Farmers bank account details lost by Rural Payments Agency

Thousands of farmers' bank account details have been lost by the Rural Payments Agency (RPA) after the Government body lost two back-up tapes of confidential data belonging to all English farmers.

Thousands of farmers' bank account details have been lost by the Rural Payments Agency (RPA) after the Government body lost two back-up tapes of confidential data belonging to all English farmers.

The RPA, which administers the single payment system of EU subsidy to English farmers, for the Department of Environment Food and Rural Affairs (DEFRA), was heavily criticesed last week by the National Audit Office for its handling of the scheme.

Now Farmers Weekly has learnt that the RPA has lost confidential data belonging to any farmer who has ever claimed a single farm payment. Computer tapes containing the bank details, addresses, passwords and security questions of more than 100,000 farmers were discovered missing in May, at which point DEFRA was alerted.

The RPA, which is blaming the loss on its contractor IBM, discovered the problem in September, but at no time has the agency or DEFRA attempted to inform farmers about the breach. Leaked information was given to Farmers Weekly this week by frustrated civil servants working on the single payments system within the RPA and an external consultant who has been advising the agency.

These whistle-blowers were concerned that the RPA and DEFRA would remain tight-lipped over the incident and about the risks the breach posed to farmers. They claimed that 39 back-up tapes containing confidential details went missing after they were transferred from RPA offices in Reading to Newcastle. Thirty-seven of the tapes have since been recovered, but two remain unaccounted for.

DEFRA has admitted that tapes went missing, but told Farmers Weekly that the data was not lost in transit and was instead misplaced within the data centre.

A DEFRA spokeswoman said a thorough search was conducted to find the missing material and concluded that some tapes were misfiled and placed "on the wrong shelf". She described this as "bad book-keeping" by RPA-contracted IT consultants IBM, who run the data centre.

DEFRA said it assumed that the two tapes that were never found must have been destroyed. The breach of security is the latest disaster for the agency, which has faced a catalogue of errors since the single payment scheme was launched in 2005.

According to the whistleblowers, the error occurred after back-up tapes containing confidential details were sent between IBM and another IT consultant, Accenture. The tapes were last accounted for in June 2008, but it was not until May this year that IBM realised the data was missing and informed DEFRA.

The sources claim DEFRA tried to cover the error and it was only realised by the RPA in September when annual data checks were carried out. One source said the tapes had not been encrypted as they should have been.

"DEFRA knew about this and did nothing," the source said. "People should be made aware that their details have gone missing. "I know people at the middle management level tried to advise senior civil servants to do the right thing and tell farmers, but they're not listening."

In further security breaches, the sources claim members of the senior RPA management team have failed to report the loss of memory sticks and laptops which could contain farmers' information.

"It's symptomatic of the senior managers. There are a lot of good people working in the lower levels of the organisation, but we think the top-level board is rotten to the core."

DEFRA admitted its data was not encrypted, but insisted information could not be accessed without specialised technical equipment and knowledge.

DEFRA and the RPA issued the following statement to farmers Weekly: "Since these incidents, procedures have been further tightened to prevent a recurrance. IBM have instigated a thorough review of their procedures to manage removable storage media, such as these tapes, as well as tightening access control requirements.

"The tapes are held in a secure IBM data centre and only IBM and Accenture technicians have access to them. Both IBM and Accenture were asked to review their security arrangements as a result of this incident." DEFRA said the risk posed to farmers was very low.

National Audit Office calls for DEFRA to replace £350m IT system

Rural Payment Agency £350 million IT system: pouring money into the digital landfill


Read more on IT risk management