Posts

Showing posts from November, 2007

HMRC: CDs should be treated the same as the Server Room

This is rapidly turning into the HMRC data breach blog! I post a lot about this issue at the moment because I have personal vested interest as do many others, there are further developments almost on a daily basis, and for anyone who cares about the security of personal information in the UK, this is still a huge issue which frankly still gives me great cause for concern, and provides much thought about data security in general, which I feel compelled to write about. Anyway, I was in discussion with several people today in regards the missing HMRC CDs, one view was that HMRC regarded the internal mail as "private" postage, a view which doesn't sit with me at all. The way I think about it is like this, if you were to copy the company's entire database, "The" Crown Jewels of the organisation to a piece of media. Shouldn't you be applying the same security measures as to the live database, as held on the Servers? Think about all the physical security as...

HMRC: More Discs Go Missing, Is it Foul Play?

Yet more CD/DVDs have gone missing within HMRC's internal postage system, this time a batch of 6 "discs" have disappeared in transit in between Preston and London. This incident was spotted by HMRC on 30th October and apparently held customer complaint conversations, which I certainly would regards as personal information. This is the third HMRC postage containing sensitive CDs which has gone missing within the same month, October 2007. Don't forget the CD which HMRC sent(lost) to Standard Life, which held 15,000 records, as reported on 2nd November, I can't forget that missing disc, as my personal details were on it! So I have to ask whether there could be foul play? I can't answer that for certain as I don't work for HMRC or know all the facts, however I'm going to have a go at speculating since two of incidents involve my peronal information. Organised criminals have been know to target large intuitions just for their data, going through exte...

HMRC: Emails Confirms Poor CD Password Protection

NAO have released details of their Email correspondence with HMRC leading up to the HMRC data breach, and answers a couple more questions I had with incident. Click Here for NAO Emails From the NAO Emails it is very clear to understand the HMRC data was zipped (compressed to make the data files smaller), likely with an application called Winzip. The so called password protection of CD we are told about is just a Winzip password, which wouldn't be very hard to defeat. See http://www.zipcure.com/ for instance. On analysing what was said in the Emails further and ignoring the political spin about them... NAO rep. states "I do not need address, bank or parent details in the download - are these removable to make the file smaller?" - Clearly NAO were not asking for the removal of the sensitive data for security, it appears the NAO wanted to receive a smaller database on the grounds of it being easier to manage on a single CD, i.e. a single zip file. This is contrary t...

HMRC: Who asked for the data and why?

I have now found out the answer to one of my burning questions in relation to the HMRC data breach. Which was, Why on earth would HMRC have any requirement to send the entire database outside their organisation? The lost HMRC CDs were destined for The National Audit Office (NAO), a body which scrutinises public spending on behalf of Parliament. http://www.nao.org.uk/ “The role of the National Audit Office (NAO) is to audit the financial statements of all government departments and agencies, and many other public bodies. We also report to Parliament on the value for money with which these bodies have spent public money. As well as providing accountability to Parliament, we aim to bring about real improvements in the delivery of public services.” As part of the preparations for the 2007/08 audit of the HMRC by the NAO, the NAO instead of requesting the usual sample of data to audit, requested a full copy of client benefit data. No doubt because the funding and costs of child benef...

HMRC: The Identity Theft Risk

Just to confirm what data was on those missing HMRC CDs (unencrypted): Full Name Full address National Insurance Number Date of Birth Partner's details Names Sex and age of children Bank/savings account details If those CDs fall into the wrong hands then half of the UK population are at increased risk at identity theft. I think the information would be difficult to use break into online bank accounts directly, although it's worth noting some people do use their children’s names as passwords and there are the odd password reset process which ask for your date of birth and mother's maiden name, but the fraudster would need to compromise the account holders Email account or PC. The real risk with this information is with Identity Theft, which is the UK's fastest growing crime. What is Identity Theft? - Simply put, it is when a someone assumes your identity and racks up credit\loans in your name with no intent of paying it, and/or commits to other fraudulent...

HMRC: UK's Biggest Data Breach Ever

The lost of two CDs holding 25 Million personal records by HMRC, is the biggest data breach in UK history, it's almost half the population. The data lost included children's names, full addresses, dates of birth, National Insurance numbers and where relevant bank and building society account details. How did this breach occur? In October, a junior HMRC employee downloaded the entire HMRC database and placed all the data onto two CDs, and then put the CDs in Jiffa bag and stuck it in the internal post for the attention of NAO, who requested it. This package never arrived at the destination NAO, so on finding out the same junior HMRC employee downloaded the entire database and placed the data on CDs again, but this time sent it by recorded mail, this did arrive. The lost CD is described as password protected by HMRC, however I would like to make it very clear the data on the CD is NOT encrypted, therefore is far from secure being read, and I understand the password system can ...

Shambolic HMRC loses yet another CD

It’s well documented on this blog, on how the UK Government department, Her Majesty's Revenue & Customs (HMRC), failed to protect my own and 15,000 others personal information,losing a couriered unencrypted CD a couple of weeks back, and then there was the incident with an unencrypted HMRC laptop going missing a couple weeks before that. Now they have completed the hat-trick big time, this time losing a bunch of CDs holding 15 Million children benefit records, which I understand held names, address, date of birth and bank account details for around 7 million British families. Apparently the CD went missing after being couriered between HMRC headquarters in Washington, Tyne and Wear and London, when exactly how this happened isn’t clear yet, however ministers have known about the problem for 9 to 10 days. I understand another HMRC internal investigation is underway, while the police are still investigating. So yet again the CD was sent unencrypted and yet again I wish to h...

UK WiFi Theft is Rife

A recent UK survey by Sophos revealed 54% of those surveyed had used someone else’s wireless Internet access without permission. Many within the media are calling this practice “WiFi Piggybacking”, and I’ve even seen quotes from liberal academics backing the practice. In my view this is plain and simple WiFi Theft, its wrong and it’s completely illegal in the UK. The offence is under section 125 of the Communications Act 2003, which states that "a person who (a) dishonestly obtains an electronic communication service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence”. The maximum penalty is six months in jail and/or a fine of up to £5,000. There have been several prosecutions under this act. In fact I'm aware of the arrest of a 39 man in August, who was spotted using on his laptop in the street, accessing an unsecured WiFi connection within someone’s home in Chiswick, London. I have heard some peo...

Frank Abagnale's advice to me Re:HMRC

I know all about the various methods and processes in which HMRC could of protected my private information, but now my info could be in the wild and in the hands of bad guys, who better to give me some advice than Frank Abagnale. If you haven't heard of Frank, he's the guy the "Catch Me If You Can" movie was based on, after serving his time Frank provided consultancy to several banks, helping them to beat fraudsters, and he went on to be known and respected as a leading expert in Identity Theft. Here is his advice to me... "Sorry that this happened to you. Most of the time when identities are lost/stolen in this method, the people who steal the information sell it to a buyer who sits on it normally for about 2 -3 years. Unlike stealing credit card data where the credit card issuer can cancel the cards, you can't change your name, date of birth, National Insurance Number/Social Security Number, etc. So the longer they sit on the information the more valuab...

Lack of Data Discloure Laws

Well I lodged a complaint about HMRC with the Information Commissioner today, basically the guys who enforce the Data Protection Act, as I am still far from happy about the bad practice which led to my personal details being lost by HMRC, the time it took for disclosure and then being misled about the data encryption of the CD. I'll post up the response when I get it. Meanwhile I noticed my involvement with this was discussed on Martin McKeay's (and Rich Mogull's) excellent Network Security Podcast , by the way I heartily recommend this podcast for anyone who is interested in learning more about Information Security and the latest topics within the field. One interesting point was made about our lack of disclosure laws we have in the UK compared to the US, which I have to say is true, we don't have any clear laws on breach disclosure within the public and private sectors, we rely and trust companies and organisation ethics. I think it would of been a very dangerous ga...

HMRC Data Breach CD was NOT Encrypted

I phoned HM Revenue & Customers (HMRC) again today to obtain further clarification on whether their missing CD was encrypted or not, as on Monday I was categorically told by a HMRC representative the CD was encrypted, although he couldn't say what type of encryption was used, in fact I repeated the question three times to be sure. After reading conflicting press reports about encryption of the CD, I decided to phoned HMRC again today. This time I was told by HMRC the CD wasn't encrypted after all, so I was completely mislead by them on Monday then. This just goes from bad to worst. And get this, I was then told not to worry as although the names were readable within the files in the CD, my National Insurance, Date of birth and pension reference details would be "difficult" read! In other words the data was in an unformated state. I explained to the HMRC rep. that is was actually something to worry about, as it probably wouldn't take too long to render the ...

HMRC Data Breach Update - I'm vulnerable!

I'm vulnerable to Identity Theft thanks to HMRC Update It turns out I’m one of 15,000 Standard Life customers to be at risk of fraud after personal details were lost by HM Revenue & Customs (HMRC). I had confirmation in addition to the letter I received on Friday. The CD holding my info (including National Insurance Number, Date of Birth and info about my pension) was sent from the Revenue office in Newcastle to the Standard Life’s HQ in Edinburgh, however the CD never arrived, apparently lost by the courier firm. Also I heard a rumour that second CD containing data on some customers from an unnamed second company has also gone missing, which if true might suggest something more sinister is afoot. HMRC have been quoted in saying the incident happened at the end of September, a whole month before any notification, which isn't good as they should be notifying much quicker than that. And on the data encryption front, HMRC won't say whether the information was enc...

I'm vulnerable to Identity Theft - Thanks a lot HMRC

When I arrived home today and I was greeted with a brown letter from Her Majesty's Revenue & Customs (HMRC). Did I owe them tax? No, much worst than that, HMRC have exposed me to Identity Theft big time, just less than a week after I posted up a guide on "Reducing your risk of ID fraud" too. ITSEeducing_your_Risk_of_Identity_Theft So here we have a top UK Government department which has dropped yours truly, into serious risk of Identity Theft, at no fault of my own. To quote from the HMRC letter... "At the end of September HMRC sent a CD to your pension provider, X (I've X them out as there not the ones at fault) with your surname, national insurance number, date of birth and plan reference number included on it. We are very sorry to tell you that the CD was lost after it had been collected from HMRC by HMRC's external courier and before it was delivered to X. This means that there is a possibility that your personal data could be accessed by som...

Unclever but Lucky People!

I just happen to own the domain “Network-UK.com” which I leased several years back as part of a project I was working on, which really didn’t take off the ground. Anyway for several months now I have been receiving misdirected Email to this domain, almost on a daily basis now, Email which appears to be meant for a London based UK employment agency using a similar domain name, addresses for a variety of individual accounts at the domain rather than one. Which in itself is kind of expected, however it’s the content of these misdirected Email which really concerns me. Due to the way forwarding works to my inbox, I can’t instantly tell if an Email was forwarded or not, and on occasion within my preview panel I can see these Email are about wages claims, and often include Full Name and Addresses, Bank Account numbers with Sort Code and bank name, Full Names and Phone numbers, National Insurance numbers, and even on occasion full colour scanned copies of passports! which as we all know is a ...