The Department for Work and Pensions (DWP) has admitted that it does not keep a running total of security breaches committed on its sensitive Customer Information System (CIS) database, prompting accusations that it is not taking adequate steps to protect personal data from intruders.
Nine council workers have already been sacked for snooping on the CIS, which contains the personal records of 62 million people, including 12 million children. The DWP had allowed councils to use the CIS to process benefits claims. But abuses by council workers may be the tip of the iceberg. The DWP also allows other government departments, including HMRC and the Courts Service, and the private sector to access the CIS.
The DWP said it did not know how many security breaches had been committed by the 200,000 staff across all the organisations who routinely use the CIS.
"Central records are not maintained of this information and thus it is not possible to answer your request without collecting this information," the DWP told Computer Weekly in answer to a Freedom of Information request. It said collecting the information would be too costly.
Security experts said the DWP could not protect personal data on the CIS unless it tracked how often it was abused.
Professor Peter Sommer, a visiting professor of information systems at the London School of Economics, said, "If DWP is not putting reasonable effort into recording its own security breaches it cannot possibly know what remedies should be put in place or how much to spend on them - that is fundamental."
Professor Jon Walker, a government security consultant, said the DWP's admission of ignorance demonstrated a "scandalous" neglect of process that could put it in breach of the Data Protection Act and ISO security standards mandated in the HMG Security Framework in May.
Even if the DWP did compile a full list of known CIS breaches, it might not encompass all breaches that had occurred. Known breaches are discovered from sample checks and data matching exercises. An estimate of the total CIS breaches could be drawn from this exercise statistically.
CW also asked for this risk assessment, but the DWP refused to give it on the grounds that disclosing how often it estimated CIS security was being breached would help potential intruders.
"Information...concerning breaches of security could facilitate the commission of an offence by rendering the CIS system vulnerable to attack," said the DWP. It said it was in the public interest to conceal the information.
Sommer defended the public interest in knowing how vulnerable personal data was to abuse. "The 'it would be dangerous to tell the public about our weaknesses' mantra has been the excuse of poor-quality security managers down the ages," he said.
CW also asked the DWP to provide details of the security precautions it used to protect the CIS. It refused, claiming the information could be used by potential intruders and that this risk outweighed the public interest in knowing what precautions are taken to protect its personal data.