Monday 5 November 2007

HMRC Data Breach Update - I'm vulnerable!

I'm vulnerable to Identity Theft thanks to HMRC Update

It turns out I’m one of 15,000 Standard Life customers to be at risk of fraud after personal details were lost by HM Revenue & Customs (HMRC).

I had confirmation in addition to the letter I received on Friday. The CD holding my info (including National Insurance Number, Date of Birth and info about my pension) was sent from the Revenue office in Newcastle to Standard Life’s HQ in Edinburgh; however, the CD never arrived, apparently lost by the courier firm.

Also, I heard a rumour that a second CD containing data on some customers from an unnamed second company has also gone missing, which if true might suggest something more sinister is afoot.

HMRC have been quoted as saying the incident happened at the end of September, a whole month before any notification, which isn't good as they should be notifying much quicker than that.

And on the data encryption front, HMRC won't say whether the information was encrypted or not "on security grounds" – to me that statement implies the data wasn't encrypted. However, I called them up and spoke with an operator about this issue, and he said the data was encrypted and can only be read by Standard Life and HMRC, which begs the question: why aren't HMRC providing any assurance by stating this in the letter and in press releases? So I asked what type of encryption was used, but the HMRC call operator didn't know. Then I asked to speak with someone senior who could answer my questions; he said they wouldn't know either, as they are still investigating the incident.

I’m still gathering further information, and I’ll post more details and my findings when I get more answers.
