Personal data on every child in the country and national
insurance numbers and bank account details of parents and carers
claiming child benefit have gone missing after the government sent
two password-protected CDs through the post.
The loss, one of the worst incidents of its kind, has sparked
the sudden resignation of Paul Gray, the chairman of Her Majesty's
Revenue and Customs (HMRC) today.
"HMRC has a responsibility towards the public. It has failed to
meet the standards expected of it," Alistair Darling, the
chancellor, said in the House of Commons today. "I deeply regret
this and apologise for the anxiety that will be caused."
The lost data includes the names, addresses and dates of birth
of every child in Britain, as well as financial information on
adult claimants. A total of 25 million people are affected - more
than two-fifths of the UK's population.
It emerged that HMRC sent the data, on all children, parents and
carers claiming the UK's universal child benefit, from its office
in Washington in the north-east of England, to the National Audit
Office in London, which had requested it for audit purposes.
A junior employee of HMRC sent discs through the UK's standard
postal service on 18 October. When the NAO reported the data had
not been received, the employee resent the discs, although this
time by registered, recorded post. The original discs were reported
lost on 8 November, and the chancellor was informed on 10
November.
Darling told the House of Commons that he delayed reporting the
loss initially to allow a thorough search to take place by Customs
officials, and when this failed to produce results, to involve the
police and to allow the UK's banks and building societies to
establish checks on every affected account to look for suspicious
activity.
"So far, they have found no evidence of such activity," Darling
said. Checks have been back-dated to 18 October: "Again, so far,
they have found no evidence of unusual activity." He added that the
police do not believe the data has fallen into the wrong hands, but
conceded that it was "highly probable" that the Data Protection Act
had been breached.
Darling announced an enquiry into HMRC's data handling
processes, to be carried out by Kieran Poynter, UK chairman of
audit firm PricewaterhouseCoopers. He said HMRC has changed its
procedures, so that the transmission of such data requires sign-off
from a senior manager.
The opposition called for the government to abandon its plans
for a national identity register and identity cards as a result of
the breach. George Osborne, the shadow chancellor, who called the
HMRC's loss a "catastrophic mistake", said it should mark the final
blow for the identity card scheme.
He added that the government had compromised the information
security of every family in Britain. "They simply cannot be trusted
with people's personal information," he said. "Get a grip and
deliver a basic level of competence."
Avivah Litan, a senior Gartner analyst, said she could not think
of any more serious breach of personal information. Although the US
Veterans Administration lost a laptop with a similar number of
names, addresses and social security numbers, this did not include
bank account details, which is the most highly-prized kind of data
for fraudsters.
"Banks will be scrambling to think what to do. They will be
looking for signs of fraud, and the first they see, they will shut
down accounts," she said.
Litan said that, as the government has said the information is
password-protected, "it is obviously not encrypted". She said such
data should be encrypted even when within the organisation, and
should be sent only through encrypted electronic transfer. She
added that although only 1% of data lost on physical media is put
to criminal use, the publicity around this case makes fraud more
likely. In the worst case, a breach of the data could cost the UK
£145m, she said.
In a statement, the information commissioner, Richard Thomas,
said, "This is an extremely serious and disturbing security breach.
This is not the first time that we have been made aware of breaches
at HMRC - we are already investigating two other breaches.
Incidents like these illustrate that any system is only as good as
its weakest link."
"The alarm bells must now ring in every organisation about the
risks of not protecting people's personal information properly. As
I highlighted earlier this year, it is imperative that
organisations earn public trust and confidence by addressing
security and other data protection safeguards with the utmost
vigour," he continued, adding that he welcomed the enquiry by
Kieran Poynter.
On 14 November, the Information Commissioner's Office told a
House of Lords enquiry that the government should introduce
criminal penalties including prison sentences for severe breaches
of personal data.
This article first appeared on the web-site of Infosecurity
magazine, http://www.infosecurity-magazine.com/