UK Government Suffers Major Storage Snafu

HMRC joins growing list of removable media miscreants

November 21, 2007


The UK government has suffered a massive data breach after two disks containing personal details of 25 million people were lost by the country's equivalent of the IRS.

You read that right: 25 million. The disks, which contain welfare information on almost half of the U.K. population, went missing last month when Her Majesty's Revenue and Customs (HMRC) sent the disks to the National Audit Office (NAO).

With a major police investigation already underway, details of the breach started to emerge today.

A junior HMRC official sent the password-protected disks, containing child benefit payment information on 7 million families, to the NAO via courier firm TNT, but failed to register or record the package.

The package never arrived at its destination.

The records include the details of millions of benefits recipients, as well as the names, addresses, and dates of birth of virtually all the children in the U.K., according to the BBC.

The disks also contain bank account details of parents and guardians, as well as U.K. national insurance numbers, which are similar to Social Security numbers.

Such is the scale of the snafu that U.K. chancellor of the exchequer Alistair Darling, who oversees HMRC, issued a public apology for the breach earlier today.

"This is an extremely serious matter," he told Members of Parliament in the House of Commons. "HMRC has a responsibility towards the general public who entrust it with highly sensitive personal information [and] it has failed to meet the high standards that should be expected of it."

The Chancellor's statement followed the resignation of HMRC chairman Paul Gray earlier today, amidst a growing public furor over the way the breach has been handled.

"There is no mention that the 'discs' were encrypted, just that they were password protected," wrote Paul Howard, CEO of U.K.-based security consulting and encryption firm DISUK, in an email to Byte and Switch today.

The government, which found out about the breach on November 10, needs to seriously rethink its data protection strategy, according to Howard.

"The failure to notify people that their personal data and identity has been compromised clearly shows the contempt certain members of government have for the people of this country," he wrote. "The delayed announcement by the government clearly indicates the need for a bill similar to that passed in California to ensure the loss of personal records are notified within the shortest possible time."

HMRC refused to reveal any details about the disks, or its procedures, when Byte and Switch contacted the department earlier today. "Because there's a police investigation taking place, we can't go into any further details with regard to the data loss," said a spokesman.

In the House of Commons today, the embattled chancellor nonetheless attempted to downplay the potential risks for the millions of affected families.

"The police tell me that they have no reason to believe that this data has found its way into the wrong hands," said Darling. "They are not aware of any evidence that it has been used for fraudulent purposes or criminal activity."

With today's news, the U.K. government joins a growing list of data protection miscreants, which includes the Department of Veterans' Affairs, Los Alamos National Lab, and the state of Ohio.

This is not the first time that HMRC has suffered an embarrassing data loss. In September, a courier lost the records of around 15,000 people, and in the same month, the department lost a laptop containing personal details of its customers.
