MTAS and other NHS websites

Peter Tomlinson ukcrypto at chiark.greenend.org.uk
Sat, 05 May 2007 12:20:31 +0100


vickyvicky@egypt.com wrote:

>> That's very interesting. So they were accustomed to using the directory
>> as a way of distributing non-public information.
>
> Some of it was public - the Competition Ratios (ie number of people  
> applying for each job) were in a subfolder eg  
> www.mtas.nhs.uk/info/ST_2007_1/CRST3.pdf
>
> The main /info folder was used for semi-public information. It wasn't  
> openly advertised, but must have been intended for use by Deaneries  
> and other Interested Parties. The directory could be listed, so it
> was easy to see when new files were uploaded.
>
>>> Someone presumably uploaded some highly confidential data into this
>>> folder. A handful of people would have seen it. Unluckily for
>>> MTAS, one of those people was Channel 4 News.
>>
>> Oh come on. "Unluckily"? The data was deliberately forwarded to Ch4
>> News by a doctor, in order to embarrass DH.
>
> Er what I meant was 'it was unlucky for MTAS that a doctor saw it so
> quickly'. It seems likely that the file was put there on a short-term
> basis so that it could be quickly disseminated. They might have got
> away with it. For all I know, they might have even done it on a
> regularish basis. Unluckily, they got spotted.
>
We really would like to know if the data files with all the applicants' 
data were completely open to anyone who discovered the URLs, i.e. if 
they could be viewed (on-line or after download) without logging in, if 
they could be viewed by everyone who had an account that is password 
protected (i.e. every doctor registered with the scheme), or if the 
files were themselves protected by individual passwords or in any other way.

Putting it another way, if Channel4 was simply given a URL and nothing 
else, could they access the data during its window of availability?

PeterT