Poynter report uncovers culture of insecurity at HMRC

The data breach involving the loss of 25 million personal records by HM Revenue & Customs (HMRC) last October, which prompted a national security audit, was the result of poorly implemented security policies according to the Poynter report.

The loss of 25 million personal records by HM Revenue & Customs (HMRC) last October was the result of "major institutional deficiencies," says a formal inquiry on the events, published today.

The Poynter Review takes 103 pages to describe in detail how the HMRC operated before the data breach, and how the loss of two CDs holding personal and financial information about recipients of Child Benefit happened.

The inquiry, led by Kieran Poynter of management consultants PricewaterhouseCoopers (PwC), concluded that "information security simply wasn't a management priority as it should have been, and HMRC had an organisational design which was unnecessarily complex and crucially, did not clearly focus on management accountability."

Poynter's team found that although HMRC had plenty of policies governing security, they were poorly implemented. "If these policies had been adhered to, it is likely that the data loss could have been prevented," he said. "In the event, very few of the HMRC staff involved in this case were actually aware of the existence of such policies and guidance. Clearly, therefore, they were not adequately communicated across the organisation. Furthermore, staff found the policy difficult to access via HMRC's intranet."

The report of the investigation provides a detailed blow-by-blow account of the events leading up to the data loss, with extracts of emails showing who said what to whom. However, since the blame for the breach is attributed to cultural and organisational weaknesses, the staff members involved are given anonymity and referred to only as employee A, B, C and so on.

The emails show that the UK National Audit Office (NAO) wanted sample data for auditing purposes, and requested that the financial data be stripped out (mainly to cut down the size of the file). But some HMRC staff thought the cost of extracting the records could have been as much as £15,000 using EDS, and that it was therefore not worth doing. Poynter queries that figure, and suggests there was in-house expertise capable of doing the file conversion.

He notes that a bad precedent had been set in March, when files had been sent by HMRC to the NAO in the same way, although on that occasion they arrived safely.

In October, however, although HMRC had a contract with its courier company TNT for a secure transfer of packages, the CDs were sent using TNT's untraceable Tax Post system. When the disks failed to arrive after a few days, an angry phone call from the NAO forced officials to create a second set of CDs, which arrived safely.

It was only two weeks later that the alarm was raised when the first set of CDs could not be found.

Poynter thinks the incident was symptomatic of wider problems. He says security was not a management priority. "Even had it been a priority, HMRC's organisational design and the governance and accountabilities underpinning it would have made it extremely difficult for it to be felt as such," he said.

Poynter points out that the 2005 merger of Inland Revenue and Customs & Excise put HMRC staff under strain and created a demoralised workforce. "HMRC's information security policies were inadequate, and those that they had were unduly complex and not adequately translated into guidance or training for the junior officials who needed them," he concludes.

The report says that 13 of its 45 recommendations have already been implemented at HMRC, and a further 26 have started to be implemented. For instance, HMRC has issued a simple guide to security which gives examples of what information can be sent, by what mechanism it should be sent, and in what circumstances. It has already distributed 111,000 copies to staff.

HMRC also developed and piloted a half-day mandatory information security workshop, which everyone from the chairman down must attend by the end of July. It is also redesigning and re-launching its induction training to include mandatory data security elements, and developing mandatory online information security refresher tests for all staff. Once rolled out, these tests will need to be completed annually.

Poynter says the changes could represent "a great opportunity. Modernising work practices and the systems which support them should lead to significant efficiency gains as well as the restoration of the reputation of HMRC." But he also warns that the behaviour uncovered in this incident is not confined just to the HMRC.
