Tuesday, 20 November 2007

Shambolic HMRC loses yet another CD

It’s well documented on this blog, on how the UK Government department, Her Majesty's Revenue & Customs (HMRC), failed to protect my own and 15,000 others personal information,losing a couriered unencrypted CD a couple of weeks back, and then there was the incident with an unencrypted HMRC laptop going missing a couple weeks before that.

Now they have completed the hat-trick big time, this time losing a bunch of CDs holding 15 Million children benefit records, which I understand held names, address, date of birth and bank account details for around 7 million British families.

Apparently the CD went missing after being couriered between HMRC headquarters in Washington, Tyne and Wear and London, when exactly how this happened isn’t clear yet, however ministers have known about the problem for 9 to 10 days. I understand another HMRC internal investigation is underway, while the police are still investigating.

So yet again the CD was sent unencrypted and yet again I wish to highlight there are more efficient, cheaper and secure ways of sending personal data, as well as the totally unacceptable and irresponsible practice employed HMRC.

So this time the HMRC chairman, Paul Gray, has resigned over this issue, and to quote him directly “I had hoped to be around for a while longer, and to have had the continuing privilege of leading HMRC towards the vision we have been developing. I am extremely proud of what all of you in the organisation have achieved during my time as deputy chairman and chairman."

The issue is being raised in parliament as I type, with Tory MP Nigel Evans saying "He should have told the public straight away in order that they could have taken precautions against anyone's information being used by ID fraudsters."

And for the Liberal Democrats, Chris Huhne told the BBC: "It is a horrendous problem; it's one of the biggest failures in a major government department that I can remember. It's an enormous delivery problem and I think that clearly that's been recognised by the head of HMRC when he resigned... I would be surprised if we did not see ministerial heads rolling as well."

I wouldn’t be surprised either, meanwhile with my own case with HMRC, I have written letters to my local MP, the Information Commissioner and the Minister responsible for data protection, I’ll report back any responses and further development. Although I expect from this point on, my issue will be completely over shadowed by this very significant incident, involving millions of peoples records.


Anonymous said...

You should have written to BBC Watchdog - you could have been on TV on Monday night (19th) as they were highlighting this case! :-)

Dave Whitelegg CISSP said...

I saw that programme and I have since written to them.

Anonymous said...

The TV reports the CD's as being "password protected" which I therefore took that to mean encrypted and therefore felt a little better! However you mention they're not encrypted. The person who did this must have been an idiot, to use CD's and send via a non-tracked internal post for something so sensitive defies belief.

Dave Whitelegg CISSP said...

Let me confirm the missing HMRC CDs were NOT ENCRYPTED, I'm afraid HMRC are trying to mislead (again), it was confirmed during the parliamentary debate yesterday. As I understand it, it wouldn't take too much effort to defeat the password protection and read the data of the CDs. Again based on comments and passed incidents, it appears HMRC have been sending CDs with our personal data on around unencrypted for some time, I can think of several more cost effective and correctly secure methods.

Yes it certainly does beggars belief this could happen, (a) that someone junior within HMRC has access to download the whole HMRC database, and (b) the complete lack of information security awareness within the organisation. I work with private companies improving information security, I can tell you it does take too long (or much financial investment) to ensure everyone, even the most junior of employees, are fully aware of their responsibility in safeguarding data, especially personal data, which after all is protected by the Data Protection Act.

rob's uncle said...

I, and I'm sure many other readers, would be very interested to know what the 'more cost effective and correctly secure methods' are, in your opinion. What kind of encryption should they have used, for example? It was evident from the questions put to Darling yesterday that neither he nor his questioners had any grasp of these issues. The method chosen was very cheap, so it seems to me that the issue is not expense but security.

Apologies if you have already covered this: I am a new reader, courtesy of Guido and the Woman on the Raft. In that case some links are all we need.

Dave Whitelegg CISSP said...

The first issue to consider is, where was the security controls for the HMRC database? No HMRC employee, let alone a junior employee should have the kind of access to them download the entire HMRC database, and then remove that data from the system. Surely this also means anyone with HMRC could walk out of the building with this information hidden on a tiny USB memory stick.

Secondly, is there a valid business reason and justification to send the entire HMRC database to a third party? If there is, then there needs to be a clear understanding of what information needs to be shared, an appropriate secure method devised, a risk assessment applied and security controls put in place etc.

In answering the encryption question…

Using a tool like PGP (or the free version called GnuPG), will allow the encryption of data to industry standards. Encrypting with PGP/GnuPG means the data can only be read by two parties, the person encrypting it and the intended recipient. It’s what us security professionals call asymmetric encryption, i.e. using public / private keys to encrypt the data between two parties. If the data on CD was encrypted with this method, then the loss of the CD wouldn't be such a major issue. Although I must stress even posting an encrypted CD with the entire HMRC database in the post is just a completely unacceptable practice. For a small amount of data (handful of records at a time), using PGP within Email is a secure and acceptable method.

So what if I had to send / share sensitive databases and information with a third party, how to achieve this in a secure fashion. First I would apply file level encryption (PGP), so you know only the intended recipient/system can read it. Then I would seek to send the encrypted data by a “private” connection to the third party. One cheap method is to setup and use an Internet VPN, which is an encrypted link between two organisations via the internet, again very cheap to setup and operate, yet secure, as the data is actually encrypted twice during transmission over the internet. However if I was approached with a requirement to share the entire HMRC database (25 Million personal records), then I would insist on private circuit, namely a direct network connection between the two organisations.

I can waffle on about encryption until the cows come home, so let me know if you have any more questions. In fact if you want to try out GnuPG yourself, let me know.

rob's uncle said...

Thanks for your very informative response, which all I need for now.

Anonymous said...

"rob's uncle" sounds like he may actually be the former HMRC chairman, Paul Gray or Alistair Darling looking for a little advice....