HM Revenue and Customs loses 25 million child benefit payment records.

20 November, 2007
Disks containing confidential financial records have been lost in the post by a Government agency, indicating the need for stronger enforcement of policy and a clearer culture of data security in public service agencies.
Today, the Chancellor of the Exchequer, who is regarded as second in command of the UK Government after the Prime Minister, blamed junior tax employees for yielding to pressure from the National Audit Office and sending the unencrypted, sensitive financial data of millions of citizens on disks by unregistered mail; the disks were subsequently lost in the post. Nobody knows whether thieves have got their hands on the disks or whether they are simply sitting in a mountain of undelivered post, but 25 million financial records are missing.

He then went on to offer comfort to the nation by explaining there wasn't enough information for potential thieves to gain access to bank accounts and extract money.

I wouldn't expect that the Chancellor has personal expertise in data protection or IT security in general, but I would certainly expect that his advisers are adequately equipped with the latest knowledge. In both the statements he made in the House of Commons today, however, it is clear that he has been grossly misadvised.

The Government itself has been campaigning on the issue of identity theft by issuing leaflets and warning the population not to leave scraps of information lying around that might prove useful to identity thieves. This would include information such as names, addresses, dates of birth, NI numbers and child benefit numbers: exactly the kind of information that was on the lost disks. It's therefore irrelevant that thieves couldn't access hard cash; they don't need to if they have the building blocks of identity.

As for the junior tax officials who have so deftly been made the scapegoats of this debacle, they were operating within a process which would operate smoothly and without management intervention if it weren't full of holes. We all operate shaky processes from time to time, but safeguarding the nation's financial information isn't usually one of them and should be absolutely watertight. So what are the obvious holes in this process that allowed the tax officials to lose the data?

1 The data was loaded to disks: Removable media is the most unsafe way to store data. It gets forgotten about or lost, and it is hard to control its distribution. Even some small enterprises with a dozen employees disable disk writers in the office to prevent people from walking out of the door with sensitive data.

2 The disks were sent by unregistered mail: This is possibly the strangest aspect of this story. Who sends data through the mail? The fact that a large public service organisation actually posts disks of data is almost unfathomable.

3 The data was unencrypted: There is a large pile of vendors falling over themselves to offer data encryption and flooding the press with information about how passwords are not enough and that encryption is needed to prevent unauthorised users from reading the data. HMRC must have heard of encryption and can presumably afford it.

Businesses are investing a lot of time, expertise and money into protecting their proprietary information, conforming to data protection legislation and complying with various standards and regulations. They're doing this because the threat level is high and cyber-crime has reached a level that nobody can ignore. Everybody who uses a computer considers the risks and takes appropriate actions to avoid or mitigate them, and so they naturally expect public service and government organisations to exercise their duty of care over our sensitive information by taking appropriate protective measures. When one public service agency suffers two large-scale data breaches in a short space of time, there is a clear need for substantial reform and for a restoration of confidence that the data it holds, which the population has no choice but to provide, is adequately protected.