Wednesday, 7 November 2007

HMRC Data Breach CD was NOT Encrypted

I phoned HM Revenue & Customers (HMRC) again today to obtain further clarification on whether their missing CD was encrypted or not, as on Monday I was categorically told by a HMRC representative the CD was encrypted, although he couldn't say what type of encryption was used, in fact I repeated the question three times to be sure. After reading conflicting press reports about encryption of the CD, I decided to phoned HMRC again today. This time I was told by HMRC the CD wasn't encrypted after all, so I was completely mislead by them on Monday then.

This just goes from bad to worst.

And get this, I was then told not to worry as although the names were readable within the files in the CD, my National Insurance, Date of birth and pension reference details would be "difficult" read! In other words the data was in an unformated state. I explained to the HMRC rep. that is was actually something to worry about, as it probably wouldn't take too long to render the "Unformated" data into a nice neat table of 15,000 records.

Just to recap the main point, this means NO ENCRYPTION was used on the CD (otherwise the names wouldn't be readable), this is a cardinal sin (and a crime?) to send people's personal data on a CD completely unprotected through public channels i.e. the courier/post system. In this day and age there are many more secure (and cheaper) ways than posting people details unprotected on CD media.

If HMRC think the data being a little hard to read is the equivalent of it being encrypted, well I'm afraid to say they really are in a bad state of affairs information security wise.

I went on to asked whether anyone had issues with ID theft & unusual access to National Insurance records and was told none as yet, but since the victims (including me) are stuck with the same NI number, name and DoB for the rest of our lives, I guess there is plenty of time for that.

1 comment:

Alfred of Wessex said...

The tragedy for this country is that in the Civil Service 'staff' (AO and AA clerical grades) are forced to behave like a cross between Forest Gump and a lobotomized C3PO: they can only do what the rules made by their own ITSD (IT Services Department) security people allow them to, and only use the software that their ITSD permit to be installed on their PCs. And woe betide them if they disobey even one little rule, even if their rules prevent them from using their own intelligence to arrive at a better solution.

Even in junior management grades (EO, HEO), where people are allowed to use their brains without written permission from their line manager, the culture is one of 'don't say anything your superior(s) don't want to hear', for the simple reason that a single individual, your line manager, has the power of life-or-death over your prospects, just as his or her LM has the same power over their prospects, and so on up the line.

Added to which, most management grades are filled with non-technical people who simply do not know how to design an IT system, cannot specify them correctly, and cannot see when they are being had for a fool. Thus the consultants and contractors they employ take the taxpayer for a ride again and again.

The other thing that kills good decision-making within the Civil Service is management by committee. This manages to cause a group of intelligent individuals to arrive at 'lowest common denominator' compromise decisions that they would have rejected out of hand as individuals. It also comes down to everyone agreeing with whatever the most senior grade(s) at the meeting want to have happen.

In short:

Civil Servants + IT Systems = Criminally Expensive Waste of Taxpayers' Money