This is rapidly turning into the HMRC data breach blog! I post a lot about this issue at the moment because I have personal vested interest as do many others, there are further developments almost on a daily basis, and for anyone who cares about the security of personal information in the UK, this is still a huge issue which frankly still gives me great cause for concern, and provides much thought about data security in general, which I feel compelled to write about.
Anyway, I was in discussion with several people today in regards the missing HMRC CDs, one view was that HMRC regarded the internal mail as "private" postage, a view which doesn't sit with me at all.
The way I think about it is like this, if you were to copy the company's entire database, "The" Crown Jewels of the organisation to a piece of media. Shouldn't you be applying the same security measures as to the live database, as held on the Servers? Think about all the physical security aspects of a server/comms room for instance, and the logical security within the IT Systems controlling the database. Would any IT professional ever consider removing the hard disks holding the database and posting them in the mail?
As for the "private" mail, well for a start HMRC use third parties for that, but even if they did it in house, personally I would still regard any internal mail as an untrusted medium, therefore I would insist on encryption of any sensitive or classified data send through it as a matter of course.
A UK view on Cybersecurity & Information Security, Everything Computer Security from the very basics to the advanced. A blog with a focus on the latest Cyber Security developments & issues in the UK, including Hacking, Privacy (GDPR), Data Breaches, security standards such as NIST, PCI DSS, Cyber Essentials & ISO27001, all will be simply explained.
Monday, 26 November 2007
Sunday, 25 November 2007
HMRC: More Discs Go Missing, Is it Foul Play?
Yet more CD/DVDs have gone missing within HMRC's internal postage system, this time a batch of 6 "discs" have disappeared in transit in between Preston and London. This incident was spotted by HMRC on 30th October and apparently held customer complaint conversations, which I certainly would regards as personal information.
This is the third HMRC postage containing sensitive CDs which has gone missing within the same month, October 2007. Don't forget the CD which HMRC sent(lost) to Standard Life, which held 15,000 records, as reported on 2nd November, I can't forget that missing disc, as my personal details were on it!
So I have to ask whether there could be foul play? I can't answer that for certain as I don't work for HMRC or know all the facts, however I'm going to have a go at speculating since two of incidents involve my peronal information.
Organised criminals have been know to target large intuitions just for their data, going through external bins for info, using social engineering techniques, web hacking and even infiltrating organisation internally, there was a Scottish credit card call centre which was found to be deliberately infiltrated by a gang earlier in the year for money laundering purposes. It's too much of co-incidence for three packages containing CDs to have gone missing in the same month, I had period on Ebay where I sold loads of DVDs once, never had any packages go missing within the public postage system. It's not exactly hard to guess by the size and shape of the packaging that it holds a disc.
Interestingly if HMRC actually ships loads of CDs around their organisation all the time (which is bad) then you would have to say the stats wouldn't point to foul play at all. I do understand HMRC is a large and complex organisation, so it could be possible there are shed loads of CD/DVDs flying around HMRC, if there is, then there has to be a better and more secure methods of sharing that information.
To sum up my own conclusion on this, either HMRC sends CDs within the post unprotected as a matter of coarse OR HMRC send only a few CDs around which would indicate possible foul play, OR it's just a big co-incidence!
A lot of fraud, particularly identity theft does start in the mail system, HMRC mainly use TNT to deliver their mail between sites and organisations. In relation to the 25Million record discs, TNT are stating they don't think that missing package has even entered their mailing systems, but as it's unrecorded delivery they can't be certain, and I understand TNT are searching for it. A spokesman for HMRC recently said "All the evidence points to the fact that these discs are still on our premises," - Well if you keep searching and searching (I'm sure no stone is being left unturned) and they don't turn up, I think there is only one likely conclusion to be reached.
This is the third HMRC postage containing sensitive CDs which has gone missing within the same month, October 2007. Don't forget the CD which HMRC sent(lost) to Standard Life, which held 15,000 records, as reported on 2nd November, I can't forget that missing disc, as my personal details were on it!
So I have to ask whether there could be foul play? I can't answer that for certain as I don't work for HMRC or know all the facts, however I'm going to have a go at speculating since two of incidents involve my peronal information.
Organised criminals have been know to target large intuitions just for their data, going through external bins for info, using social engineering techniques, web hacking and even infiltrating organisation internally, there was a Scottish credit card call centre which was found to be deliberately infiltrated by a gang earlier in the year for money laundering purposes. It's too much of co-incidence for three packages containing CDs to have gone missing in the same month, I had period on Ebay where I sold loads of DVDs once, never had any packages go missing within the public postage system. It's not exactly hard to guess by the size and shape of the packaging that it holds a disc.
Interestingly if HMRC actually ships loads of CDs around their organisation all the time (which is bad) then you would have to say the stats wouldn't point to foul play at all. I do understand HMRC is a large and complex organisation, so it could be possible there are shed loads of CD/DVDs flying around HMRC, if there is, then there has to be a better and more secure methods of sharing that information.
To sum up my own conclusion on this, either HMRC sends CDs within the post unprotected as a matter of coarse OR HMRC send only a few CDs around which would indicate possible foul play, OR it's just a big co-incidence!
A lot of fraud, particularly identity theft does start in the mail system, HMRC mainly use TNT to deliver their mail between sites and organisations. In relation to the 25Million record discs, TNT are stating they don't think that missing package has even entered their mailing systems, but as it's unrecorded delivery they can't be certain, and I understand TNT are searching for it. A spokesman for HMRC recently said "All the evidence points to the fact that these discs are still on our premises," - Well if you keep searching and searching (I'm sure no stone is being left unturned) and they don't turn up, I think there is only one likely conclusion to be reached.
Thursday, 22 November 2007
HMRC: Emails Confirms Poor CD Password Protection
NAO have released details of their Email correspondence with HMRC leading up to the HMRC data breach, and answers a couple more questions I had with incident.
Click Here for NAO Emails
From the NAO Emails it is very clear to understand the HMRC data was zipped (compressed to make the data files smaller), likely with an application called Winzip. The so called password protection of CD we are told about is just a Winzip password, which wouldn't be very hard to defeat. See http://www.zipcure.com/ for instance.
On analysing what was said in the Emails further and ignoring the political spin about them...
NAO rep. states "I do not need address, bank or parent details in the download - are these removable to make the file smaller?" - Clearly NAO were not asking for the removal of the sensitive data for security, it appears the NAO wanted to receive a smaller database on the grounds of it being easier to manage on a single CD, i.e. a single zip file. This is contrary to the media reports which state NAO advised HMRC not to send sensitive information on security grounds.
So the NAO wanted the data to fit zipped on a single CD-R, in response this request the HMRC rep. states "I must stress we must make use of data we hold and not over burden the business by asking them to run additional data scans/filters that may incur a cost to the department."
In my view I think this an attempt to fob off NAO, rather than for a genuine financial reason. As running a report to filter out the unnecessary data doesn't have too much cost associated with it, it just takes a little time to organise. So I am guessing the HMRC rep. knew this and didn't want to go through the hassle of extracting the information out the HMRC IT systems again. Sure I could be wrong in assumption, I'm just going from pass experiences with requesting stuff from busy IT bods.
These are my own views on reading the Emails, please let me know your views, and of course the content of these Emails makes absolutely no excuse for HMRC failing millions of people in not protecting our private information.
Click Here for NAO Emails
From the NAO Emails it is very clear to understand the HMRC data was zipped (compressed to make the data files smaller), likely with an application called Winzip. The so called password protection of CD we are told about is just a Winzip password, which wouldn't be very hard to defeat. See http://www.zipcure.com/ for instance.
On analysing what was said in the Emails further and ignoring the political spin about them...
NAO rep. states "I do not need address, bank or parent details in the download - are these removable to make the file smaller?" - Clearly NAO were not asking for the removal of the sensitive data for security, it appears the NAO wanted to receive a smaller database on the grounds of it being easier to manage on a single CD, i.e. a single zip file. This is contrary to the media reports which state NAO advised HMRC not to send sensitive information on security grounds.
So the NAO wanted the data to fit zipped on a single CD-R, in response this request the HMRC rep. states "I must stress we must make use of data we hold and not over burden the business by asking them to run additional data scans/filters that may incur a cost to the department."
In my view I think this an attempt to fob off NAO, rather than for a genuine financial reason. As running a report to filter out the unnecessary data doesn't have too much cost associated with it, it just takes a little time to organise. So I am guessing the HMRC rep. knew this and didn't want to go through the hassle of extracting the information out the HMRC IT systems again. Sure I could be wrong in assumption, I'm just going from pass experiences with requesting stuff from busy IT bods.
These are my own views on reading the Emails, please let me know your views, and of course the content of these Emails makes absolutely no excuse for HMRC failing millions of people in not protecting our private information.
Wednesday, 21 November 2007
HMRC: Who asked for the data and why?
I have now found out the answer to one of my burning questions in relation to the HMRC data breach. Which was, Why on earth would HMRC have any requirement to send the entire database outside their organisation?
The lost HMRC CDs were destined for The National Audit Office (NAO), a body which scrutinises public spending on behalf of Parliament.
http://www.nao.org.uk/
“The role of the National Audit Office (NAO) is to audit the financial statements of all government departments and agencies, and many other public bodies. We also report to Parliament on the value for money with which these bodies have spent public money. As well as providing accountability to Parliament, we aim to bring about real improvements in the delivery of public services.”
As part of the preparations for the 2007/08 audit of the HMRC by the NAO, the NAO instead of requesting the usual sample of data to audit, requested a full copy of client benefit data. No doubt because the funding and costs of child benefits has been a political hot potato in recent months.
However the NAO requested HMRC filter the information before sending it, removing details of parents, addresses and bank information. At this stage I was able to find out whether NAO requested the data to be shipped on CDs unencrypted or not, but nether-the-less HMRC are still 100% responsible for sending the data in that fashion, and thus fully responsible for the breach.
But I can't help but wonder if someone within government instructed NAO to carry out a comprehensive audit of the HMRC. HMRC's own rules on data protection were bypassed, proper channels were not used, it's no excuse but could government pressure been a factor?
Timeline of events
2 October 2007: The NAO formally asks HMRC for files on child benefit claimants.
18 October: HMRC tells the NAO that the CDs have been sent
24 October: The NAO informs HMRC that the discs have not arrived. The NAO asks for a second set to be sent – it needs them urgently to ensure an audit of HMRC’s accounts is not delayed.
25 October: The NAO confirms receipt of the second set of discs. It staff point out that the first set has still not arrived.
5 November: HMRC confirms that the first set of CDs is still missing.
8 November: The NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. It is only at this point that HMRC’s senior management is informed – but not the Chancellor of the Exchequer Alistair Darling who is responsible for HMRC.
10 November: HMRC with the cooperation of the NAO begins a search for the CDs at the offices of the audit office at Victoria. The NAO has no record of having received the first set of CDs. Only now is Alistair Darling, the Chancellor, informed.
11 November: HMRC and the police search the NAO’s offices. Nothing is found.
20 November: Alistair Darling makes a statement to the House of Commons on the missing discs and Paul Gray, the chairman of HMRC resigns.
21 November: HMRC issues an apology.
The lost HMRC CDs were destined for The National Audit Office (NAO), a body which scrutinises public spending on behalf of Parliament.
http://www.nao.org.uk/
“The role of the National Audit Office (NAO) is to audit the financial statements of all government departments and agencies, and many other public bodies. We also report to Parliament on the value for money with which these bodies have spent public money. As well as providing accountability to Parliament, we aim to bring about real improvements in the delivery of public services.”
As part of the preparations for the 2007/08 audit of the HMRC by the NAO, the NAO instead of requesting the usual sample of data to audit, requested a full copy of client benefit data. No doubt because the funding and costs of child benefits has been a political hot potato in recent months.
However the NAO requested HMRC filter the information before sending it, removing details of parents, addresses and bank information. At this stage I was able to find out whether NAO requested the data to be shipped on CDs unencrypted or not, but nether-the-less HMRC are still 100% responsible for sending the data in that fashion, and thus fully responsible for the breach.
But I can't help but wonder if someone within government instructed NAO to carry out a comprehensive audit of the HMRC. HMRC's own rules on data protection were bypassed, proper channels were not used, it's no excuse but could government pressure been a factor?
Timeline of events
2 October 2007: The NAO formally asks HMRC for files on child benefit claimants.
18 October: HMRC tells the NAO that the CDs have been sent
24 October: The NAO informs HMRC that the discs have not arrived. The NAO asks for a second set to be sent – it needs them urgently to ensure an audit of HMRC’s accounts is not delayed.
25 October: The NAO confirms receipt of the second set of discs. It staff point out that the first set has still not arrived.
5 November: HMRC confirms that the first set of CDs is still missing.
8 November: The NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. It is only at this point that HMRC’s senior management is informed – but not the Chancellor of the Exchequer Alistair Darling who is responsible for HMRC.
10 November: HMRC with the cooperation of the NAO begins a search for the CDs at the offices of the audit office at Victoria. The NAO has no record of having received the first set of CDs. Only now is Alistair Darling, the Chancellor, informed.
11 November: HMRC and the police search the NAO’s offices. Nothing is found.
20 November: Alistair Darling makes a statement to the House of Commons on the missing discs and Paul Gray, the chairman of HMRC resigns.
21 November: HMRC issues an apology.
HMRC: The Identity Theft Risk
Just to confirm what data was on those missing HMRC CDs (unencrypted):
Full Name
Full address
National Insurance Number
Date of Birth
Partner's details Names
Sex and age of children
Bank/savings account details
If those CDs fall into the wrong hands then half of the UK population are at increased risk at identity theft.
I think the information would be difficult to use break into online bank accounts directly, although it's worth noting some people do use their children’s names as passwords and there are the odd password reset process which ask for your date of birth and mother's maiden name, but the fraudster would need to compromise the account holders Email account or PC.
The real risk with this information is with Identity Theft, which is the UK's fastest growing crime.
What is Identity Theft? - Simply put, it is when a someone assumes your identity and racks up credit\loans in your name with no intent of paying it, and/or commits to other fraudulent and criminal activity in your name.
For instance a fraudster could easily use the HMRC information to purchase an expensive mobile phone on contract, with the victim being billed long after the purchase event. Fraudsters could use the information to setup credit and financial agreements without your knowledge too. There have even been ID Theft cases with fraudsters assuming children’s identities which can go unnoticed for years.
I would expect fraudsters to use such information in targeted attacks, for instance phoning you or Emailing you, and impersonating a representative from your bank, in an attempt steal access to your bank account online. Example being, "Hi, it's X bank here, just to confirm you are MrsX, your post code is X and Date of Birth is X, we need to reset your online banking password to protect against fraud with HMRC breach, it will only take a minute of your time..." It wouldn't be hard to find your phone number, knowing your full name and address, while the HMRC CD would provide bank name, your name, post code and Date of Birth.
In some cases the fraudster could even guess your online verbal password, as more often than not, it's the name of the son/daughter, and even if it's not, it's possible to fool someone into forgetting they had set it as such. This information is all held on the HMRC CD.
So what can we (yes I'm a victim too) do to protect ourselves?
The most important thing to do right now is to be extra vigilant, lifting advice from my recent ITSEeducing_your_Risk_of_Identity_Theft Guide
Q. What are the tell-tale signs that I’m might be a victim of Identity Theft?
A. There are several signs to look out for:
• You are unexpectedly rejected with loan or credit card applications, even though you have a good credit history
• If you receive debt collecting mail from companies and solicitors for debts you know nothing about • Missing post, expected bank and credit card statements, and especially replacement credit cards and cheque books do not arrive
• You receive bank and credit card statements that you haven’t setup or hire purchase agreements or mobile phone contracts you know nothing about
• You receive bills, invoices or receipts addressed to you for goods or services you haven’t used or asked for.
Also I would like to add, if you use one of childrens names as password for your online bank account, change it.
Personally, I know which bank details HMRC hold in my case, so I'm going to close down that account and open another account with a different bank. I am not saying everyone needs to take such action, as to be honest it's a major hassle to do, but it's my own personal action to reduce my own risks, as I'm particularly careful about my own personal information security.
Also take note of the following advice by the UK government
• Mr Darling said people should check their bank accounts for any "irregular activity"
• He said there was no need for people to close accounts as the details would not be sufficient to allow fraudsters to access them
• But people should not give out personal or account details "requested unexpectedly" by phone or by email
• Banking industry body Apacs advised people who bank online to monitor accounts and change passwords if they are a child's name or date of birth
Contact your bank immediately, but only if you spot something suspicious as banks are expecting to be overwhelmed with calls
• Banks also warn customers to be on the lookout for signs of ID theft and fraud - such as regular post like bank statements going missing, bills for items you have not bought, or letters approving or denying you credit you know nothing about
Full Name
Full address
National Insurance Number
Date of Birth
Partner's details Names
Sex and age of children
Bank/savings account details
If those CDs fall into the wrong hands then half of the UK population are at increased risk at identity theft.
I think the information would be difficult to use break into online bank accounts directly, although it's worth noting some people do use their children’s names as passwords and there are the odd password reset process which ask for your date of birth and mother's maiden name, but the fraudster would need to compromise the account holders Email account or PC.
The real risk with this information is with Identity Theft, which is the UK's fastest growing crime.
What is Identity Theft? - Simply put, it is when a someone assumes your identity and racks up credit\loans in your name with no intent of paying it, and/or commits to other fraudulent and criminal activity in your name.
For instance a fraudster could easily use the HMRC information to purchase an expensive mobile phone on contract, with the victim being billed long after the purchase event. Fraudsters could use the information to setup credit and financial agreements without your knowledge too. There have even been ID Theft cases with fraudsters assuming children’s identities which can go unnoticed for years.
I would expect fraudsters to use such information in targeted attacks, for instance phoning you or Emailing you, and impersonating a representative from your bank, in an attempt steal access to your bank account online. Example being, "Hi, it's X bank here, just to confirm you are MrsX, your post code is X and Date of Birth is X, we need to reset your online banking password to protect against fraud with HMRC breach, it will only take a minute of your time..." It wouldn't be hard to find your phone number, knowing your full name and address, while the HMRC CD would provide bank name, your name, post code and Date of Birth.
In some cases the fraudster could even guess your online verbal password, as more often than not, it's the name of the son/daughter, and even if it's not, it's possible to fool someone into forgetting they had set it as such. This information is all held on the HMRC CD.
So what can we (yes I'm a victim too) do to protect ourselves?
The most important thing to do right now is to be extra vigilant, lifting advice from my recent ITSEeducing_your_Risk_of_Identity_Theft Guide
Q. What are the tell-tale signs that I’m might be a victim of Identity Theft?
A. There are several signs to look out for:
• You are unexpectedly rejected with loan or credit card applications, even though you have a good credit history
• If you receive debt collecting mail from companies and solicitors for debts you know nothing about • Missing post, expected bank and credit card statements, and especially replacement credit cards and cheque books do not arrive
• You receive bank and credit card statements that you haven’t setup or hire purchase agreements or mobile phone contracts you know nothing about
• You receive bills, invoices or receipts addressed to you for goods or services you haven’t used or asked for.
Also I would like to add, if you use one of childrens names as password for your online bank account, change it.
Personally, I know which bank details HMRC hold in my case, so I'm going to close down that account and open another account with a different bank. I am not saying everyone needs to take such action, as to be honest it's a major hassle to do, but it's my own personal action to reduce my own risks, as I'm particularly careful about my own personal information security.
Also take note of the following advice by the UK government
• Mr Darling said people should check their bank accounts for any "irregular activity"
• He said there was no need for people to close accounts as the details would not be sufficient to allow fraudsters to access them
• But people should not give out personal or account details "requested unexpectedly" by phone or by email
• Banking industry body Apacs advised people who bank online to monitor accounts and change passwords if they are a child's name or date of birth
Contact your bank immediately, but only if you spot something suspicious as banks are expecting to be overwhelmed with calls
• Banks also warn customers to be on the lookout for signs of ID theft and fraud - such as regular post like bank statements going missing, bills for items you have not bought, or letters approving or denying you credit you know nothing about
Tuesday, 20 November 2007
HMRC: UK's Biggest Data Breach Ever
The lost of two CDs holding 25 Million personal records by HMRC, is the biggest data breach in UK history, it's almost half the population. The data lost included children's names, full addresses, dates of birth, National Insurance numbers and where relevant bank and building society account details.
How did this breach occur?
In October, a junior HMRC employee downloaded the entire HMRC database and placed all the data onto two CDs, and then put the CDs in Jiffa bag and stuck it in the internal post for the attention of NAO, who requested it. This package never arrived at the destination NAO, so on finding out the same junior HMRC employee downloaded the entire database and placed the data on CDs again, but this time sent it by recorded mail, this did arrive. The lost CD is described as password protected by HMRC, however I would like to make it very clear the data on the CD is NOT encrypted, therefore is far from secure being read, and I understand the password system can be easily defeated.
My first question I have here, is it shouldn't even be possible for any junior employee (or senior employee for that matter) to extract all of the data from the HMRC system, clearly there are no controls in place within the databases and IT Systems at HMRC. I have also heard from a source that the IT systems at HMRC are a bit of mess, which the lack of basic security controls for me confirms as fact.
My second question is over how the data of transferred, clearly in this data and age there are many secure and more cost effective methods of sending sensitive data to third parties, it's a completely unacceptable practice to send any sensitive information on unencrypted media, never mind 25 Million records. Clearly the junior employee doesn't even have a basic information security awareness, therefore this points to a lack of a security culture within the HMRC, which I would of thought would of been a priority considering the sensitive of data with HMRC.
Thirdly, HMRC are in clear breach of the Data Protection Act, will they get punished? Is it even worth it considering fining them, as they are public operated, it would basically fining yourself. So just where is the drive to improve information security within HMRC going to come from?
Finally, this isn't the first incident involving HMRC in recent times, are they investigating incidents and learning from the mistakes? Clearly I think not.
So typical records on the missing CD include a full name, full address, Date of Birth, National Insurance number, children's names and even full bank account details. In the wrong hands this information could literally ruin lives. I'll blog more about the risks and consequences of this information being used for identity theft tomorrow.
How does this incident affect me personally? Well two weeks ago I got comprised with the missing CD sent by HMRC to Standard Life, today I find that my Wife's bank account and my children's details are compromised two, so a real clean sweep by HMRC in my house hold.
How did this breach occur?
In October, a junior HMRC employee downloaded the entire HMRC database and placed all the data onto two CDs, and then put the CDs in Jiffa bag and stuck it in the internal post for the attention of NAO, who requested it. This package never arrived at the destination NAO, so on finding out the same junior HMRC employee downloaded the entire database and placed the data on CDs again, but this time sent it by recorded mail, this did arrive. The lost CD is described as password protected by HMRC, however I would like to make it very clear the data on the CD is NOT encrypted, therefore is far from secure being read, and I understand the password system can be easily defeated.
My first question I have here, is it shouldn't even be possible for any junior employee (or senior employee for that matter) to extract all of the data from the HMRC system, clearly there are no controls in place within the databases and IT Systems at HMRC. I have also heard from a source that the IT systems at HMRC are a bit of mess, which the lack of basic security controls for me confirms as fact.
My second question is over how the data of transferred, clearly in this data and age there are many secure and more cost effective methods of sending sensitive data to third parties, it's a completely unacceptable practice to send any sensitive information on unencrypted media, never mind 25 Million records. Clearly the junior employee doesn't even have a basic information security awareness, therefore this points to a lack of a security culture within the HMRC, which I would of thought would of been a priority considering the sensitive of data with HMRC.
Thirdly, HMRC are in clear breach of the Data Protection Act, will they get punished? Is it even worth it considering fining them, as they are public operated, it would basically fining yourself. So just where is the drive to improve information security within HMRC going to come from?
Finally, this isn't the first incident involving HMRC in recent times, are they investigating incidents and learning from the mistakes? Clearly I think not.
So typical records on the missing CD include a full name, full address, Date of Birth, National Insurance number, children's names and even full bank account details. In the wrong hands this information could literally ruin lives. I'll blog more about the risks and consequences of this information being used for identity theft tomorrow.
How does this incident affect me personally? Well two weeks ago I got comprised with the missing CD sent by HMRC to Standard Life, today I find that my Wife's bank account and my children's details are compromised two, so a real clean sweep by HMRC in my house hold.
Shambolic HMRC loses yet another CD
It’s well documented on this blog, on how the UK Government department, Her Majesty's Revenue & Customs (HMRC), failed to protect my own and 15,000 others personal information,losing a couriered unencrypted CD a couple of weeks back, and then there was the incident with an unencrypted HMRC laptop going missing a couple weeks before that.
Now they have completed the hat-trick big time, this time losing a bunch of CDs holding 15 Million children benefit records, which I understand held names, address, date of birth and bank account details for around 7 million British families.
Apparently the CD went missing after being couriered between HMRC headquarters in Washington, Tyne and Wear and London, when exactly how this happened isn’t clear yet, however ministers have known about the problem for 9 to 10 days. I understand another HMRC internal investigation is underway, while the police are still investigating.
So yet again the CD was sent unencrypted and yet again I wish to highlight there are more efficient, cheaper and secure ways of sending personal data, as well as the totally unacceptable and irresponsible practice employed HMRC.
So this time the HMRC chairman, Paul Gray, has resigned over this issue, and to quote him directly “I had hoped to be around for a while longer, and to have had the continuing privilege of leading HMRC towards the vision we have been developing. I am extremely proud of what all of you in the organisation have achieved during my time as deputy chairman and chairman."
The issue is being raised in parliament as I type, with Tory MP Nigel Evans saying "He should have told the public straight away in order that they could have taken precautions against anyone's information being used by ID fraudsters."
And for the Liberal Democrats, Chris Huhne told the BBC: "It is a horrendous problem; it's one of the biggest failures in a major government department that I can remember. It's an enormous delivery problem and I think that clearly that's been recognised by the head of HMRC when he resigned... I would be surprised if we did not see ministerial heads rolling as well."
I wouldn’t be surprised either, meanwhile with my own case with HMRC, I have written letters to my local MP, the Information Commissioner and the Minister responsible for data protection, I’ll report back any responses and further development. Although I expect from this point on, my issue will be completely over shadowed by this very significant incident, involving millions of peoples records.
Now they have completed the hat-trick big time, this time losing a bunch of CDs holding 15 Million children benefit records, which I understand held names, address, date of birth and bank account details for around 7 million British families.
Apparently the CD went missing after being couriered between HMRC headquarters in Washington, Tyne and Wear and London, when exactly how this happened isn’t clear yet, however ministers have known about the problem for 9 to 10 days. I understand another HMRC internal investigation is underway, while the police are still investigating.
So yet again the CD was sent unencrypted and yet again I wish to highlight there are more efficient, cheaper and secure ways of sending personal data, as well as the totally unacceptable and irresponsible practice employed HMRC.
So this time the HMRC chairman, Paul Gray, has resigned over this issue, and to quote him directly “I had hoped to be around for a while longer, and to have had the continuing privilege of leading HMRC towards the vision we have been developing. I am extremely proud of what all of you in the organisation have achieved during my time as deputy chairman and chairman."
The issue is being raised in parliament as I type, with Tory MP Nigel Evans saying "He should have told the public straight away in order that they could have taken precautions against anyone's information being used by ID fraudsters."
And for the Liberal Democrats, Chris Huhne told the BBC: "It is a horrendous problem; it's one of the biggest failures in a major government department that I can remember. It's an enormous delivery problem and I think that clearly that's been recognised by the head of HMRC when he resigned... I would be surprised if we did not see ministerial heads rolling as well."
I wouldn’t be surprised either, meanwhile with my own case with HMRC, I have written letters to my local MP, the Information Commissioner and the Minister responsible for data protection, I’ll report back any responses and further development. Although I expect from this point on, my issue will be completely over shadowed by this very significant incident, involving millions of peoples records.
Monday, 19 November 2007
UK WiFi Theft is Rife
A recent UK survey by Sophos revealed 54% of those surveyed had used someone else’s wireless Internet access without permission. Many within the media are calling this practice “WiFi Piggybacking”, and I’ve even seen quotes from liberal academics backing the practice. In my view this is plain and simple WiFi Theft, its wrong and it’s completely illegal in the UK.
The offence is under section 125 of the Communications Act 2003, which states that "a person who (a) dishonestly obtains an electronic communication service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence”. The maximum penalty is six months in jail and/or a fine of up to £5,000. There have been several prosecutions under this act. In fact I'm aware of the arrest of a 39 man in August, who was spotted using on his laptop in the street, accessing an unsecured WiFi connection within someone’s home in Chiswick, London.
I have heard some people say, they don’t care if their neighbours use their WiFi for Internet access. Well first of all, every UK ISP I have encountered has a clause within the contract, which clearly states you aren’t allowed to share your WiFi Internet connection with your neighbours. Secondly if you leave your WiFi broadband open, it allows the potential for anyone (even your neighbours) the ability to browse illegal and unsavoury websites, commit online fraud, download illegal movies, and even host illegal movies and unsavoury material. All of this activity is done in the name of the WiFi owner, some people still don’t realise the Internet is far from being anonymous usage, everything can be easily traced back via your ISP, back to you. So if someone uses your Internet bandwidth illegally, it will be your doorstep the authorities will darken. Thirdly, someone connecting to your WiFi connection can eavesdrop on your Internet activity, reading your Emails, building up a profile for identity theft and gathering any non-encrypted website username and passwords. Fourthly, many ISPs provide bandwidth limits, especially the cheaper deals out there, so your Internet usage is quite literally a limited resource, so you certainly shouldn’t want others stealing and using it.
How many unsecured home WiFi connections are they in the UK? Well the answer is about 1 in 4 residential wireless routers are unsecured, according to Moneysupermarket.com, who commissioned an amateur hacker to test the quality of wireless security in the streets of Liverpool, Manchester and Chester earlier this year. About 88% people secure their home PCs from the Internet with Anti-Virus and Firewalls, but it seems significant numbers are neglecting to secure the WiFi Routers. It’s possible for bad guys to compromise an unsecured WiFi router and bypass the security on home PC. Particularly if you think about the consequences of changing DNS settings and routing on the WiFi Router, so keeping the default WiFi Router name and password and leaving your WiFi unsecured isn’t such a great idea,
The offence is under section 125 of the Communications Act 2003, which states that "a person who (a) dishonestly obtains an electronic communication service, and (b) does so with intent to avoid payment of a charge applicable to the provision of that service, is guilty of an offence”. The maximum penalty is six months in jail and/or a fine of up to £5,000. There have been several prosecutions under this act. In fact I'm aware of the arrest of a 39 man in August, who was spotted using on his laptop in the street, accessing an unsecured WiFi connection within someone’s home in Chiswick, London.
I have heard some people say, they don’t care if their neighbours use their WiFi for Internet access. Well first of all, every UK ISP I have encountered has a clause within the contract, which clearly states you aren’t allowed to share your WiFi Internet connection with your neighbours. Secondly if you leave your WiFi broadband open, it allows the potential for anyone (even your neighbours) the ability to browse illegal and unsavoury websites, commit online fraud, download illegal movies, and even host illegal movies and unsavoury material. All of this activity is done in the name of the WiFi owner, some people still don’t realise the Internet is far from being anonymous usage, everything can be easily traced back via your ISP, back to you. So if someone uses your Internet bandwidth illegally, it will be your doorstep the authorities will darken. Thirdly, someone connecting to your WiFi connection can eavesdrop on your Internet activity, reading your Emails, building up a profile for identity theft and gathering any non-encrypted website username and passwords. Fourthly, many ISPs provide bandwidth limits, especially the cheaper deals out there, so your Internet usage is quite literally a limited resource, so you certainly shouldn’t want others stealing and using it.
How many unsecured home WiFi connections are they in the UK? Well the answer is about 1 in 4 residential wireless routers are unsecured, according to Moneysupermarket.com, who commissioned an amateur hacker to test the quality of wireless security in the streets of Liverpool, Manchester and Chester earlier this year. About 88% people secure their home PCs from the Internet with Anti-Virus and Firewalls, but it seems significant numbers are neglecting to secure the WiFi Routers. It’s possible for bad guys to compromise an unsecured WiFi router and bypass the security on home PC. Particularly if you think about the consequences of changing DNS settings and routing on the WiFi Router, so keeping the default WiFi Router name and password and leaving your WiFi unsecured isn’t such a great idea,
Friday, 9 November 2007
Frank Abagnale's advice to me Re:HMRC
I know all about the various methods and processes in which HMRC could of protected my private information, but now my info could be in the wild and in the hands of bad guys, who better to give me some advice than Frank Abagnale. If you haven't heard of Frank, he's the guy the "Catch Me If You Can" movie was based on, after serving his time Frank provided consultancy to several banks, helping them to beat fraudsters, and he went on to be known and respected as a leading expert in Identity Theft. Here is his advice to me...
"Sorry that this happened to you.
Most of the time when identities are lost/stolen in this method, the people who steal the information sell it to a buyer who sits on it normally for about 2 -3 years. Unlike stealing credit card data where the credit card issuer can cancel the cards, you can't change your name, date of birth, National Insurance Number/Social Security Number, etc. So the longer they sit on the information the more valuable it becomes to the buyer when he decides to become the seller.
I would recommend a service that is now available in Great Britain called PrivacyGuard (http://www.privacyguard.co.uk/). Over 6 million Americans use PrivacyGuard including myself. PrivacyGuard monitors all three credit bureaus and notifies their customers in real time by e-mail or text message (not by a letter) if someone is attempting to get credit or open an account in their name. Typically over here, when information has been lost by the fault of a company or government agency, they provide the potential victims the monitoring service for free for one year. I would demand three years to protect oneself thoroughly."
Interesting point about how bad guys sit on the info and sell it on down the line, I'm going to take his advice and check out PrivacyGuard and post what I find out next week. Still there's going to be a charge to use this service, I wonder if I should try and get HMRC to foot the bill?
"Sorry that this happened to you.
Most of the time when identities are lost/stolen in this method, the people who steal the information sell it to a buyer who sits on it normally for about 2 -3 years. Unlike stealing credit card data where the credit card issuer can cancel the cards, you can't change your name, date of birth, National Insurance Number/Social Security Number, etc. So the longer they sit on the information the more valuable it becomes to the buyer when he decides to become the seller.
I would recommend a service that is now available in Great Britain called PrivacyGuard (http://www.privacyguard.co.uk/). Over 6 million Americans use PrivacyGuard including myself. PrivacyGuard monitors all three credit bureaus and notifies their customers in real time by e-mail or text message (not by a letter) if someone is attempting to get credit or open an account in their name. Typically over here, when information has been lost by the fault of a company or government agency, they provide the potential victims the monitoring service for free for one year. I would demand three years to protect oneself thoroughly."
Interesting point about how bad guys sit on the info and sell it on down the line, I'm going to take his advice and check out PrivacyGuard and post what I find out next week. Still there's going to be a charge to use this service, I wonder if I should try and get HMRC to foot the bill?
Thursday, 8 November 2007
Lack of Data Discloure Laws
Well I lodged a complaint about HMRC with the Information Commissioner today, basically the guys who enforce the Data Protection Act, as I am still far from happy about the bad practice which led to my personal details being lost by HMRC, the time it took for disclosure and then being misled about the data encryption of the CD. I'll post up the response when I get it.
Meanwhile I noticed my involvement with this was discussed on Martin McKeay's (and Rich Mogull's) excellent Network Security Podcast, by the way I heartily recommend this podcast for anyone who is interested in learning more about Information Security and the latest topics within the field. One interesting point was made about our lack of disclosure laws we have in the UK compared to the US, which I have to say is true, we don't have any clear laws on breach disclosure within the public and private sectors, we rely and trust companies and organisation ethics. I think it would of been a very dangerous game for HMRC to sweep such a data breach under the carpet, due to the important of transparency placed on government and the UK media reaction etc.
So, we need to have clear breach disclosure laws in the UK, so I checked the Prime Minister's website to see if there was an online partition, and there was one, but it had closed at the end October 2007, so I couldn't sign it.
"We the undersigned petition the Prime Minister to review exisiting data protection legislation and improve the reporting of information security breaches in the public and private sectors".
It was signed by 339 people. So perhaps I'll look into setting up and promoting another petition further down the line, well not unless this one proves successful! Actually perhaps I should try it the old fashioned way and lobby my local MP or the Minister responsible for Information Technology.
http://petitions.pm.gov.uk/fulldisclosure/
Meanwhile I noticed my involvement with this was discussed on Martin McKeay's (and Rich Mogull's) excellent Network Security Podcast, by the way I heartily recommend this podcast for anyone who is interested in learning more about Information Security and the latest topics within the field. One interesting point was made about our lack of disclosure laws we have in the UK compared to the US, which I have to say is true, we don't have any clear laws on breach disclosure within the public and private sectors, we rely and trust companies and organisation ethics. I think it would of been a very dangerous game for HMRC to sweep such a data breach under the carpet, due to the important of transparency placed on government and the UK media reaction etc.
So, we need to have clear breach disclosure laws in the UK, so I checked the Prime Minister's website to see if there was an online partition, and there was one, but it had closed at the end October 2007, so I couldn't sign it.
"We the undersigned petition the Prime Minister to review exisiting data protection legislation and improve the reporting of information security breaches in the public and private sectors".
It was signed by 339 people. So perhaps I'll look into setting up and promoting another petition further down the line, well not unless this one proves successful! Actually perhaps I should try it the old fashioned way and lobby my local MP or the Minister responsible for Information Technology.
http://petitions.pm.gov.uk/fulldisclosure/
Wednesday, 7 November 2007
HMRC Data Breach CD was NOT Encrypted
I phoned HM Revenue & Customers (HMRC) again today to obtain further clarification on whether their missing CD was encrypted or not, as on Monday I was categorically told by a HMRC representative the CD was encrypted, although he couldn't say what type of encryption was used, in fact I repeated the question three times to be sure. After reading conflicting press reports about encryption of the CD, I decided to phoned HMRC again today. This time I was told by HMRC the CD wasn't encrypted after all, so I was completely mislead by them on Monday then.
This just goes from bad to worst.
And get this, I was then told not to worry as although the names were readable within the files in the CD, my National Insurance, Date of birth and pension reference details would be "difficult" read! In other words the data was in an unformated state. I explained to the HMRC rep. that is was actually something to worry about, as it probably wouldn't take too long to render the "Unformated" data into a nice neat table of 15,000 records.
Just to recap the main point, this means NO ENCRYPTION was used on the CD (otherwise the names wouldn't be readable), this is a cardinal sin (and a crime?) to send people's personal data on a CD completely unprotected through public channels i.e. the courier/post system. In this day and age there are many more secure (and cheaper) ways than posting people details unprotected on CD media.
If HMRC think the data being a little hard to read is the equivalent of it being encrypted, well I'm afraid to say they really are in a bad state of affairs information security wise.
I went on to asked whether anyone had issues with ID theft & unusual access to National Insurance records and was told none as yet, but since the victims (including me) are stuck with the same NI number, name and DoB for the rest of our lives, I guess there is plenty of time for that.
This just goes from bad to worst.
And get this, I was then told not to worry as although the names were readable within the files in the CD, my National Insurance, Date of birth and pension reference details would be "difficult" read! In other words the data was in an unformated state. I explained to the HMRC rep. that is was actually something to worry about, as it probably wouldn't take too long to render the "Unformated" data into a nice neat table of 15,000 records.
Just to recap the main point, this means NO ENCRYPTION was used on the CD (otherwise the names wouldn't be readable), this is a cardinal sin (and a crime?) to send people's personal data on a CD completely unprotected through public channels i.e. the courier/post system. In this day and age there are many more secure (and cheaper) ways than posting people details unprotected on CD media.
If HMRC think the data being a little hard to read is the equivalent of it being encrypted, well I'm afraid to say they really are in a bad state of affairs information security wise.
I went on to asked whether anyone had issues with ID theft & unusual access to National Insurance records and was told none as yet, but since the victims (including me) are stuck with the same NI number, name and DoB for the rest of our lives, I guess there is plenty of time for that.
Monday, 5 November 2007
HMRC Data Breach Update - I'm vulnerable!
I'm vulnerable to Identity Theft thanks to HMRC Update
It turns out I’m one of 15,000 Standard Life customers to be at risk of fraud after personal details were lost by HM Revenue & Customs (HMRC).
I had confirmation in addition to the letter I received on Friday. The CD holding my info (including National Insurance Number, Date of Birth and info about my pension) was sent from the Revenue office in Newcastle to the Standard Life’s HQ in Edinburgh, however the CD never arrived, apparently lost by the courier firm.
Also I heard a rumour that second CD containing data on some customers from an unnamed second company has also gone missing, which if true might suggest something more sinister is afoot.
HMRC have been quoted in saying the incident happened at the end of September, a whole month before any notification, which isn't good as they should be notifying much quicker than that.
And on the data encryption front, HMRC won't say whether the information was encrypted or not "on security grounds" – to me that statement implies the data wasn't encrypted, however I called them up and spoke with an operator about this issue, and he said the data was encrypted, and can only be read by Standard Life and HMRC. Which begs the question why aren't HMRC providing any assurance in stating this in the letter and on press releases? So I asked what type of encrpytion was used, but the HMRC call operator didn't know. Then I asked to speak with someone senior who could answer my questions, he said they wouldn't know either as they are still investigating the incident.
I’m still gathering further information, and I’ll post more details and my findings when I get more answers.
It turns out I’m one of 15,000 Standard Life customers to be at risk of fraud after personal details were lost by HM Revenue & Customs (HMRC).
I had confirmation in addition to the letter I received on Friday. The CD holding my info (including National Insurance Number, Date of Birth and info about my pension) was sent from the Revenue office in Newcastle to the Standard Life’s HQ in Edinburgh, however the CD never arrived, apparently lost by the courier firm.
Also I heard a rumour that second CD containing data on some customers from an unnamed second company has also gone missing, which if true might suggest something more sinister is afoot.
HMRC have been quoted in saying the incident happened at the end of September, a whole month before any notification, which isn't good as they should be notifying much quicker than that.
And on the data encryption front, HMRC won't say whether the information was encrypted or not "on security grounds" – to me that statement implies the data wasn't encrypted, however I called them up and spoke with an operator about this issue, and he said the data was encrypted, and can only be read by Standard Life and HMRC. Which begs the question why aren't HMRC providing any assurance in stating this in the letter and on press releases? So I asked what type of encrpytion was used, but the HMRC call operator didn't know. Then I asked to speak with someone senior who could answer my questions, he said they wouldn't know either as they are still investigating the incident.
I’m still gathering further information, and I’ll post more details and my findings when I get more answers.
Friday, 2 November 2007
I'm vulnerable to Identity Theft - Thanks a lot HMRC
When I arrived home today and I was greeted with a brown letter from Her Majesty's Revenue & Customs (HMRC). Did I owe them tax? No, much worst than that, HMRC have exposed me to Identity Theft big time, just less than a week after I posted up a guide on "Reducing your risk of ID fraud" too.
ITSEeducing_your_Risk_of_Identity_Theft
So here we have a top UK Government department which has dropped yours truly, into serious risk of Identity Theft, at no fault of my own. To quote from the HMRC letter...
"At the end of September HMRC sent a CD to your pension provider, X (I've X them out as there not the ones at fault) with your surname, national insurance number, date of birth and plan reference number included on it. We are very sorry to tell you that the CD was lost after it had been collected from HMRC by HMRC's external courier and before it was delivered to X. This means that there is a possibility that your personal data could be accessed by someone other than HMRC or X."
My blood is really boiling!
(I've had to go through this post and delete out all the swearing!)
1. It might be just a coincident, but it’s little bit convenient sending me such a letter to arrive on a Friday or Saturday, when the HMRC offices are closed over the weekend. I’m concerned and I want answers now!
2. ENCRYPTION - This is the biggy - Why the hell did they not encrypt the data on the CD?
3. In this day and age, there are plenty of better ways of sending such sensitive data in a completely secure manor, rather than couriering media around the place, have they ever heard of PGP and VPNs?
4. The Data Protection Act, have they broken the law?
5. How many other peoples details were on that CD, I've not read anything about it in the press. Or how many other CDs have gone missing?
6. This breach occurred in September, its November now…When exactly in September did it happen? How long before they knew CD was missing? Why has it taken between 1 and 2 months to notify me?
7. Has it the incident been investigated? What's the result of the investigation? Do HMRC recognise they have a security hole within their business processes? Has it been corrected?
8. Now my personal details could be in hands of bad guys, how are they going to protect me?
9. What steps should I be taking to protect myself now?
Answers to these question and more when the HMRC offices open again on Monday morning, and I try to get some answers. I invite you all to join me in trying to hold the UK Government to account, for this heinous breach of my (and possibly many others) personal data.
ITSEeducing_your_Risk_of_Identity_Theft
So here we have a top UK Government department which has dropped yours truly, into serious risk of Identity Theft, at no fault of my own. To quote from the HMRC letter...
"At the end of September HMRC sent a CD to your pension provider, X (I've X them out as there not the ones at fault) with your surname, national insurance number, date of birth and plan reference number included on it. We are very sorry to tell you that the CD was lost after it had been collected from HMRC by HMRC's external courier and before it was delivered to X. This means that there is a possibility that your personal data could be accessed by someone other than HMRC or X."
My blood is really boiling!
(I've had to go through this post and delete out all the swearing!)
1. It might be just a coincident, but it’s little bit convenient sending me such a letter to arrive on a Friday or Saturday, when the HMRC offices are closed over the weekend. I’m concerned and I want answers now!
2. ENCRYPTION - This is the biggy - Why the hell did they not encrypt the data on the CD?
3. In this day and age, there are plenty of better ways of sending such sensitive data in a completely secure manor, rather than couriering media around the place, have they ever heard of PGP and VPNs?
4. The Data Protection Act, have they broken the law?
5. How many other peoples details were on that CD, I've not read anything about it in the press. Or how many other CDs have gone missing?
6. This breach occurred in September, its November now…When exactly in September did it happen? How long before they knew CD was missing? Why has it taken between 1 and 2 months to notify me?
7. Has it the incident been investigated? What's the result of the investigation? Do HMRC recognise they have a security hole within their business processes? Has it been corrected?
8. Now my personal details could be in hands of bad guys, how are they going to protect me?
9. What steps should I be taking to protect myself now?
Answers to these question and more when the HMRC offices open again on Monday morning, and I try to get some answers. I invite you all to join me in trying to hold the UK Government to account, for this heinous breach of my (and possibly many others) personal data.
Thursday, 1 November 2007
Unclever but Lucky People!
I just happen to own the domain “Network-UK.com” which I leased several years back as part of a project I was working on, which really didn’t take off the ground. Anyway for several months now I have been receiving misdirected Email to this domain, almost on a daily basis now, Email which appears to be meant for a London based UK employment agency using a similar domain name, addresses for a variety of individual accounts at the domain rather than one. Which in itself is kind of expected, however it’s the content of these misdirected Email which really concerns me. Due to the way forwarding works to my inbox, I can’t instantly tell if an Email was forwarded or not, and on occasion within my preview panel I can see these Email are about wages claims, and often include Full Name and Addresses, Bank Account numbers with Sort Code and bank name, Full Names and Phone numbers, National Insurance numbers, and even on occasion full colour scanned copies of passports! which as we all know is a really unclever to send to anyone over Email.
Out of courtesy and concern I made several efforts to contact the intended email destination company in question, however so far I had no replies. I can’t help but wonder whether they are encouraging their punters to send such sensitive details by Email in the first place, however lucky for those punters it’s me that receives their sensitive details and deletes on receipt. It really goes to show that there are plenty regular people out there who don't know how to be secure using the Internet.
It looks like I am going to have to put an Email auto-reply to all email received to this domain, as I really want to avoid receiving such sensitive details in the first place, however I would be interested if anyone had any advice to offer to me on this one!
Out of courtesy and concern I made several efforts to contact the intended email destination company in question, however so far I had no replies. I can’t help but wonder whether they are encouraging their punters to send such sensitive details by Email in the first place, however lucky for those punters it’s me that receives their sensitive details and deletes on receipt. It really goes to show that there are plenty regular people out there who don't know how to be secure using the Internet.
It looks like I am going to have to put an Email auto-reply to all email received to this domain, as I really want to avoid receiving such sensitive details in the first place, however I would be interested if anyone had any advice to offer to me on this one!