MTAS and other NHS websites
Matthew Byng-Maddick
ukcrypto at chiark.greenend.org.uk
Mon, 7 May 2007 13:47:30 +0100

On Sat, May 05, 2007 at 04:22:23AM -0400, vickyvicky@egypt.com wrote:
> I've only just stumbled across the list. I am a doctor and a
> shortlister/interviewer in the present MTAS recruitment round.
>
> The /info folder on MTAS had previously contained a series of useful
> files, including some of the rules for carrying out interviews,
> competition ratios etc. It was a virtual directory listing, and new
> files were added to it periodically. It was clearly intended as a way
> for Deanery and other staff to keep up to date with current
> information. Someone presumably uploaded some highly confidential data
> into this folder. A handful of people would have seen it. Unluckily
> for MTAS, one of those people was Channel 4 News.

This is appalling, really. If security by obscurity (of URL) was all
that protected, then whether or not Channel 4 News got involved, all
it would take is one person looking at the site with Google Toolbar
or some other such Google tool, and Google knows to go indexing that
because it doesn't already have it.

Either a contractor or a webmaster is seriously incompetent under these
circumstances.

> This was really only a minor breach of security, an act of stupidity,
> although maybe symptomatic of a general attitude.

Please feel free to tell that to someone whose sexual orientation (not
well-known to colleagues) had their data revealed to Channel 4 News. I'm
sure they'll agree with you that it was only a "minor breach of security".

The question in my mind is now, "if this is only a minor breach of security
what do you class as a major breach?".

Cheers

MBM
--
Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/
(Please use this address to reply)