British government in data loss fiasco

Anyone who doesn't follow the British media may have missed the government's most recent failure to protect its citizens' personal data. On Tuesday Alistair Darling, Chancellor of the Exchequer, announced to the House of Commons that a police investigation had been launched after Her Majesty's Revenue and Customs (HMRC) admitted to losing the personal data of twenty-five million British citizens. The data was being transported, unencrypted, on two compact discs to the National Audit Office via HMRC's internal mailing system.

The discs disappeared on the 18th of October and Darling is said to have called for an immediate search once he became aware of the loss. Once it became clear that HMRC could not find the missing data, he called in the police to investigate.

What was on these discs? Records for twenty-five million people relating to child benefits payments for more than seven million families. That's pretty much the personal data of all children under 18 and their parents or guardians. The details lost included name, address, national insurance number and relevant bank accounts.

This catastrophic failure to protect people's personal information has shaken people's confidence in the government's ability to successfully run data-focused projects like the planned roll-out of a national identity database. The loss was initially blamed on a junior clerk (sound familiar?) although more probing questions from opposition parties are putting HMRC's security policies under heavy scrutiny. Why would a junior clerk have access to so much sensitive information? Why is data being moved around unencrypted and in such a vulnerable form?

Banks and security experts have been quick to point out the potential implications of this data falling into the wrong hands. Credit reference agency Experian points out that potential fraudsters could sit on the data for years, waiting until children turn 18 before using the information to apply for loans and credit cards. Banks have been put on alert and those affected by the leak have been advised to monitor their accounts for unauthorised activity.

Former Scotland Yard fraud officer Tom Craig told Sky News that the black market rate for individual identities is around £2.50 per head. That rate would put a value of over £62 million ($128 million) on the missing discs! With the average victim of fraud losing £15,000, there are potentially hundreds of billions of pounds at stake.

Whether the discs were lost or stolen will probably never be known. Even if the discs are found, there is the potential for someone to have copied the data before allowing the discs to be reclaimed (to reduce media attention and put minds at rest).

This story goes to show just how inept the government and its agencies are when it comes to securing sensitive data held on its citizens. I don't think there's any need for information like this to be physically transported; it could have been securely transferred using encrypted networks or even remotely accessed using an encrypted database session. I can't imagine why anybody would feel the need to copy the data to CD and throw it in the post!