Security experts from around the UK have come out in full force to criticise the massive data breach at HM Revenue and Customs - and to offer advice on how other organisations can avoid a similar fate.
Chancellor Alistair Darling admitted the breach yesterday afternoon, telling parliament that records of 25 million child benefit recipients were lost after they were put on two password-protected discs and sent through an internal mail system - contrary to HMRC's own procedures.
Prime Minister Gordon Brown said today that all government agencies will undergo a data security check. The HMRC is set to be investigated by the Information Commissioner's Office, PricewaterhouseCoopers, and the Independent Police Complaints Commission, alongside the Metropolitan Police's search for the missing discs.
Security analysts criticised the HMRC's data notification policy, and said the lack of encryption, use of discs as opposed to electronic transfer, and poor information management contributed to the fiasco.
Symantec's director of technical services Richard Archdeacon said the data breach would lead to a change in how consumers view data security. "It's a tipping point of data leakage... it's the accidental loss as opposed to an external hacker," said Archdeacon. "It's so large an event that we'll see a change amongst consumers."
Archdeacon said organisations will need to be more transparent about their data policies. "This is the big one, which will change consumers' levels of trust," he said.
Companies should also be prepared to notify customers in the event of a breach, as it's likely legislation will eventually force that, said Archdeacon.
Data can be protected even if discs are lost, said some industry leaders, who expressed dismay that the discs were so poorly secured, with just a password.
Joseph Hoban, vice president at GuardianEdge, said: "Securing two disks with only a password is not sufficient... To put an end to this catalogue of errors, the government needs to encrypt any removable devices like USBs or CDs that are to be transported - otherwise people should go to that data not the other way around. This way, if a removable device falls into the wrong hands - which it well might - it cannot be accessed and compromised."
"The cost of data breaches can run into millions, but the cost of encryption is relatively low," he added.
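What "encrypt any removable device" amounts to in practice is shown below as an added example; it is not code from the article or from any vendor quoted in it. The program derives an AES-256 key from a passphrase with PBKDF2-HMAC-SHA256 (written out inline because Go's standard library has no PBKDF2 and the example avoids x/crypto), then seals the export with AES-GCM so that both a wrong passphrase and any altered byte are detected. The record lines, the passphrase and the file layout (salt, nonce, ciphertext and tag) are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// sampleRecords is constructed for this example: a few invented rows of the
// kind a benefits export might contain. No real identifiers are used.
const sampleRecords = "NINO,NAME,DOB,BANK\n" +
	"QQ123456A,A. Smith,1975-03-02,12-34-56 00012345\n" +
	"QQ654321B,B. Jones,1981-11-17,65-43-21 00098765\n"

const (
	saltLen  = 16     // random per file: equal passphrases give unrelated keys
	nonceLen = 12     // standard AES-GCM nonce size
	kdfIter  = 100000 // PBKDF2 iterations; raise as hardware allows
	keyLen   = 32     // AES-256
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018, section 5.2).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	var out []byte
	idx := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U_2 .. U_c, XORed into T
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
		_ = hLen
	}
	return out[:keyLen]
}

func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIter, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces salt || nonce || AES-GCM(plaintext) || tag. The header is
// bound as associated data, so swapping it for another file's header fails too.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 0, saltLen+nonceLen+len(plaintext)+aead.Overhead())
	hdr = append(append(hdr, salt...), nonce...)
	aad := append([]byte(nil), hdr...)
	return aead.Seal(hdr, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong passphrase or a modified byte anywhere in the
// blob fails the GCM tag check and returns an error, never garbage plaintext.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short to hold salt and nonce")
	}
	hdr := blob[:saltLen+nonceLen]
	aead, err := newAEAD(passphrase, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, hdr[saltLen:], blob[saltLen+nonceLen:], hdr)
}

func main() {
	blob, err := Seal("a long passphrase chosen for this demo", []byte(sampleRecords))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d record bytes into a %d-byte blob\n", len(sampleRecords), len(blob))
	if _, err := Open("wrong passphrase", blob); err != nil {
		fmt.Println("wrong passphrase rejected:", err)
	}
}
```

The caveat a practitioner would add: because whoever finds the disc holds the ciphertext, a short or guessable passphrase can still be attacked offline at leisure, and the KDF iteration count only slows that down. Sending a random key to the recipient by a separate channel, or keeping it in hardware, removes the passphrase from the attacker's reach entirely.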
But it's possible to avoid the pain of lost discs and laptops by sending data over networks, said others.
Gayna Hart, managing director of Quicksilva, said that the data should have been sent electronically - in the way the NHS is planning. "In the 21st century to be sending confidential information through the post is inexcusable and completely unnecessary given the technology available," she said, adding that electronic records systems are working well for Connecting for Health's (CfH) Spine database, which allows patient records to be transmitted to medical organisations.
"This delivers role-based security, audit trails and a straightforward way of enforcing information governance standards rather than relying on the vagaries of the internal post. I know there is a trend toward CfH-bashing but there are valuable lessons to be learned from the NHS which can be applied across the whole of government IT," Hart said.
Other industry leaders suggested the key to securing data sets is managing access.
Gerald Sommariva, data storage specialist and managing director of ONStor UK, said: "By centralising data storage you must look more closely at your security policies. If permission settings are set up correctly, then access can be restricted to key personnel."
That sentiment was shared by Paul Davie, founder of data security firm Secerno. "You look at the way people are accessing that database... and be able to tell the difference between someone downloading for proper purposes or hacking," said Davie, adding that at $20 (£10) a record, there's a big incentive for authorised users to steal thousands of records.
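One concrete form of the access-pattern check Davie describes, telling a caseworker's one-off lookups apart from an authorised user pulling records in bulk, is shown below as an added example; it is not code from Secerno or from the article. It assumes an application-level audit log with one constructed key=value line per query, and applies a per-user sliding window over the number of records returned. The two accounts, the timings and the 200-records-per-10-minutes threshold are all invented for the example; a real deployment would derive the threshold from each role's observed baseline.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

type event struct {
	at   time.Time
	user string
	n    int // records returned by this query
}

// parseLine reads one constructed audit line of the form
// "<RFC3339 time> user=<name> action=<verb> records=<count>".
func parseLine(line string) (event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return event{}, err
	}
	e := event{at: at}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return event{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch parts[0] {
		case "user":
			e.user = parts[1]
		case "records":
			if e.n, err = strconv.Atoi(parts[1]); err != nil {
				return event{}, err
			}
		}
	}
	if e.user == "" {
		return event{}, fmt.Errorf("no user in %q", line)
	}
	return e, nil
}

// FlagBulkReaders returns, for every user whose records-returned total inside
// any window of the given length exceeds limit, the largest such total.
// Normal lookups stay far below the limit; an export stands out however it is
// chunked, because the window sums the chunks.
func FlagBulkReaders(lines []string, window time.Duration, limit int) (map[string]int, error) {
	var evs []event
	for _, l := range lines {
		e, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		evs = append(evs, e)
	}
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })

	type win struct {
		q   []event // events still inside the window, oldest first
		sum int
	}
	state := map[string]*win{}
	flagged := map[string]int{}
	for _, e := range evs {
		w := state[e.user]
		if w == nil {
			w = &win{}
			state[e.user] = w
		}
		w.q = append(w.q, e)
		w.sum += e.n
		for len(w.q) > 0 && e.at.Sub(w.q[0].at) > window { // evict expired events
			w.sum -= w.q[0].n
			w.q = w.q[1:]
		}
		if w.sum > limit && w.sum > flagged[e.user] {
			flagged[e.user] = w.sum
		}
	}
	return flagged, nil
}

// sampleLog is constructed for this example: one caseworker doing single-record
// lookups a few minutes apart, and one account pulling 50 records every 10 seconds.
func sampleLog() []string {
	base := time.Date(2007, 11, 20, 9, 0, 0, 0, time.UTC)
	var lines []string
	for i := 0; i < 12; i++ {
		t := base.Add(time.Duration(i*5) * time.Minute).Format(time.RFC3339)
		lines = append(lines, t+" user=asmith action=select records=1")
	}
	for i := 0; i < 30; i++ {
		t := base.Add(time.Duration(i*10) * time.Second).Format(time.RFC3339)
		lines = append(lines, t+" user=bjones action=select records=50")
	}
	return lines
}

func main() {
	flagged, err := FlagBulkReaders(sampleLog(), 10*time.Minute, 200)
	if err != nil {
		panic(err)
	}
	for user, n := range flagged {
		fmt.Printf("ALERT: %s returned %d records within a 10-minute window\n", user, n)
	}
}
```

Volume is only one signal; the same window can be keyed on rows touched per role, on queries issued outside working hours, or on a user reading records unrelated to the cases assigned to them. The point of the check is that it runs against the database access path itself, so an authorised account that turns into an exfiltration channel is still seen.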
In the end, all these elements and more are essential to keeping people's data private, Symantec's Archdeacon said. "There's no silver bullet," said Archdeacon. "All organisations need to look at this from a risk-based point of view... it's an issue IT managers should be looking at now."