HMRC's missing Child Benefit CDs - what went wrong and lessons for NPfIT and ID cards

The practice of sending across the country unencrypted, CD-based files on millions of child benefit claimants could have continued indefinitely if the discs hadn’t gone missing, we have learned.

Seven months before the CDs went missing, HM Revenue and Customs had already established a practice of transferring onto CD, for despatch by post, insecure, though password-protected, files on millions of child benefit claimants.

The lost discs contained details of all child benefit recipients: records for 25 million individuals and more than seven million families.

The records included parental names, addresses, dates of birth, child benefit and national insurance numbers and where relevant bank or building society details. Paul Gray, the chairman of HM Revenue and Customs, has resigned because of the incident.

The practice of transferring all of the child benefit data onto CDs began in March this year after HMRC’s auditor, the National Audit Office [NAO], ceased to accept sample records for its audit of the department’s accounts.

In the past officials at the Department for Work and Pensions had selected sample child benefit files and passed these to the NAO whose auditors checked for possible fraud and error.

But in March this year, for an audit of HMRC’s 2006/7 Resource Accounts, the NAO, to do a more robustly independent check on the child benefit data, requested a full copy of the details of claimants, not merely a part of the data that had been selected by the department.

Though HMRC has rules on handling sensitive data, it’s unclear whether it had specific, established procedures for handling the request of the NAO.

Aware that the files on child benefit claimants were sensitive, the NAO in March 2007 asked that HMRC filter the information before sending it to the audit office. The NAO asked for the child benefit records to be stripped of details of the parents, addresses and bank information.

HMRC replied that it could not do this – its systems were not sufficiently flexible. It explained it could download only the whole of the information. So it sent to the NAO, by courier-post, all of the details of parents and children, including some bank account details.

That was when the insecure practice began of HMRC sending unencrypted files to the NAO. No alarm bells were raised over the practice in March 2007.

It appears that it was thought easier to send the claimant files on CD than trying to send them electronically. This raises questions about whether government departments are routinely sending CDs with sensitive data around the country, thus avoiding technical challenges and security restrictions on exchanging files electronically.

So in March 2007 HMRC transferred the child benefit data onto CDs and sent them by courier-post from Washington, Tyne and Wear, to the NAO which is near Victoria Station in London. They arrived safely – and the practice became established.

The data was sent to the NAO only partially formatted. It had to be loaded on the NAO’s mainframe systems before it could be manipulated.

In October this year, when the NAO wanted to do an audit of HMRC’s 2007/8 Resource Accounts, it again asked the department for its child benefit data. This is the sequence of events:

2 October 2007: The NAO formally asks HMRC for files on child benefit claimants.

18 October: HMRC tells the NAO that the CDs have been sent

24 October: The NAO informs HMRC that the discs have not arrived. The NAO asks for a second set to be sent – it needs them urgently to ensure an audit of HMRC’s accounts is not delayed.

25 October: The NAO confirms receipt of the second set of discs. It staff point out that the first set has still not arrived.

5 November: HMRC confirms that the first set of CDs is still missing.

8 November: The NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. It is only at this point that HMRC’s senior management is informed – but not the Chancellor of the Exchequer Alistair Darling who is responsible for HMRC.

10 November: HMRC with the cooperation of the NAO begins a search for the CDs at the offices of the audit office at Victoria. The NAO has no record of having received the first set of CDs. Only now is Alistair Darling, the Chancellor, informed.

11 November: HMRC and the police search the NAO’s offices. Nothing is found.

20 November: Alistair Darling makes a statement to the House of Commons on the missing discs and Paul Gray, the chairman of HMRC resigns.

21 November: HMRC issues an apology.


The incident shows that whatever IT security procedures are in place there is always a strong possibility that humans will find a way, unwittingly perhaps, to circumvent them.

If we had asked HMRC two months ago whether it was possible for 25 million files on child benefit claimants to be downloaded onto CDs and to go missing in the post, we would doubtless have been told it was impossible. We would doubtless have been told of the Revenue’s robust security practices.

The government is planning bigger databases – the NHS’s database of medical records is expected to hold details on 50 million people in England. The ID cards database will hold details on many more people. We are being told – and will be told repeatedly – that a major security breach cannot happen.

The HMRC incident shows that government assurances about the security of citizen data may mean little or nothing in practice.


HMRC’s apology:

Child Benefit customer update

I am writing to make a personal apology. A copy of some HM Revenue and Customs (HMRC) data about families, including yours, who have received Child Benefit has been lost. The copy of the data is likely to still be on Government property. The police are now conducting a search, and there is no evidence that it is in the possession of anyone else. This will not affect your Child Benefit payments.

This data includes your and your children’s names and dates of birth, your address, your National Insurance number and, where relevant, the details of the bank or building society account into which your Child Benefit is or was paid.

If you are paid through a bank or building society, they are aware of this matter. They are acting on this information, and assure us that they have appropriate safeguards in place to protect you.

As is usual in these circumstances, if you are the innocent victim of banking fraud you will not have to pay, but you may want to take some precautionary steps to protect yourself. If you receive bills, invoices or receipts or see entries in your statements for goods or services which you have not ordered you should contact your bank or building society immediately. In addition, do not give out personal or account details if anyone contacts you unexpectedly. Instead take a note of their name and number, and if you are at all suspicious contact your bank or building society. If your password uses any of your personal data, for example your child’s name or date of birth, you may also wish to consider changing any passwords you use.

The advice of banks is there is no need for customers to ask for a new account or to contact their bank or building society. Your Child Benefit payments will continue to be paid as before and you do not need to contact HMRC. However if you experience any problems, in the receipt of your Child Benefit payments, please contact HMRC on 0845 302 1444 between 8am and 8pm on any day of the week (closed Christmas Day, Boxing Day and new Years Day.

I would like to offer my personal apologies for any worry or concern this data loss may cause you. And I can assure you that all efforts are being made to ensure that such a loss can never happen again.

Dave Hartnett


Paul Gray’s resignation letter to HMRC staff

I am announcing today that I will be standing down as HMRC Chairman as a result of a substantial operational failure in the Department. The Chancellor will be making a statement to Parliament later today.

This is not the way I would have planned to organise my departure from HMRC. I had hoped to be around for a while longer, and to have had the continuing privilege of leading HMRC towards the vision we have been developing. But I am extremely proud of what all of you in the organisation have achieved during my time as Deputy Chairman and Chairman.

Our record – for example in achieving sustained increases in tax receipts, in steadily improving the operations of the tax credit system, and in playing our full part in protecting the border – is a good one. At the same time we have made important steps in restructuring the Department to face our future challenges, delivering more with reduced resources. I know we still face some major issues where we need to do better. But I am confident the forthcoming Capability Review report will highlight some major strengths in HMRC, while giving us helpful steers on how we can improve further.

I am extremely sorry that you may have learned about this first from the media. I will provide further details after the Parliamentary statement.



UK government loses data on 25 million citizens

UK families put on fraud alert

Millions of child benefit records lost

Missing data on 25 million people

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Some obvious and fairly simple questions need to be answered by HMRC, such as:

(a) The ability to write a CD on any PC or laptop connected to a civil service network is a security weakness and only certain authorized individuals should have access to a machine where CD writing is enabled in their login security profile. So why was a junior official able to download this information onto CDs and who authorized the creation of the user profile with the relevant security privileges?

(b) The child benefit database presumably has a quite complex structure with data held in multiple tables, and in some cases complex relationships existing between the tables. So why did the NAO need to access/analyse this material on their own mainframe - would it not have been better to audit the information in situ? If it is not possible to do so this identifies a major failure in systems design.

(c) Over the last decade the Government has invested heavily in the creation of a secure national (intranet) infrastructure - the GSI. Why was the data not securely transferred electronically (via FTP) over the GSI? This would have avoided the creation of sensitive media which could go astray.

(d) Given that sensitive financial and personal data was required by the NAO, what procedures are in place to ensure its secure handling and destruction by the NAO once the audit is complete?

Over the past couple of years security breaches have shifted from intrusion to extrusion. There have been many events that have led to data being leaked out of organizations, whether accidentally or maliciously.

Solutions exist that are focused to combat these types of events, solutions that ensure that if data is to be copied to CD, it would be encrypted, the event logged, the correct people notified...

This kind of incident is happening at many companies right now. At least we know about HMRS losing this data, what about all the data that has been lost, and is being lost right now, and nobody knows about it?

It seems amazing, that such a thing has been handled by the government, with all the security & preparation of sending a casual birthday card ;-)

The very least they could have done, was to use signed-for delivery costing £3, but i guess after building domes and ferris wheels, they just didn't have the spare £3 anymore.

The reality of security with electronic data, is that if somebody wants that protected data, they WILL get it, eventually. A simple password system is easy to bypass, encryption is harder, but the best protection of all is generally to keep things to yourself ;)

What has happened here, is a standard example of how badly organised, untrained, and how dis-interested people are generally, in office precedures and security. Not one of those people had stopped and thought "Hang on, shouldn't this be more, well, secured??".

As a computer specialist, i see this in all modern life - at the Dr's, the receptionist has 100% access to my private details, and even gave me an emergency prescription last month :-o, at the bank, i lost my card, and on asking for a new one at the desk, i was also handed £500 cash with no ID, just a signature (which anybody could have copied), at my hospital, they couldn't access a standard website due to a firewall, when they 'needed' medical details for me.....and don't even get me started on the government spending all that ££££ on the famous Millenium Bug, that was just soo funny to those who knew its reality.

Maybe instead of using private limos, they could start posting MP's and other officials around? then we could loose some of them too?


It's sad that one of the world leading economy like Britain could be unsafe for data collection. where is the science, where is the passion to be responsible for our Childrens' future, where is the safety measure in combatting terrorism globally?

Tthis is a security warning to other countries.

Dipo Jolomi


I am amazed that all the blame for these incidents is focusing on HMRC.

Surely the audit office should have not approved the CD-based data

transfer. I mean, they are meant to be auditors and guardians of proper

practice. Who audits the auditors?

Why is everyone going on about who's to blame?

Don't you realize we will live with this hanging over us for the rest of our lives.

Even if they recover the disks who's to say they are the only one done?

This could come back on us, tomorrow, in a week, a year, 10 years, 50 years!!!

What were they thinking??

This is all a smoke screen, Paul Gray is departing before the mounting pile of s**t that relates to Intra community VAT fraud (MTIC) and the reverse charging policy in place in the UK (on interim approval by EU) hits the fan. HMRC have held up 100's of millions of £'s in VAT which they cannot justify; And more to the point the traders cases are starting to reach tribunal stage where HMRC will start losing and be ordered to repay.

Why transfer all 25 million records when only 100 randomly selected records were required by the NAO? Surely for a regular operation, such as this, the NAO could be given their own secure network access to the HMRC servers, to run an application of their own design which would select 100 different randomly selected records every 6 months and then download them to an NAO computer.

The trouble with this whole fiasco is that it is nothing new... Take a look at this story which dates back to 1998, and please leave a comment.

It's atrocious, and it will happen time and time again if we give our personal details over to any large body... in this case the banks and government.

This is nothing less than a national disaster with more impact and significance than the Titanic, and yet media coverage has disappeared.

Is it government media control, or is just plain dis-interest.

Either way we are allowing the Government to move-on without redress, and without being held responsible for recovering the CD's.

And lastly, without being held accountable we can look forward to more of these disasters as increasingly more personal data is centralised by governments with poor or no security measures in place.

God help us

What sort of system have HMRC got that means it cannot remove sensitive data: "HMRC replied that it could not do this – its systems were not sufficiently flexible"

Are they still on punched cards or what? Any database system, which I assume they use, can copy large files removing columns, etc ... I do it every day of the week!