
HMRC data loss a failure of policy, according to SafeBoot.

SafeBoot : 20 November, 2007  (Technical Article)
The loss of the financial information of 7 million families by HM Revenue and Customs highlights the need for strong data protection and a strict adherence to security policies.
At 15:30 today, the Chancellor of the Exchequer released a statement to the House of Commons in reaction to HMRC's data breach and the measures that will be taken to protect the public in future.

In short, the Chancellor summarised the debacle as follows:

* The National Audit Office (NAO), in March this year, requested data from HMRC against standard guidelines. This was supplied by a junior employee, but was returned once audited.
* Following this procedural breach, the NAO again requested information from HMRC and it was again downloaded onto disks and sent to the NAO.
* The disks were password protected but not encrypted.
* They were posted via standard post and then lost in transit (18 October).
* When it was discovered the CDs were lost, two more were produced and sent by registered post and subsequently arrived.
* The initial loss was reported on 8 November.
* The Chancellor was informed on 10 November.
* On 12 November, HMRC thought they had discovered a breakthrough to find the CDs but on 14 November it admitted it could not find them and the Metropolitan Police was informed.
* 25 million individual records have been reported as lost, which equates to over 7 million families and the information lost includes sensitive financial data which could be used for ID theft.
* As yet, the CDs have not been found and an investigation is still in progress.
* The Chancellor has also instigated an independent review of HMRC's security procedures by PWC - the full results will be published in Spring 2008.

In response to this, Tom de Jongh, product manager at SafeBoot stated:

"It seems that the issue in this case is far deeper than a simple security oversight. Basic policies were ignored. It appears that the fundamental policies upon which the NAO and HMRC operate are flawed, and it is no wonder that this breach has occurred. The Chancellor freely admits that NAO and HMRC broke clear procedures, but that will not reassure the millions of families that are praying their financial details don't get into the wrong hands.

"This case illustrates exactly how not to enforce security policies. Sensitive information is exactly that - sensitive. Government agencies, and businesses alike, must ensure that stringent security tools are deployed as a matter of course and that any such procedural breaches are mitigated. Senior business heads need to enforce such policies. For example, encryption tools would have ensured that when the data was lost, at least the information would be inaccessible and virtually useless. However, the Chancellor doesn't seem to grasp this.

"Paul Gray [chairman of HMRC] paid a high price and other business leaders should take note. Heads need to make sure that security policies are adhered to strictly or face the penalties, and only time will tell if the Chancellor will take any blame for this. At present, the standard line seems to be that HMRC does not fall under the government's responsibility."