HMRC data breach affects 25 million

Two disks lost by HM Revenue and Customs (HMRC) three weeks ago contained personal and banking of 25 million people, the chancellor told parliament today.

The lost disks led to the resignation of Paul Gray, the head of the HMRC, earlier today.

This isn't the first breach suffered by the HMRC. In the past two months, a laptop containing data was stolen from a car, while disks containing 15,000 pensioners' details went missing.

Speaking over jeers from the opposition, Alistair Darling told the House of Commons that there was no evidence that the data had fallen into the "wrong hands."

In March, the National Audit Office (NAO) requested the full data sets of child benefits recipients, which was sent to them via internal post on disk by a junior member of staff, against HMRC guidelines.

The disks held information on 25 individuals and 7.25 million families, including names, addresses, dates of birth, National Insurance Numbers and bank or building society account numbers.

Darling said: "It now appears that following a further request from the NAO in October for information from the Child Benefit Database, and again at a junior level and again contrary to all HMRC standing procedures, two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's internal post system operated by the courier TNT. The package was not recorded or registered."

Darling continued: "It appears the data has failed to reach the addressee in the NAO."

The disks were originally sent on 18 October. Instead of reporting the missing disks, a new set was simply resent. The breach was not reported until 8 November, and Darling was notified on 10 November. So far, the disks have not been found, and an investigation by the Metropolitan police is underway.

PricewaterhouseCoopers will complete an internal report, due in the spring, with an interim edition expected next month. Darling also expects an inquiry by the Internal Police Complaints Commission, who oversee the HMRC, as well as the Information Commissioner's Office (ICO): "It's highly likely there's a breach of the data protection act, something he will investigate."

Darling defended the government's decision not to make the breach public immediately. "The banks were adamant they wanted as much time as possible to prepare," he said, adding that the ICO agreed with that plan.

Darling said banking institutions have flagged affected accounts to monitor from 18 October. "So far, there is no evidence of unusual activity," Darling said.

Darling stressed that should the data fall into criminal hands and lead to fraud, any victims would be protected under the banking code. He added that the missing data is not enough in itself to access accounts as it doesn't include passwords, but that - as always - people should ensure they do not give out their passwords and should keep an eye on their statements for anything amiss.

Email to a friend

Print this page