Nine members of staff at local authorities have been sacked for looking at the personal records of friends and celebrities on the government's National Identity Scheme.
A report by Computer Weekly claimed that the nine were among 34 staff who had illegally accessed the Customer Information System (CIS) database that holds the biographical data of the population, and will underpin the government's multi-billion-pound ID card programme.
Brian Cleary, vice president of products and marketing at Aveksa, claimed that the sackings were a clear example of the natural curiosity of employees.
Cleary said: “Most of these workplace incidents are not tied to bad intentions, they may just simply be employees taking advantage of a lack of access policy controls at the companies they work at without realising the privacy laws they are breaking and the risk to which they are exposing their organisations.
“Employees at these organisations need to realise the danger that even sneaking a peek at these records can cause to them and their employers. The real fault for these problems is not with the natural curiosity of employees, however, but rather with the poor controls for how user access is governed at these organisations. To be effective and consistently applied, policies need to be instantiated as a set of automated controls, not just in the corporate security policy ring binder.”
Meanwhile Ross Brewer, managing director and vice president of LogRhythm, said: “These findings are not entirely unsurprising. As more inter-connected initiatives such as the Government Connect Secure Extranet (GCSx) emerge, the government has recognised the potential risk of unauthorised access of information and has mandated that protective monitoring solutions are put in place.”
He claimed that local authorities have implemented, or are in the process of implementing, log and event management solutions to allow them to track user and system activity.
“These solutions will mean that organisations are no longer reliant on ‘sample checks’ to identify illegal access of information, but instead, will be flagged immediately when inappropriate access has occurred,” said Brewer.