Public Sector Cyber Break-Ins: Our Money, Our Right To Know
Arthur T Knackerbracket has processed the following story:
At the start of September, Transport for London was hit by a major cyber attack. TfL is the public body that moves many of London's human bodies to and from work and play in the capital, and as the attack didn't hit power, signaling, or communications systems, most of the effects went unnoticed by commuters. The organization downplayed the damage done to back office ticketing, billing, and other systems. Everything was in hand.
Not for long. TfL (Transport for London) quickly rowed back on claims that no customer data had been exposed as evidence appeared to the contrary. Customers complained that various ticketing discount schemes and group privileges for students and retirees weren't accessible, and TfL made vague promises to perhaps compensate for this some time in the future if receipts were kept. The official line was, however, that things were basically fine.
Recent reports say otherwise, claiming that the scope of the problem is much wider and the situation more serious than previously understood. A vintage friend of The Register confirmed that he couldn't get his old age travel permit, while TfL's Oyster contactless ticketing system was putting erroneous entries on passenger accounts that could not easily be fixed.
[...] This is not unique to TfL. If you've read The Register for more than a week, you'll know how it goes. Nobody likes to broadcast bad news, and from the British Library to public health services to government organizations, the initial instinct to manage the information about a breach seems stronger than the instinct to manage the systems in the first place. Commercial entities have the same instincts, but can be quite the poster children for regulatory disgorgement. Public sector outfits have the institutional instinct to clam up and ride things out, which their political overseers understand all too well.
This is exactly wrong. There is a case to be made to exact more disclosure from companies that get hit by cybercrime, but also the argument that their responsibilities are limited to themselves, and their customers can leave or lawyer up depending on levels of horror and hurt. Public sector outfits not only have much broader responsibilities to citizens, not customers, but consume state resources that directly affect all our lives. A million spent rebuilding an IT system blown apart by bit burglars is a million not spent keeping people safe, healthy, and free.