Friday, 9 November 2007

Frank Abagnale's advice to me Re: HMRC

I know all about the various methods and processes by which HMRC could have protected my private information, but now my info could be in the wild and in the hands of bad guys, so who better to give me some advice than Frank Abagnale? If you haven't heard of Frank, he's the guy the "Catch Me If You Can" movie was based on. After serving his time, Frank provided consultancy to several banks, helping them to beat fraudsters, and he went on to be known and respected as a leading expert in identity theft. Here is his advice to me...

"Sorry that this happened to you.

Most of the time when identities are lost/stolen in this method, the people who steal the information sell it to a buyer who sits on it normally for about 2 -3 years. Unlike stealing credit card data where the credit card issuer can cancel the cards, you can't change your name, date of birth, National Insurance Number/Social Security Number, etc. So the longer they sit on the information the more valuable it becomes to the buyer when he decides to become the seller.

I would recommend a service that is now available in Great Britain called PrivacyGuard. Over 6 million Americans use PrivacyGuard, including myself. PrivacyGuard monitors all three credit bureaus and notifies their customers in real time by e-mail or text message (not by a letter) if someone is attempting to get credit or open an account in their name. Typically over here, when information has been lost by the fault of a company or government agency, they provide the potential victims the monitoring service for free for one year. I would demand three years to protect oneself thoroughly."

Interesting point about how the bad guys sit on the info and sell it on down the line. I'm going to take his advice, check out PrivacyGuard and post what I find out next week. Still, there's going to be a charge to use this service; I wonder if I should try and get HMRC to foot the bill?


Anonymous said...

I have just completed the world's largest single-domain encryption implementation with one of the UK's largest banks.

Earlier in the year we were faced with the same challenge that Standard Life now has: how to get information to HMRC encrypted. Initially HMRC were not very helpful, as they were dead set on the data being sent to them on CD unencrypted. Of course, the problem we had is that none of the vendors we had looked at for our project offered "native" CD encryption, and HMRC didn't want to use encrypted memory sticks!

Thankfully, cooler heads prevailed and HMRC now accept encrypted memory sticks.

I think with this issue the blame rests with both HMRC (who no doubt insisted on unencrypted CDs) and Standard Life (who probably didn't push the issue as hard as we did!).

Standard Life should be slapped hard by the FSA and HMRC themselves should also be slapped hard (now they can thanks to a recent court ruling that HMRC should be held accountable for their actions).

[I would like to talk to you more on this if you like. Can you point me to your contact details so we can chat?]

Dave Whitelegg CISSP said...

Very interesting comments, I have no plans to let this issue rest.

The way I understand it as a security pro is that HMRC sent the CD media (the data) to Standard Life, so HMRC are the party fully responsible for the process and protection of the data until it arrives in Standard Life's custody. Really, all Standard Life can do is advise that it isn't an acceptable method etc.; it's not their fault HMRC sent the CD unencrypted and it got lost, it's 100% HMRC.

I've had no response from the Information Commissioner as yet with my complaint. My next step is to contact my local MP and Michael Mills (the Minister of State), who is responsible for "Data sharing and data protection" amongst other things.