Security firms condemn HMRC for breach
By Nicole Kobie,
Security experts from around the UK have come out in full force to criticise the massive data breach at HM Revenue and Customs - and to offer advice on how other organisations can avoid a similar fate.
Chancellor Alistair Darling admitted the breach yesterday afternoon, telling parliament that records of 25 million child benefit recipients were lost after they were put on two password-protected discs and sent through an internal mail system - contrary to HMRC's own procedures.
Prime Minister Gordon Brown said today that all government agencies will undergo a data security check. The HMRC is set to be investigated by the Information Commissioner's Office, PricewaterhouseCoopers, and the Independent Police Complaints Commission, alongside the Metropolitan Police's search for the missing discs.
Security analysts criticised the HMRC's data notification policy, and said the lack of encryption, use of discs as opposed to electronic transfer, and poor information management contributed to the fiasco.
Symantec's director of technical services Richard Archdeacon said the data breach would lead to a change in how consumers view data security. "It's a tipping point of data leakage... it's the accidental loss as opposed to an external hacker," said Archdeacon. "It's so large an event that we'll see a change amongst consumers."
Archdeacon said organisations will need to be more transparent about their data policies. "This is the big one, which will change consumers' levels of trust," he said.
Companies should also be prepared to notify customers in the event of a breach, as it's likely legislation will eventually force that, said Archdeacon.
Data can be protected even if discs are lost, said some industry leaders, who expressed dismay that the discs were so poorly secured, with just a password.
Joseph Hoban, vice president at GuardianEdge, said: "Securing two disks with only a password is not sufficient... To put an end to this catalogue of errors, the government needs to encrypt any removable devices like USBs or CDs that are to be transported - otherwise people should go to that data not the other way around. This way, if a removable device falls into the wrong hands - which it well might - it cannot be accessed and compromised."
"The cost of data breaches can run into millions, but the cost of encryption is relatively low," he added.
But it's possible to avoid the pain of lost discs and laptops by sending data over networks, said others.
Gayna Hart, managing director of Quicksilva, said that the data should have been sent electronically - in the way the NHS is planning. "In the 21st century to be sending confidential information through the post is inexcusable and completely unnecessary given the technology available," she said, adding that electronic records systems are working well for Connecting for Health's (CfH) Spine database, which allows patient records to be transmitted to medical organisations.
"This delivers role-based security, audit trails and a straightforward way of enforcing information governance standards rather than relying on the vagaries of the internal post. I know there is a trend toward CfH-bashing but there are valuable lessons to be learned from the NHS which can be applied across the whole of government IT," Hart said.
Other industry leaders suggested the key to securing data sets is managing access.
Gerald Sommariva, data storage specialist and managing director of ONStor UK, said: "By centralising data storage you must look more closely at your security policies. If permission settings are set up correctly, then access can be restricted to key personnel."
That sentiment was shared by Paul Davie, founder of data security firm Secerno. "You look at the way people are accessing that database... and be able to tell the difference between someone downloading for proper purposes or hacking," said Davie, adding that at $20 (£10) a record, there's a big incentive for authorised users to steal thousands of records.
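Davie's point is that the signal is in how a database is used, not just who is allowed to use it: an authorised user pulling thousands of records in a day looks nothing like that user's routine work. The following is an added example, not code from the article or from any firm quoted in it; it runs a simple per-user baseline check over constructed audit lines (the log format, user names, dates and thresholds are all assumptions).

```python
"""Flag unusually large record pulls from a database access audit log.

Added example; the log format, user names, dates and thresholds are
constructed assumptions, not taken from HMRC or any vendor quoted above.
"""
from collections import defaultdict
from statistics import median

# Constructed audit lines: date, user, number of rows the query returned.
SAMPLE_LOG = """\
2007-10-15 clerk_a 40
2007-10-16 clerk_a 55
2007-10-17 clerk_a 38
2007-10-18 clerk_a 25000
2007-10-15 clerk_b 60
2007-10-16 clerk_b 70
2007-10-17 clerk_b 65
2007-10-18 clerk_b 72
"""


def parse_log(text):
    """Return a list of (date, user, rows) tuples with rows as an int."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, rows = line.split()
        entries.append((date, user, int(rows)))
    return entries


def flag_bulk_access(entries, factor=10, hard_cap=10000):
    """Return {(user, date): rows} for days that look like bulk extraction.

    A day is flagged when its row count exceeds `factor` times the user's
    median daily count on their other days, or exceeds `hard_cap` outright.
    The per-user baseline is what separates an odd pull from routine work.
    """
    per_user = defaultdict(dict)
    for date, user, rows in entries:
        per_user[user][date] = per_user[user].get(date, 0) + rows
    flagged = {}
    for user, days in per_user.items():
        for date, rows in days.items():
            others = [r for d, r in days.items() if d != date]
            baseline = median(others) if others else 0
            if rows > hard_cap or (baseline and rows > factor * baseline):
                flagged[(user, date)] = rows
    return flagged


if __name__ == "__main__":
    for (user, date), rows in flag_bulk_access(parse_log(SAMPLE_LOG)).items():
        print(f"{date} {user}: {rows} rows, review this access")
```

In a real deployment the baseline would come from a longer history and the hard cap from the largest legitimate job, so that a one-off export by the payroll run is not mistaken for theft.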
In the end, all these elements and more are essential to keeping people's data private, Symantec's Archdeacon said. "There's no silver bullet," said Archdeacon. "All organisations need to look at this from a risk-based point of view... it's an issue IT managers should be looking at now."