UK Taxman Loses 25 Million Citizen Records
Britain's Revenue and Customs department is scrambling to find two discs that contained data on 25 million people. The lost data, stored on two password-protected but unencrypted CDs, was sent through an internal government post system; however, it was never received by the National Audit Office. So far, there is no evidence that the data are being used for any criminal activity, the government stressed.
11/21/07 12:05 PM PT
Personal data on roughly 25 million individuals and 7.25 million families in the United Kingdom have been lost, Chancellor Alistair Darling of Her Majesty's Revenue and Customs (HMRC) office announced Tuesday.
The lost data includes the names, addresses, dates of birth, national insurance numbers and bank account details of all people who receive a government child benefit. It was stored on two password-protected but unencrypted CDs and sent through an internal government post system to the National Audit Office (NAO). The package was neither recorded nor registered, and it was never received by the NAO, Darling said.
As a result of the loss, HMRC Chairman Paul Gray has resigned, Darling said.
"This is an extremely serious matter," Darling said. "HMRC has a responsibility towards the general public, who entrust it with highly sensitive personal information. It has failed to meet the high standards that should be expected of it. I recognize that millions of people across the country will be very concerned about what has happened. I deeply regret that and apologize for the anxiety that will undoubtedly be caused."
The CDs were sent on Oct. 18 by a junior member of the HMRC staff, but it wasn't until Nov. 8 that the loss was reported to the HMRC, Darling explained. A police investigation is under way, and so far, there is no evidence that the data are being used for any criminal activity, he stressed.
Government policies regarding data security, access and transit were clearly not followed in the mailing of the data, Darling noted. Ironically, a similar lapse occurred in March, but that time the data were received by the NAO and successfully returned, he noted.
There were likely also breaches of the UK's Data Protection Act, Darling said.
"HMRC has initiated changes to security processes and procedures, so they will now take place only with written authorization from a senior manager and with appropriate protection for any transfer," Darling said. A review of the government's security policies and procedures is also under way, he added.
String of Losses
In September the HMRC lost the records of about 15,000 people, along with a laptop and other material containing personal details of HMRC customers. As a result, Darling has asked PricewaterhouseCoopers to investigate HMRC's security processes and procedures for data handling, he said.
Vincent Cable, a member of Parliament, charged that the loss stems from the outdated technology in use at the HMRC, as well as cost-cutting efforts being implemented there.
"Can the Chancellor also explain why, in this day and age, information is being transmitted through CDs, rather than electronically?" Cable asked. "Is that not just a reflection on the ancient IT systems employed by HMRC?"
Officials within HMRC have been told to "disregard elementary precautions such as dual running of old and new IT systems" to save money, he added.
Cutting 25,000 jobs at the HMRC, meanwhile, likely also played a role, he said. "Clearly, if officials are being asked to do more and more with fewer staff, mistakes will be made."
Darling, however, underscored the fact that rules were broken. "The key problem here is that HMRC has clear instructions, rules and procedures in relation to requesting, downloading and transmitting information, and that the individuals concerned ignored those instructions," he asserted. "That is the difficulty, and that is what we need to make sure does not happen again."
British financial institutions have been notified, and affected families have been put on alert and told to watch for evidence of fraudulent activity. HMRC also has set up a helpline for those affected.
'The Most Valuable Asset'
"I'm flabbergasted that such important data would be used in such a careless manner," cybersecurity expert and lawyer Parry Aftab told TechNewsWorld.
"People, whether within government or in corporations, need to recognize that data is the most valuable asset we have," Aftab said. "If we don't protect it at the same level as money and other critical assets, we're all lost."
Technological measures can be implemented to provide a safety mechanism that helps ensure rules are followed, Aftab noted.
"We're seeing too much of this kind of thing these days, and when they happen, it's something you can't really fix," she said. "The time to think about data breaches is before they happen, not after."
Indeed, UK officials may stress the fact that there's been no evidence of fraudulent activity so far, but following the massive data breach at AOL last year, that data was quickly shared and dispersed across the Internet, Greg Sterling, founder of Sterling Market Intelligence, told TechNewsWorld.
"With data now so easily transferable, this underscores the need for extra protections," Sterling said. "Data is a precious commodity, and it's easily stolen if not jealously guarded. Unfortunately, these kinds of catastrophic losses have to occur before people take measures to prevent them from happening again."