ITPRO

Printed from www.itpro.co.uk


    HMRC data breach affects 25 million

Two disks lost in internal post system contained personal and banking information for millions of people who have received child benefits.

By Nicole Kobie, 20 Nov 2007 at 17:15

Two disks lost by HM Revenue and Customs (HMRC) three weeks ago contained the personal and banking information of 25 million people, the chancellor told parliament today.

The lost disks led to the resignation of Paul Gray, the head of the HMRC, earlier today.

This isn't the first breach suffered by the HMRC. In the past two months, a laptop containing data was stolen from a car, while disks containing 15,000 pensioners' details went missing.

Speaking over jeers from the opposition, Alistair Darling told the House of Commons that there was no evidence that the data had fallen into the "wrong hands."

In March, the National Audit Office (NAO) requested the full data sets of child benefits recipients, which were sent to them on disk via internal post by a junior member of staff, against HMRC guidelines.

The disks held information on 25 million individuals and 7.25 million families, including names, addresses, dates of birth, National Insurance Numbers and bank or building society account numbers.

Darling said: "It now appears that following a further request from the NAO in October for information from the Child Benefit Database, and again at a junior level and again contrary to all HMRC standing procedures, two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's internal post system operated by the courier TNT. The package was not recorded or registered."

Darling continued: "It appears the data has failed to reach the addressee in the NAO."

The disks were originally sent on 18 October. Instead of reporting the missing disks, a new set was simply resent. The breach was not reported until 8 November, and Darling was notified on 10 November. So far, the disks have not been found, and an investigation by the Metropolitan police is underway.

PricewaterhouseCoopers will complete an internal report, due in the spring, with an interim edition expected next month. Darling also expects an inquiry by the Internal Police Complaints Commission, who oversee the HMRC, as well as the Information Commissioner's Office (ICO): "It's highly likely there's a breach of the data protection act, something he will investigate."

Darling defended the government's decision not to make the breach public immediately. "The banks were adamant they wanted as much time as possible to prepare," he said, adding that the ICO agreed with that plan.

Darling said banking institutions have flagged affected accounts to monitor from 18 October. "So far, there is no evidence of unusual activity," Darling said.

Darling stressed that should the data fall into criminal hands and lead to fraud, any victims would be protected under the banking code. He added that the missing data is not enough in itself to access accounts as it doesn't include passwords, but that - as always - people should ensure they do not give out their passwords and should keep an eye on their statements for anything amiss.

In addition, from now on, the NAO and others looking for large sets of private data must work from HMRC offices in order to reduce the risk of a breach.

Greg Day, a security analyst at McAfee, said that any organisation should have technology in place which wouldn't allow such private data to be moved to insecure storage. He also questioned whether the disks were encrypted, as most users create easily-cracked passwords.

Day said Darling's speech focused more on bank security than that of individuals, and that the information lost would be enough for someone to create a new account. He warned people to keep a close watch on their own accounts and to be wary of new account notices.

Indeed, he said many people may feel safer simply closing their accounts. "A certain percentage of the public will feel that way," Day said. "How long will they need to monitor for?"

"The public has the right to confidence in how their data is stored and being used... this doesn't instil confidence," Day said.

During the parliamentary session, members of the house called for Darling to follow Gray's lead and resign, while others said this showed the government was incapable of being trusted to securely run the identity cards scheme.
