MI6 Terror Photos, Data Accidentally Sold On Ebay

Barence writes "In what's turning out to be a bad week for security in the UK, confidential MI6 documents, fingerprints and photos relating to suspected Al-Qaeda terrorists have been found in the memory of the second-hand Nikon Coolpix camera, which was bought on eBay for only £17. The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC. Remember, this is the same MI6 which plans to recruit new members via Facebook, a userbase not exactly famous for its dedication to privacy, security and discretion. The news comes on the back of yesterday's embarrassment over a local council whose VPN device ended up on eBay with confidential login details left on it."

Fuck the police

The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC.

This is why you never talk to the police.

Re:Fuck the police

I still have a hard time believing the people who decide such things are really that stupid. What message does that send to the next finder of classified information or material? "just post it on Flickr via anonymous proxy?" They could have just asked for the camera, and offered a replacement for it, and a new computer with a copy of their data.

Re:Fuck the police

The buyer immediately went to the police, who initially treated it as a joke

I'll just type it up on my invisible typewriter.

Re:Fuck the police

He should leave negative feedback. That will teach them a lesson.

Re:Fuck the police

Uh, if they needed to minimise the risk of a copy of the files being left behind, what exactly should the police have done? If I reported something like this to the police, the next thing I'd do is open the doors and put on a pot of tea for the special ops chaps who'd likely be calling by momentarily. Just because they came by and siezed the relevent equipment doesn't mean they treated him like a criminal - they simply did the best they could in a bad situation, and were probably rather apologetic to him and his family. They could well have returned the computer within 48 hours - we really don't have enough information to be passing judgement about this.

Re:Fuck the police

You're right, the police probably had little choice other than to confiscate his equipment. It was a completely predictable reaction, and that is why the person in question shouldn't have gone to the police.

Even if they did return the equipment,I hope he's comfortable with some thug poring over his personal and private data. You know, searching through his email to see who he might have spoken with about these records. Looking at every single image file on the drive, etc.

Re:Fuck the police

This is why you never talk to the police.

Better off to do as the person who found the stuff on the train did. Go to the press ensure that any handover is as public as it can possibly be.

Re:Fuck the police

This is why you never talk to the police.

Sadly you may be right, although for all the wrong reasons. In civilised parts of the world we recognise that society exists because of cooperation, and that includes cooperation with the police.

Unfortunately in cases like these, the police are undermining that cooperation. As another example, it's rumoured that if you report child porn on the internet to the relevant authorities in the UK, you should expect a visit from the coppers and all your computer equipment to be taken away. Which is why I wouldn't report this, even though child abuse is a terrible thing and it should be reported.

Now, if I found "terror photos" (whatever they are) on a second hand laptop or camera, I won't be reporting that either. Just scrubbing any info off the device and get on with my life.

Rich.

Re:Fuck the police

4th paragraph:

"However, the police subsequently descended on the man's home, seizing his computer and camera equipment."

Re:Fuck the police

Sounds like a good place to work. Clearly, they're full of incompetents, leaving lots of room to slack off and still shine brighter than everyone else. Course, after a few years of doing so, you train yourself to be as useless as the rest of em, but then you can just suck up a government cheque and pass the buck until it's time to retire.

Re:Fuck the police

His computer was seized as he downloaded the files, The Register [theregister.co.uk] has more info.

Re:Fuck the police

1) They took his computer.

2) They replaced the equipment, at a cost of a grand. Whether or not this was a like-for-like replacement or better is unanswered.

Whether or not he got his personal data back is another question, as anyone knows it is the time invested in generating your own data that is the real value in your PC. I hope he had a backup.

Knowing the British police I expect he'll be arrested for some non-related data on the hard drive like some MP3s.

Re:Fuck the police

Whether or not he got his personal data back is another question, as anyone knows it is the time invested in generating your own data that is the real value in your PC. I hope he had a backup.

It's OK, he can just buy them back when they turn up on ebay ...

Rich.

Re:Fuck the police

A clarification: the cost of replacement equipment was £1,000, not $1,000.

So I just have to wonder.

Just how many people buy hard drives just to mine them for data?
1. Buy the drives on Ebay
2. Scan drives for valuable data.
3. Sell cleaned drives on Ebay and sell data to the highest bidder.
4. Profit.

Re:So I just have to wonder.

With just 2 people doing this, there would be a whole lot of clean drives going back and forth between them. You need something like a TTL to prevent a complete DoS.

Re:So I just have to wonder.

Slashdot articles may give the impression that every piece of 2nd hand electronics contains nuclear silo passcodes or celebrity porno tapes but I don't think that's actually the case

Same thing? Really?

I think an intelligence service selling a camera with highly sensitive classified data on it is just a little more serious than some local council leaving the password to their VPN on a router.

I would expect small local agencies to either not have or ignore proper data scrubbing policies prior to selling old equipment, but national intelligence agencies? That's a whole different kettle of fish.

Re:Same thing? Really?

I would expect small local agencies to either not have or ignore proper data scrubbing policies prior to selling old equipment, but national intelligence agencies? That's a whole different kettle of fish.

It is curious. It would be a safe bet that proper procedures exist to handle equipment like this. Obviously they weren't followed.

I would even hazard to guess that not only were safe disposal procedures not followed, but a whole slew of other procedures covering proper equipment were also ignored. It wouldn't surprise me that this was a personal device used on-the-job due to convenience or necessity despite regulations against such use.

Of course, that's just a wild guess. It could also be as mundane as lost / stolen equipment. Or mis-managed inventory that ended up in some government surplus lot. The scenarios are endless.

It also highlights a personal pet peve of mine; policies are not protection. Too often they are given the air of risk mitigation when they are simply documents. Sure - they're good things to have around. You can't expect people to do things right if you can't tell them the right way of doing things. But so much infosec within the belly of such bureaucratic beasts seems to focus on merely generating and checking those policies. There is too little effort in actually implementing them - or improving the environment to limit actual risk.

If this was, in fact, personal gear I would hazard to guess simply making it easier to get official government kit (with all the tracking and control such kit gets) would have eliminated this eventual leak.

Note to self...

The buyer immediately went to the police, who initially treated it as a joke; when they realised he was serious, they swooped on his home and seized his camera and PC.

... never do the police a favor in the UK.

But then again, in the US they would have tasered him for no reason.

Re:Note to self...

... never do the police a favor in the UK.

But then again, in the US they would have tasered him for no reason.

You are badly misinformed. American police do NOT ever, under any circumstances taser people for no reason.

They taser them because it is funny.

Talking to the Police is a bad Idea

I think the individual would have been better off (as in, not having his home raided and property taken) to have just given the data to wikileaks.

In response to MI6's ineptitude, the authorities have attacked the innocent person attempting to help them.

Remember kids, talking to police is not usually in your best interest. Be polite and complicit within your rights, but don't volunteer information.

Re:Talking to the Police is a bad Idea

I think the individual would have been better off (as in, not having his home raided and property taken) to have just given the data to wikileaks.

"Hey, our national security data turned up on Wikileaks! I wonder how it got there. Oh look, a serial number in the EXIF data. What'd we do with that camera anyway?"

Basically, the poor guy was screwed. He reported the problem and suffered for it. If he didn't report it at all, an audit at MI6 might have turned up the problem and they would have confiscated everything he owned capable of storing the data, possibly including himself.

If he'd followed your harebrained advice, he would probably be dead. Seriously, what part of "taunt the TLA" seems like a good idea to you?

I feel badly for him. My sig is normally meant to be humorous.

No Good Deed...

ever goes unpunished.

If someone comes to you, DO NOT attack them! Be nice, assist in getting any secret data purged, and sign a confidentiality agreement, and give the guy a nominal reward.

Raiding the house of someone who does the right thing is a pretty strong incentive to never help out again, and a strong incentive for others to do so as well. It also feeds the radical opponents' propaganda machine with fresh fodder and lets them become the "persecuted good guys".

So don't do it. Know who your friends are, and don't mess with them. Or they may stop being your friend.

Western societies and governments have enough enemies already, and there is no need to create any more.

Incidents

17 September 2008 The Insolvency Service. Laptop containing personal details of 385 former directors of insolvent companies has been stolen. Greater Manchester Police are investigating the burglary, which happened on 28 August. The Insolvency Service said 385 ex-company directors had been affected and also about 150 people with a connection to the firms. Information on the company directors included name, address, date of birth and occupation. No bank account details were held. In relation to the creditors, complainants and employees, the data included name, address, and bank account details in a small number of cases.

16 September 2008.
NHS memory stick found in street. An NHS trust has apologised after a computer memory stick, containing the confidential files of 200 patients, was found in a street. It stored a summary of medical histories and patients' national insurance numbers and addresses.

Monday, 15 September 2008 18:19 UK.
Police admit to lost data blunder. A police force has undertaken an urgent hunt for a computer memory stick after admitting it has been lost by an officer on duty. A police force has undertaken an urgent hunt for a computer memory stick after admitting it has been lost by an officer on duty.

Monday, 15 September 2008 18:12 UK. Trust loses 18,000 staff records. Discs containing personal information on almost 18,000 NHS staff have gone missing from a north London hospital. Discs containing personal information on almost 18,000 NHS staff have gone missing from a north London hospital.

10 September 2008 11:34 UK
Up to 15,000 patients' data taken
Computer back-up tapes containing personal information on up to 15,396 patients at a surgery have been stolen. "There are 15,396 patients registered at the surgery and potentially information on all of them could be on the tapes.

27 August 2008 12:38 UK,
Health board lost patients' data
A health board has tightened its security measures after the loss of two memory sticks containing patient data.

27 August 2008 12:05 UK Taxpayers' details found on eBay. A Leicestershire council is investigating a report that a computer containing taxpayers' personal details was sold on auction website eBay. Bank account numbers and sort codes of people in the Charnwood Borough Council area were reportedly found after the equipment was sold for £6.99. Information including bank account numbers, telephone numbers, mothers' maiden names and signatures of customers of American Express, NatWest and the Royal Bank of Scotland (RBS) were reportedly found on the computer.

Thursday, 21 August 2008 22:56 UK
Company loses data on criminals

A contractor working for the Home Office has lost a computer memory stick containing personal details about tens of thousands of criminals. The lost data includes details about 10,000 prolific offenders as well as information on all 84,000 prisoners in England and Wales.

9 August 2008 13:06 UK
BBC sorry after TV data is stolen
The BBC has apologised after a memory stick containing the personal details of hundreds of children who had applied to take part in a TV show was stolen. Deverell also informed parents they could call a free helpline if they had concerns about the lost data - which included names, addresses, dates of birth and phone numbers.

29 July 2008 09:42 UK
Missing laptop data not 'at risk'
A laptop computer from the Citizens Advice Bureau in Coleraine has gone missing. The details of about 7,000 people were on the computer of an outreach worker from the voluntary group which was mislaid in transit.

Wednesday, 23 July 2008 14:17 UK
Surgery patients' data is stolen
Information on more than 3,500 patients at a surgery in Greater Manchester has been stolen, health bosses have said.

22 July 2008 20:56 UK
'Spying' requests exceed 500,000
More than 500,000 official "spying" requests for private communications data such as telephone records were made last year, a report says. Police, security services and other p