HM Revenue and Customs loses computer discs containing the confidential details of 25 million child benefit recipients
(20/11/2007)
Paul Gray, chairman of HM Revenue and Customs, has resigned following the loss of computer discs thought to contain the confidential details of 25 million child benefit recipients along with people's bank details. The resignation of Mr Gray was accepted because the discs had been transported in breach of rules governing data protection.
The Chancellor of the Exchequer today [20 November 2007] released a statement to the House of Commons on HMRC’s data breach and the measures that will be taken to protect the public in future. The Chancellor summarised the debacle as:
* The National Audit Office (NAO), in March this year, requested data from HMRC against standard guidelines. This was supplied by a junior employee, but was returned once audited
* Following this procedure breach, NAO again requested information from HMRC and it was again downloaded onto disks and sent to NAO
* The disks were password protected but not encrypted
* They were posted via standard post and then lost in transit (18 October)
* When it was discovered the CDs were lost, two more were produced and sent by registered post. They arrived.
* The initial loss was reported on 8 November
* The Chancellor was informed on 10 November
* On 12 November, HMRC thought it had made a breakthrough in finding the CDs, but on 14 November it admitted it could not find them and the Metropolitan Police was informed
* 25 million individual records have been reported as lost, which equates to over 7 million families; the information lost includes sensitive financial data which could be used for ID theft
* As yet, the CDs have not been found and an investigation is still in progress
* The Chancellor has also instigated an independent review of HMRC’s security procedures by PWC – the full results will be published in Spring 2008
In response to this, Tom de Jongh, product manager at SafeBoot stated: “It seems that the issue in this case is far deeper than a simple security oversight. Basic policies were ignored. It appears that the fundamental policies upon which the NAO and HMRC operate are flawed, and it is no wonder that this breach has occurred. The Chancellor freely admits that NAO and HMRC broke clear procedures, but that will not reassure the millions of families that are praying their financial details don’t get into the wrong hands."
“This case illustrates exactly how not to enforce security policies. Sensitive information is exactly that – sensitive. Government agencies, and businesses alike, must ensure that stringent security tools are deployed as a matter of course and that any such procedural breaches are mitigated. Senior business heads need to enforce such policies. For example, encryption tools would have ensured that when the data was lost, at least the information would be inaccessible and virtually useless. However, the Chancellor doesn’t seem to grasp this."
“Paul Gray [chairman of HMRC] paid the ultimate price and other business leaders should take note. Heads need to make sure that security policies are adhered to strictly or face the ultimate penalty, and only time will tell if the Chancellor will take any blame for this. At present, the standard line seems to be that HMRC does not fall under the government’s responsibility.”
Jamie Cowper, Director of European Marketing at PGP Corporation, made the following comments: "The UK's understanding of the threats around data breaches has certainly come a long way if the Chairman of HMRC has to resign over this incident - potentially the UK's biggest data breach to date - but you have to ask whether this is really going to help solve the operational risk issues that the organisation clearly faces."
"These discs should never have been transported in the first place - information of this type should only be transmitted using the strongest security protocols available such as encrypted batch transfer - but more to the point, these details should not have been stored in this medium.
"Discs are easy to lose, but difficult to protect. This type of information should only be stored on formats where the data can be encrypted transparently, so that it remains protected wherever it resides, and whether at rest or in motion."
Chris Mayers, chief security architect at Citrix, commented: “Despite early assurances from the government that this data won’t have fallen into the wrong hands, that may owe more to good luck than judgment. It sounds like a fundamental failure of proper data protection planning that such a large volume of sensitive data would ever be moved in any format without the strictest digital and physical security in place."
“But why did this information even need to be transported at all? In these days of secure remote access there is rarely any need for data to be written onto a CD and transported anywhere. All organisations handling sensitive data need to realise there is nothing more important than their responsibility to keep that data secure. That means ensuring data is properly encrypted, and travels only when necessary: not on ordinary CDs, print-outs, or even on laptops - all of which appear to go missing with appalling regularity. It's not enough to react to loss of data. Organisations need to have robust security at all times."
Brian Spector, General Manager for Content Protection Group, Workshare, concluded: "It is staggering that an organisation responsible for the data of over 25 million child benefit claimants is still copying data onto CDs and not ensuring its full protection through encryption techniques. It has never been acceptable for businesses or government departments to lose data but in today's information society, the flagrant disregard for the protection and security of this type of data is not acceptable. The money invested in IT by the UK government must now be prioritised on security to ensure that the data of those the Government serve - the public - is secure and protected."


