Up to 25 million UK citizens are at risk of becoming identity fraud victims after HM Revenue and Customs lost two discs containing personal details of families with a child under 16. While the UK chancellor said that the data in itself was not enough for miscreants to access bank accounts, he has conveniently chosen to overlook the fact that data theft has been committed using far fewer details.
The data included names, addresses, and dates of birth, alongside National Insurance (NI) numbers and personal bank details. The loss of the discs means that up to 25 million people are now potential future identity fraud victims. However, according to the UK’s chancellor, Alistair Darling, we should not get too concerned, as there is no evidence that the data has gone to criminals.
Mr Darling went on to state that the missing data in itself was not enough for miscreants to access other people’s bank accounts as passwords and other information would be needed, but admitted that there was an increased risk and said that people should keep an eye on their accounts and not give out personal details requested unexpectedly by phone. Indirectly, all that Mr Darling says may be true, but what he has conveniently chosen to overlook is the fact that data theft has already been successfully committed from other organizations using far fewer details than were potentially being exposed by HM Revenue and Customs (HMRC).
The need to address data loss was already a high-profile issue prior to the announcement from the government that the child benefit agency records had been lost on their way between HMRC offices and the National Audit Office (NAO). To have your systems breached by hacker attacks or information stolen as a result of other malicious activity is one thing, but to put yourself in the position where you simply give away sensitive data is scandalous. The head of HMRC services has fallen on his sword and resigned, Mr Darling is under pressure as the minister responsible, and the prime minister, Gordon Brown, who until a few months ago was himself the chancellor, has looked very uncomfortable indeed in news broadcasts.
Nevertheless, this should not be about individual personalities, although opposition politicians will inevitably take the opportunity to make this situation very personal, especially when you consider that most of the rules and regulations that HMRC is currently operating under were put in place by the prime minister in his former role. It is really about the competence of government technology, its supporting systems, and the procedures that are put in place to ensure that individual employees know what they should and should not do with sensitive information.
Mr Darling should not for one second believe that he or his government colleagues can get away with blaming junior members of the revenue services for a breach of procedures when the fundamental controls for dealing with sensitive information appear not to have been in place. The chancellor is reported to have said that the lost discs were password protected – but this is not anywhere near good enough protection for highly sensitive personal information. The data does not appear to have been encrypted, which it clearly should have been, and the package itself was not recorded, so there is not even a basic audit trail. Then, having accepted that the original set of data had been lost due to the wholly unacceptable methods used, a further package was sent out, this time by recorded post. To make matters worse, this was data that was requested by the NAO – a body that itself bears some responsibility for security matters.
Everyone who is serious about information security knows that sensitive personal and financial data must be handled correctly. If it is being moved between different sites, it must be delivered using secure channels. Even at a basic level, password protection on its own is not considered secure, and finally, all sensitive and financial data should be held in an encrypted form. HMRC, and the UK government as its master, scores zero out of three on this specific incident and, given its recent wholesale rejection of House of Lords proposals on IT security, it does not appear to have anything sensible to say on information security matters.
Source: OpinionWire by Butler Group (www.butlergroup.com)