Thousands of farmers' bank account details have been lost by the
Rural Payments Agency (RPA) after the Government body lost two
back-up tapes of confidential data belonging to all English
farmers.
The RPA, which administers the single payment system of EU
subsidy to English farmers, for the Department of Environment Food
and Rural Affairs (DEFRA), was heavily criticesed last week by the
National Audit Office for its handling of the scheme.
Now
Farmers Weekly has learnt that the RPA has lost confidential
data belonging to any farmer who has ever claimed a single farm
payment. Computer tapes containing the bank details, addresses,
passwords and security questions of more than 100,000 farmers were
discovered missing in May, at which point DEFRA was alerted.
The RPA, which is blaming the loss on its contractor IBM,
discovered the problem in September, but at no time has the agency
or DEFRA attempted to inform farmers about the breach. Leaked
information was given to Farmers Weekly this week by frustrated
civil servants working on the single payments system within the RPA
and an external consultant who has been advising the agency.
These whistle-blowers were concerned that the RPA and DEFRA
would remain tight-lipped over the incident and about the risks the
breach posed to farmers. They claimed that 39 back-up tapes
containing confidential details went missing after they were
transferred from RPA offices in Reading to Newcastle. Thirty-seven
of the tapes have since been recovered, but two remain unaccounted
for.
DEFRA has admitted that tapes went missing, but told Farmers
Weekly that the data was not lost in transit and was instead
misplaced within the data centre.
A DEFRA spokeswoman said a thorough search was conducted to find
the missing material and concluded that some tapes were misfiled
and placed "on the wrong shelf". She described this as "bad
book-keeping" by RPA-contracted IT consultants IBM, who run the
data centre.
DEFRA said it assumed that the two tapes that were never found
must have been destroyed. The breach of security is the latest
disaster for the agency, which has faced a catalogue of errors
since the single payment scheme was launched in 2005.
According to the whistleblowers, the error occurred after
back-up tapes containing confidential details were sent between IBM
and another IT consultant, Accenture. The tapes were last accounted
for in June 2008, but it was not until May this year that IBM
realised the data was missing and informed DEFRA.
The sources claim DEFRA tried to cover the error and it was only
realised by the RPA in September when annual data checks were
carried out. One source said the tapes had not been encrypted as
they should have been.
"DEFRA knew about this and did nothing," the source said.
"People should be made aware that their details have gone missing.
"I know people at the middle management level tried to advise
senior civil servants to do the right thing and tell farmers, but
they're not listening."
In further security breaches, the sources claim members of the
senior RPA management team have failed to report the loss of memory
sticks and laptops which could contain farmers' information.
"It's symptomatic of the senior managers. There are a lot of
good people working in the lower levels of the organisation, but we
think the top-level board is rotten to the core."
DEFRA admitted its data was not encrypted, but insisted
information could not be accessed without specialised technical
equipment and knowledge.
DEFRA and the RPA issued the following statement to farmers
Weekly: "Since these incidents, procedures have been further
tightened to prevent a recurrance. IBM have instigated a thorough
review of their procedures to manage removable storage media, such
as these tapes, as well as tightening access control
requirements.
"The tapes are held in a secure IBM data centre and only IBM and
Accenture technicians have access to them. Both IBM and Accenture
were asked to review their security arrangements as a result of
this incident." DEFRA said the risk posed to farmers was very
low.
National Audit Office calls for DEFRA to replace £350m IT
system
Rural Payment Agency £350 million IT system: pouring money into the
digital landfill