HMRC's missing Child Benefit CDs - what went wrong and lessons for NPfIT and ID cards

The practice of sending across the country unencrypted, CD-based files on millions of child benefit claimants could have continued indefinitely if the discs hadn’t gone missing, we have learned.

Seven months before the CDs went missing, HM Revenue and Customs had already established a practice of transferring onto CD, for despatch by post, insecure, though password-protected, files on millions of child benefit claimants.

The lost discs contained details of all child benefit recipients: records for 25 million individuals and more than seven million families.

The records included parental names, addresses, dates of birth, child benefit and national insurance numbers and where relevant bank or building society details. Paul Gray, the chairman of HM Revenue and Customs, has resigned because of the incident.

The practice of transferring all of the child benefit data onto CDs began in March this year after HMRC’s auditor, the National Audit Office [NAO], ceased to accept sample records for its audit of the department’s accounts.

In the past officials at the Department for Work and Pensions had selected sample child benefit files and passed these to the NAO whose auditors checked for possible fraud and error.

But in March this year, for an audit of HMRC’s 2006/7 Resource Accounts, the NAO, to do a more robustly independent check on the child benefit data, requested a full copy of the details of claimants, not merely a part of the data that had been selected by the department.

Though HMRC has rules on handling sensitive data, it’s unclear whether it had specific, established procedures for handling the request of the NAO.

Aware that the files on child benefit claimants were sensitive, the NAO in March 2007 asked that HMRC filter the information before sending it to the audit office. The NAO asked for the child benefit records to be stripped of details of the parents, addresses and bank information.

HMRC replied that it could not do this – its systems were not sufficiently flexible. It explained it could download only the whole of the information. So it sent to the NAO, by courier-post, all of the details of parents and children, including some bank account details.

That was when the insecure practice began of HMRC sending unencrypted files to the NAO. No alarm bells were raised over the practice in March 2007.

It appears that it was thought easier to send the claimant files on CD than trying to send them electronically. This raises questions about whether government departments are routinely sending CDs with sensitive data around the country, thus avoiding technical challenges and security restrictions on exchanging files electronically.

So in March 2007 HMRC transferred the child benefit data onto CDs and sent them by courier-post from Washington, Tyne and Wear, to the NAO which is near Victoria Station in London. They arrived safely – and the practice became established.

The data was sent to the NAO only partially formatted. It had to be loaded on the NAO’s mainframe systems before it could be manipulated.

In October this year, when the NAO wanted to do an audit of HMRC’s 2007/8 Resource Accounts, it again asked the department for its child benefit data. This is the sequence of events:

2 October 2007: The NAO formally asks HMRC for files on child benefit claimants.

18 October: HMRC tells the NAO that the CDs have been sent

24 October: The NAO informs HMRC that the discs have not arrived. The NAO asks for a second set to be sent – it needs them urgently to ensure an audit of HMRC’s accounts is not delayed.

25 October: The NAO confirms receipt of the second set of discs. It staff point out that the first set has still not arrived.

5 November: HMRC confirms that the first set of CDs is still missing.

8 November: The NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. It is only at this point that HMRC’s senior management is informed – but not the Chancellor of the Exchequer Alistair Darling who is responsible for HMRC.

10 November: HMRC with the cooperation of the NAO begins a search for the CDs at the offices of the audit office at Victoria. The NAO has no record of having received the first set of CDs. Only now is Alistair Darling, the Chancellor, informed.

11 November: HMRC and the police search the NAO’s offices. Nothing is found.

20 November: Alistair Darling makes a statement to the House of Commons on the missing discs and Paul Gray, the chairman of HMRC resigns.

21 November: HMRC issues an apology.


The incident shows that whatever IT security procedures are in place there is always a strong possibility that humans will find a way, unwittingly perhaps, to circumvent them.

If we had asked HMRC two months ago whether it was possible for 25 million files on child benefit claimants to be downloaded onto CDs and to go missing in the post, we would doubtless have been told it was impossible. We would doubtless have been told of the Revenue’s robust security practices.

The government is planning bigger databases – the NHS’s database of medical records is expected to hold details on 50 million people in England. The ID cards database will hold details on many more people. We are being told – and will be told repeatedly – that a major security breach cannot happen.

The HMRC incident shows that government assurances about the security of citizen data may mean little or nothing in practice.


HMRC’s apology:

Child Benefit customer update

I am writing to make a personal apology. A copy of some HM Revenue and Customs (HMRC) data about families, including yours, who have received Child Benefit has been lost. The copy of the data is likely to still be on Government property. The police are now conducting a search, and there is no evidence that it is in the possession of anyone else. This will not affect your Child Benefit payments.

This data includes your and your children’s names and dates of birth, your address, your National Insurance number and, where relevant, the details of the bank or building society account into which your Child Benefit is or was paid.

If you are paid through a bank or building society, they are aware of this matter. They are acting on this information, and assure us that they have appropriate safeguards in place to protect you.

As is usual in these circumstances, if you are the innocent victim of banking fraud you will not have to pay, but you may want to take some precautionary steps to protect yourself. If you receive bills, invoices or receipts or see entries in your statements for goods or services which you have not ordered you should contact your bank or building society immediately. In addition, do not give out personal or account details if anyone contacts you unexpectedly. Instead take a note of their name and number, and if you are at all suspicious contact your bank or building society. If your password uses any of your personal data, for example your child’s name or date of birth, you may also wish to consider changing any passwords you use.

The advice of banks is there is no need for customers to ask for a new account or to contact their bank or building society. Your Child Benefit payments will continue to be paid as before and you do not need to contact HMRC. However if you experience any problems, in the receipt of your Child Benefit payments, please contact HMRC on 0845 302 1444 between 8am and 8pm on any day of the week (closed Christmas Day, Boxing Day and new Years Day.

I would like to offer my personal apologies for any worry or concern this data loss may cause you. And I can assure you that all efforts are being made to ensure that such a loss can never happen again.

Dave Hartnett


Paul Gray’s resignation letter to HMRC staff

I am announcing today that I will be standing down as HMRC Chairman as a result of a substantial operational failure in the Department. The Chancellor will be making a statement to Parliament later today.

This is not the way I would have planned to organise my departure from HMRC. I had hoped to be around for a while longer, and to have had the continuing privilege of leading HMRC towards the vision we have been developing. But I am extremely proud of what all of you in the organisation have achieved during my time as Deputy Chairman and Chairman.

Our record – for example in achieving sustained increases in tax receipts, in steadily improving the operations of the tax credit system, and in playing our full part in protecting the border – is a good one. At the same time we have made important steps in restructuring the Department to face our future challenges, delivering more with reduced resources. I know we still face some major issues where we need to do better. But I am confident the forthcoming Capability Review report will highlight some major strengths in HMRC, while giving us helpful steers on how we can improve further.

I am extremely sorry that you may have learned about this first from the media. I will provide further details after the Parliamentary statement.



UK government loses data on 25 million citizens

UK families put on fraud alert

Millions of child benefit records lost

Missing data on 25 million people