HMRC Data Incident

An important point has been missed in the news reports regarding the loss of UK child benefit records. That point is that I don’t believe for a minute that this is the first and only time such important data has been treated in this way. If management processes were so poor this time around then it will definitely have happened on previous occasions. It just happens to be that this time the data went missing and this time we’ve found out about it.

We have no option but to consider the data compromised. As such, every individual whose details were on those disks must be notified of the potential consequences and given the tools they need to ensure that their identities are protected are far as possible.

The investigators need to focus on working out when the data was first compromised – how many copies of that database are there sitting on CD-ROMs and other media? Who else has access? What logs are kept showing the occasions the data is copied off to removable media? How frequently are the logs audited? Is usage of the database actively monitored? What happened to the principles of need-to-know in this instance? Where was the encryption? Any of you whose details are likely to be included should be demanding answers to these questions.

Of course, this is all after the event. The horse has bolted. Investigations and fingers of blame can’t undo the incident. The best we can hope for is that it wont happen again. And we should all better understand that poor practices and inadequate controls will most likely eventually catch-up with us. Anyone who says to me “we haven’t been hacked before” as an excuse for not putting in place the right controls gets the sharp end of my tongue.

So, if you happen to find an envelope with a couple of CDs in it, please don’t return to sender. They clearly shouldn’t be entrusted with the responsibility. My suggestion is to cover them in a clear plastic and use them as decorative coasters.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

"It's like toothpaste.... Once you squeeze it out of the tube you can't get it back in". Or in this particular case a mountain of toothpaste has left the tube. However we want to look at this, this is a catastrophe. The underlying management system has systemically failed and behemoth risks ignored or not acted upon. It will be interesting to see if there is a backlash against the risk based approach to information security, in favour of more prescriptive rule based approach. Whatever now happens maybe more stringent breach disclosure and penalty legislation will come about. A very 'Black Wednesday' for some.
The more I think about this, the more I think that we need to use Capability Maturity Modelling (CMM) in order to measure the maturity of our business processes and help us to understand how well embedded these processes are within our organisations. Might also make a useful security metric too!
Government departments are supposed to follow the processes outlined in BS7799. If they had been then section 10.7 (Media Handling) should have been revised. "Objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities. Media should be controlled and physically protected."
Stuart, Of course you're spot on with your comments re Media Handling. What would be much more interesting is to go and do an audit on HMRC's Information Security Management System (ISMS). If anything this incident reinforces the need to use tried and trusted standards. "Do not rely on a slice of luck to protect your IS or hook into bad procedures. Use best practice standards for an assured result."