Email trail of missing HMRC discs

The National Audit Office has released a set of emails detailing the circumstances leading to the data loss, including one asking Revenue and Customs to "ensure that the CDs are delivered to NAO as safely as possible due to their content".

The National Audit Office has released the email trail showing how two discs containing records of 25 million child benefit recipients were lost by HM Revenue and Customs.

The collection of emails, letters and other documents - now published on its website - shows that the road to the data breach began in March when the NAO first requested data sets for an audit. It also confirms that cost concerns limited the ability to screen personal details from the data, shows that the discs were password-protected, and suggests that senior managers did indeed have oversight.

In a November letter to the HMRC, Caroline Mawhood, the assistant auditor general, explained that the emails regarding the transfers of data in March and again in October were indeed sent by a junior HMRC manager, but said that the message was copied to the Process Owner for Child Benefit - a senior manager.

In March, two discs containing records were sent via internal post, arriving safely. But heavily-redacted emails, marked confidential, have shown that the junior manager sending the data was reluctant to do so in the filtered form requested by the NAO, because of a fear of charges from their data management firm, EDS.

In the first email, dated 13 March, a junior manager wrote: "I must stress we must make use of data we hold and not over-burden the business by asking them to run additional data scans/filters that may incur a cost to the department."

In a reply, the NAO official requests that address, bank and parent details be removed, not for security reasons but in order to make the file smaller. Throughout the emails, the use of CD discs to send the records is assumed.

The first set of discs arrived safely, and the NAO carried out its audit and returned the discs in April. Months later, however, the process was repeated with different results.

On 2 October, a NAO official again requested data sets, and noted: "Last time we had a 100 zipped files on 2 CDs. Please could you ensure that the CDs are delivered to NAO as safely as possible due to their content."

The next message, from the HMRC to the NAO, asked the recipient of the CDs to call when they had arrived, in order to receive the passwords for the discs. This confirms that the discs were indeed guarded by a password, and that, contrary to some concerns, the passwords were sent separately from the mailed discs.

In a briefing note created for the chancellor, the NAO said they contacted HMRC on 24 October saying the discs had not arrived and requesting a second set be sent. The second set arrived, but the first set was still missing.

Complicating matters, the NAO moved offices over three weekends on 3 November, as did the HMRC audit team.

The HMRC contacted the NAO on 8 November, prompting a search of the expected route of delivery and an email to staff asking if they'd seen the package. Several subsequent searches have happened, but the discs remain missing.

The NAO also released a document explaining that they had requested the data for auditing purposes. A Second Director, whose name has been redacted, said he or she should have better communicated with the HMRC about how the data was to be used, and how the NAO might better be able to "sample" the child benefit data.

The director added: "We do take seriously our data protection responsibilities and I recognise that the security incident that has arisen here has occurred solely as a result of a data request that we initiated; and I accept responsibility for that."
