Tuesday 20 November 2007

HMRC: UK's Biggest Data Breach Ever

The loss of two CDs holding 25 million personal records by HMRC is the biggest data breach in UK history; it's almost half the population. The data lost included children's names, full addresses, dates of birth, National Insurance numbers and, where relevant, bank and building society account details.

How did this breach occur?
In October, a junior HMRC employee downloaded the entire HMRC database, placed all the data onto two CDs, put the CDs in a Jiffy bag and stuck it in the internal post for the attention of the NAO, who had requested it. This package never arrived at its destination, the NAO, so on finding out, the same junior HMRC employee downloaded the entire database and placed the data on CDs again, but this time sent it by recorded mail; this did arrive. The lost CD is described as password protected by HMRC; however, I would like to make it very clear the data on the CD is NOT encrypted, and is therefore far from secure against being read, and I understand the password system can be easily defeated.

The first question I have here: it shouldn't even be possible for any junior employee (or senior employee, for that matter) to extract all of the data from the HMRC system. Clearly there are no controls in place within the databases and IT systems at HMRC. I have also heard from a source that the IT systems at HMRC are a bit of a mess, which the lack of basic security controls for me confirms as fact.

My second question is over how the data was transferred. Clearly in this day and age there are many secure and more cost-effective methods of sending sensitive data to third parties; it's a completely unacceptable practice to send any sensitive information on unencrypted media, never mind 25 million records. Clearly the junior employee doesn't even have basic information security awareness, and this points to a lack of a security culture within HMRC, which I would have thought would have been a priority considering the sensitivity of the data held by HMRC.

Thirdly, HMRC are in clear breach of the Data Protection Act; will they get punished? Is it even worth considering fining them? As they are publicly operated, it would basically be fining yourself. So just where is the drive to improve information security within HMRC going to come from?

Finally, this isn't the first incident involving HMRC in recent times. Are they investigating incidents and learning from the mistakes? Clearly I think not.

So typical records on the missing CD include a full name, full address, Date of Birth, National Insurance number, children's names and even full bank account details. In the wrong hands this information could literally ruin lives. I'll blog more about the risks and consequences of this information being used for identity theft tomorrow.

How does this incident affect me personally? Well, two weeks ago I got compromised with the missing CD sent by HMRC to Standard Life, and today I find that my wife's bank account and my children's details are compromised too, so a real clean sweep by HMRC in my household.

1 comment:

Anonymous said...

Hi, I work within an FSA-regulated business & we are required to deny the ability to write to CD, DVD, stick or, in fact, anything removable. You cannot trust users to behave, so we achieved this by removing CD/DVD writers & using GPO bolt-ons to restrict removable writing. It wasn't hard. Anything that requires writing to removable media is requested via our helpdesk and, when full authority is received, is cut to one of a handful of writers, with agreed & heavy encryption - and without the key written on the disk!!!
And we're just a commercial business!
What is wrong with these people?