HMRC Data Incident

An important point has been missed in the news reports regarding the loss of UK child benefit records. That point is that I don’t believe for a minute that this is the first and only time such important data has been treated in this way. If management processes were so poor this time around then it will definitely have happened on previous occasions. It just happens to be that this time the data went missing and this time we’ve found out about it.

We have no option but to consider the data compromised. As such, every individual whose details were on those disks must be notified of the potential consequences and given the tools they need to ensure that their identities are protected are far as possible.

The investigators need to focus on working out when the data was first compromised – how many copies of that database are there sitting on CD-ROMs and other media? Who else has access? What logs are kept showing the occasions the data is copied off to removable media? How frequently are the logs audited? Is usage of the database actively monitored? What happened to the principles of need-to-know in this instance? Where was the encryption? Any of you whose details are likely to be included should be demanding answers to these questions.

Of course, this is all after the event. The horse has bolted. Investigations and fingers of blame can’t undo the incident. The best we can hope for is that it wont happen again. And we should all better understand that poor practices and inadequate controls will most likely eventually catch-up with us. Anyone who says to me “we haven’t been hacked before” as an excuse for not putting in place the right controls gets the sharp end of my tongue.

So, if you happen to find an envelope with a couple of CDs in it, please don’t return to sender. They clearly shouldn’t be entrusted with the responsibility. My suggestion is to cover them in a clear plastic and use them as decorative coasters.