The official positions of Governments is counter to the actual behaviour in many many circumstances.
moreati · 4h ago
I wasn't trying to suggest they wil. I emphasised Gossi's If because I missed it on my first read. I didn't want others making the same mistake.
No comments yet
blitzar · 2h ago
> Looks like they were doing everything on AWS for about 6 years.
Ransomed by Jeff Bezos.
celticninja · 4h ago
They are not going to pay anything I guarantee it. There is no randomware. They shut their services down before the attacker could deploy ransomware although the attacker likely accessed data.
alias_neo · 4h ago
> likely accessed data
There's nothing "likely" about it.
> On Friday 16 May we discovered the attack was more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants.
> We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010.
> This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
> she understood the news "will be shocking and upsetting for people".
And that's about it. No repercussions will take place.
buserror · 2h ago
It is entirely possible the IT was outsourced to the highest bidder, probably with limited liability clauses etc etc. See Post Office for reference, they are still reaping contract money out of the government, years after having been proven as responsible for ruining people's lives for decades, and coverups.
taffynay · 35m ago
Governments outsource to the lowest bidder. Whoever can do the job for the cheapest.
tgv · 5h ago
Your comment is against the site rules on first sight, but it’s at the core of the problem: strong regulation, surveillance and punishment are sorely lacking.
celticninja · 4h ago
Who do you want to punish exactly?
aaronmdjones · 3h ago
Cases like this usually boil down to one of three things:
1) Someone left an unpatched server exposed to the Internet for months with a known critical vulnerability.
2) Someone uploaded the data to a world-readable S3 bucket or similar, or left it in an Internet-accessible database server with no authentication.
3) Someone with administrative credentials was using the password "password1!" or similar with no two-factor authentication.
In an ideal world (not the world we live in), in these cases, that someone would be prosecuted for gross negligence.
drexlspivey · 1h ago
Prosecuting someone for not having a strong enough password is beyond ridiculous. Your ideal world sounds like a black mirror episode.
caulkboots · 1h ago
How would you feel if a bank used a screen door to access their vault? Protecting other people's info comes with responsibility.
drexlspivey · 38m ago
How about enforcing strong passwords or non-password authentication at the org level instead of puting rank and file employees to jail?
pjc50 · 3h ago
Perhaps. So you prosecute your £30k low rank administrative assistant in charge of the thing. All the other unionized low-paid civil servants immediately go "we didn't sign up for this liability" and refuse to touch anything that could be deemed computer administration. Government grinds to a halt.
Something similar happened to the British Museum a couple of years ago. Almost certainly an even worse pay/qualifications employer.
harvey9 · 2h ago
If someone puts a low rank admin assistant in charge then the boss needs prosecuting. It would be the public sector version of getting the boss's nephew to do it.
jaoane · 3h ago
You prosecute whoever set the system up. The same way you’d prosecute a surgeon for malpractice.
These are professionals. It’s their responsibility to build a solid, secure system. If they can’t or don’t want to then they should find another job.
egorfine · 3h ago
They are professionals. They cannot upgrade this particular windows server, because the software they're running on it requires visual basic 6.0 support. The vendor cannot provide any upgrade for their system, because certifying anything newer than Windows 2003 for this software is prohibitively expensive for the vendor. You cannot switch vendor due to obscure clauses in contract.
Real situation btw.
oaththrowaway · 3h ago
Then you're going to have to start paying entry level IT like surgeons. Nobody is going to take that kind of risk for $30K.
AlotOfReading · 1h ago
More likely, they'd just start carrying errors and omissions insurance for a bit extra.
netdevphoenix · 1h ago
If the pay difference doesn't reflect that additional responsibility, it probably is not expected
jaoane · 30m ago
I am not convinced by this attitude of “I am being paid peanuts so I’m not going to do my job”. If you don’t like the salary then find some other job.
egorfine · 3h ago
Sounds about right.
So, shall we not protect people's data?
egorfine · 3h ago
It seems to me that 1) is the norm, not an exception in large enough corporations and especially government orgs.
Personally, I do not see any other way out of this other than somehow criminalizing running outdated software.
egorfine · 3h ago
Me personally I would like to set on fire the very people who begin to consider an upgrade to a major Windows version not earlier than it goes out of extended support.
anonymars · 1h ago
Could you rephrase this with fewer negations? I cannot parse what you are trying to hate and therefore what point you are trying to make -- "those who begin to consider not earlier than it is not fully supported"
kmlx · 3h ago
just in case people are not aware what "legal aid" or what "Legal Aid Agency" are:
> Legal aid is the provision of assistance to people who are unable to afford legal representation and access to the court system. Legal aid is regarded as central in providing access to justice by ensuring equality before the law, the right to counsel and the right to a fair trial.
> The Legal Aid Agency is an executive agency of the Ministry of Justice (MoJ) in the United Kingdom. It provides both civil and criminal legal aid and advice in England and Wales.
Note Gossi's "If". There's no indication so far wrt possible payment.
No comments yet
Ransomed by Jeff Bezos.
There's nothing "likely" about it.
> On Friday 16 May we discovered the attack was more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants.
> We believe the group has accessed and downloaded a significant amount of personal data from those who applied for legal aid through our digital service since 2010.
> This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.
source: https://www.gov.uk/government/news/legal-aid-agency-data-bre...
And that's about it. No repercussions will take place.
1) Someone left an unpatched server exposed to the Internet for months with a known critical vulnerability.
2) Someone uploaded the data to a world-readable S3 bucket or similar, or left it in an Internet-accessible database server with no authentication.
3) Someone with administrative credentials was using the password "password1!" or similar with no two-factor authentication.
In an ideal world (not the world we live in), in these cases, that someone would be prosecuted for gross negligence.
Something similar happened to the British Museum a couple of years ago. Almost certainly an even worse pay/qualifications employer.
These are professionals. It’s their responsibility to build a solid, secure system. If they can’t or don’t want to then they should find another job.
Real situation btw.
So, shall we not protect people's data?
Personally, I do not see any other way out of this other than somehow criminalizing running outdated software.
> Legal aid is the provision of assistance to people who are unable to afford legal representation and access to the court system. Legal aid is regarded as central in providing access to justice by ensuring equality before the law, the right to counsel and the right to a fair trial.
> The Legal Aid Agency is an executive agency of the Ministry of Justice (MoJ) in the United Kingdom. It provides both civil and criminal legal aid and advice in England and Wales.
from https://en.wikipedia.org/wiki/Legal_Aid_Agency