hope you do not, otherwise I’d be shocked at the drop in entry standards. I’m even more shocked at the weakness of your argument.Yes the police, the NHS and other public bodies have made significant errors in the management of sensitive information. However, that doesn’t JUSTIFY or explain PA’s incompetence!!!!! What drives you to offer such a ridiculous idea?PA are hired to assist in the implementation of best practice. They’re supposed to show the way – and help public bodies learn how to avoid these mistakes. If they’re equally bad, what is the point in hiring them! (An academic question as PA will soon learn).

I also think blaming the failure on a single employee is flawed. The whole point about having proper security in place is that you have the procedures, checks and balances to prevent a single person/point of weakness from causing such devastation.It's like a security firm blaming a burglary on a "single rogue member of the public" whilst proclaiming that their security procedures/arrangements are just fine.

Time to cancel all of Logica's government contracts now, and those of Deloitte and EDS?

Here's a novel idea. How about moving all those "consultants" on long-term, public sector back-filling contracts into the public sector on TUPE. It'd make no difference to delivery, would save money, and would save all this buck-passing.

i'm up for it - gold plated pensionBTW, let's add ATOS to the list of incompetents