UK government loses data on 25 million Britons

Personal data on every child in the country and national insurance numbers and bank account details of parents and carers claiming child benefit have gone missing after the government sent two password-protected CDs through the post.

Personal data on every child in the country and national insurance numbers and bank account details of parents and carers claiming child benefit have gone missing after the government sent two password-protected CDs through the post.

The loss, one of the worst incidents of its kind, has sparked the sudden resignation of Paul Grey, the chairman of Her Majesty's Revenue and Customs (HMRC) today.

"HMRC has a responsibility towards the public. It has failed to meet the standards expected of it," Alastair Darling, the chancellor, said in the House of Commons today. "I deeply regret this and apologise for the anxiety that will be caused."

The lost data includes the names, addresses and dates of birth of every child in Britain, as well as financial information on adult claimants. A total of 25 million people are affected - more than two-fifths of the UK's population.

It emerged that HMRC sent the data, on all children, parents and carers claiming the UK's universal child benefit, from its office in Washington in the north-east of England, to the National Audit Office in London, which had requested it for audit purposes.

A junior employee of HMRC sent discs through the UK's standard postal service on 18 October. When the NAO reported the data had not been received, the employee resent the discs, although this time by registered, recorded post. The original discs were reported lost on 8 November, and the chancellor was informed on 10 November.

Darling told the House of Commons that he delayed reporting the loss initially to allow a thorough search to take place by Customs officials, and when this failed to produce results, to involve the police and to allow the UK's banks and building societies to establish checks on every affected account to look for suspicious activity.

"So far, they have found no evidence of such activity," Darling said. Checks have been back-dated to 18 October: "Again, so far, they have found no evidence of unusual activity." He added that the police do not believe the data has fallen into the wrong hands, but conceded that it was "highly probable" that the Data Protection Act had been breached.

Darling announced an enquiry into HMRC's data handling processes, to be carried out by Kieran Poynter, UK chairman of audit firm PricewaterhouseCoopers. He said HMRC has changed its procedures, so that the transmission of such data requires sign-off from a senior manager.

The opposition called for the government to abandon its plans for a national identity register and identity cards as a result of the breach. George Osborne, the shadow chancellor, who called the HMRC's loss a "catastrophic mistake", said it should mark the final blow for the identity card scheme.

He added that the government had compromised the information security of every family in Britain. "They simply cannot be trusted with people's personal information," he said. "Get a grip and deliver a basic level of competence."

Avivah Litan, a senior Gartner analyst, said she could not think of any more serious breach of personal information. Although the US Veterans Administration lost a laptop with a similar number of names, addresses and social security numbers, this did not include bank account details, which is the most highly-prized kind of data for fraudsters.

"Banks will be scrambling to think what to do. They will be looking for signs of fraud, and the first they see, they will shut down accounts," she said.

Litan said that, as the government has said the information is password-protected, "it is obviously not encrypted". She said such data should be encrypted even when within the organisation, and should be sent only through encrypted electronic transfer. She added that although only 1% of data lost on physical media is put to criminal use, the publicity around this case makes fraud more likely. In the worst case, a breach of the data could cost the UK £145m, she said.

In a statement, the information commissioner, Richard Thomas, said, "This is an extremely serious and disturbing security breach. This is not the first time that we have been made aware of breaches at HMRC - we are already investigating two other breaches. Incidents like these illustrate that any system is only as good as its weakest link."

"The alarm bells must now ring in every organisation about the risks of not protecting people's personal information properly. As I highlighted earlier this year, it is imperative that organisations earn public trust and confidence by addressing security and other data protection safeguards with the utmost vigour," he continued, adding that he welcomed the enquiry by Kieran Poynter.

On 14 November, the Information Commissioner's Office told a House of Lords enquiry that the government should introduce criminal penalties including prison sentences for severe breaches of personal data.

This article first appeared on the web-site of Infosecurity magazine,

Read more on IT risk management