Friday, 2 November 2007

I'm vulnerable to Identity Theft - Thanks a lot HMRC

When I arrived home today I was greeted with a brown letter from Her Majesty's Revenue & Customs (HMRC). Did I owe them tax? No, much worse than that: HMRC have exposed me to Identity Theft big time, less than a week after I posted up a guide on "Reducing your risk of ID fraud" too.
So here we have a top UK Government department which has dropped yours truly into serious risk of Identity Theft, through no fault of my own. To quote from the HMRC letter...

"At the end of September HMRC sent a CD to your pension provider, X (I've X'd them out as they're not the ones at fault) with your surname, national insurance number, date of birth and plan reference number included on it. We are very sorry to tell you that the CD was lost after it had been collected from HMRC by HMRC's external courier and before it was delivered to X. This means that there is a possibility that your personal data could be accessed by someone other than HMRC or X."

My blood is really boiling!
(I've had to go through this post and delete out all the swearing!)

1. It might be just a coincidence, but it’s a little bit convenient sending me such a letter to arrive on a Friday or Saturday, when the HMRC offices are closed over the weekend. I’m concerned and I want answers now!
2. ENCRYPTION - This is the biggy - Why the hell did they not encrypt the data on the CD?
3. In this day and age, there are plenty of better ways of sending such sensitive data in a completely secure manner, rather than couriering media around the place. Have they ever heard of PGP and VPNs?
4. The Data Protection Act, have they broken the law?
5. How many other people's details were on that CD? I've not read anything about it in the press. Or how many other CDs have gone missing?
6. This breach occurred in September, it's November now… When exactly in September did it happen? How long before they knew the CD was missing? Why has it taken between 1 and 2 months to notify me?
7. Has the incident been investigated? What's the result of the investigation? Do HMRC recognise they have a security hole within their business processes? Has it been corrected?
8. Now my personal details could be in the hands of bad guys, how are they going to protect me?
9. What steps should I be taking to protect myself now?

Answers to these questions and more when the HMRC offices open again on Monday morning, and I try to get some answers. I invite you all to join me in trying to hold the UK Government to account for this heinous breach of my (and possibly many others') personal data.

1 comment:

Anonymous said...

Dave, I really feel for you. What a crock!

This is the 2nd HMRC breach in as many months and the 2nd for Standard Life this year (that I know of).

This Breach:
http://breachblog.com/2007/11/05/standard.aspx
HMRC's October Breach:
http://breachblog.com/2007/10/06/hmrc.aspx