Introduction About Site Map

XML
RSS 2 Feed RSS 2 Feed
Navigation

Main Page | Blog Index

Sunday, July 16th, 2023, 2:51 pm

On the Greater London Authority Data Breach With Sex Abuse Victims’ Personal Details

Video download link | md5sum 65e2f74fa8f4c609f78e27dd7bf22983
Greater London Authority (GLA) Breaches Not Surprising
Creative Commons Attribution-No Derivative Works 4.0

Summary: The biggest clients of Sirius ‘Open Source’ included Greater London Authority, or GLA for short; GLA is making some shy and bashful faces right now, as there’s negative publicity after a damning incident

THE account sharing (mal)practices at GLA were noted here before. We often shared usernames and passwords (one colleague even sent passwords in plain text by GMail) and last year I cautioned GLA that LastPass had been breached and that Sirius kept GLA passwords in there. The vault was never safe and I protested against the use of LastPass repeatedly for several years (the liar would not listen). I habitually complained about bad security practices and only in 2022 or thereabouts we finally had individual UNIX accounts on the gateway machine rather than a shared account. Imagine the company bragging about ISO compliance while doing all that.

The video above focuses less on account sharing and instead talks about the site, including Drupal. In the distant past we already had severe permission issues (these were pointed out internally), but it remains rather baffling if not flabbergasting that names of sex crimes victims somehow ended on the public Web site. They should not be on any site at all. I explain the Microsoft-centric workflows and how they contribute to the risk. Poor security practices and a lack of proper protocols made the current blunder more or less inevitable. Cowboys shooting from the hip is no way to run a site of a city as important as London.

Technical Notes About Comments

Comments may include corrections, additions, citations, expressions of consent or even disagreements. They should preferably remain on topic.

Moderation: All genuine comments will be added. If your comment does not appear immediately (a rarity), it awaits moderation as it contained a sensitive word or a URI.

Trackbacks: The URI to TrackBack this entry is:

https://schestowitz.com/Weblog/archives/2023/07/16/greater-london-authority-data-breach/trackback/

Syndication: RSS feed for comments on this post RSS 2

    See also: What are feeds?, Local Feeds

Comments format: Line and paragraph breaks are automatic, E-mail address never displayed, HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Back to top

Retrieval statistics: 21 queries taking a total of 0.124 seconds • Please report low bandwidth using the feedback form
Original styles created by Ian Main (all acknowledgements) • PHP scripts and styles later modified by Roy Schestowitz • Help yourself to a GPL'd copy
|— Proudly powered by W o r d P r e s s — based on a heavily-hacked version 1.2.1 (Mingus) installation —|