Security community slams HMRC

Security breach saw 15 million child benefit recipients' details 'lost in the post'

HM Revenue and Customs (HMRC) has been slammed by security experts after being responsible for what has been described as ‘one of the world’s biggest ID protection failures’.

HMRC chairman Paul Gray has resigned as a result of the government faux pas, in which computer discs thought to contain the confidential details of 15 million child benefit recipients, along with over seven million people's bank details, were lost in the post.

Earlier today the Chancellor of the Exchequer, Alistair Darling, was forced to issue a statement admitting that an investigation is still in progress, after attempts to locate the missing CDs failed. Darling added that an independent review of HMRC’s security procedures is taking place, with the full results to be published in Spring 2008.

However, Tom de Jongh, product manager at SafeBoot, said: “Basic policies were ignored. It appears that the fundamental policies upon which the National Audit Office and HMRC operate are flawed and it is no wonder that this breach has occurred. The Chancellor freely admits that NAO and HMRC broke clear procedures, but that will not reassure the millions of families that are praying their financial details don’t get into the wrong hands.”

Brian Spector, general manager for content protection group at Workshare, said: “It is staggering that an organisation responsible for the data of over 25 million child benefit claimants is still copying data onto CDs and not ensuring its full protection through encryption techniques. It has never been acceptable for businesses or government departments to lose data, but in today’s information society, the flagrant disregard for the protection and security of this type of data is not acceptable.

“The money invested in IT by the UK government must now be prioritised on security to ensure that the data of those the government serve – the public – is secure and protected.”

Jamie Cowper, director of European marketing at PGP Corporation, said: “These discs should never have been transported in the first place – information of this type should only be transmitted using the strongest security protocols available such as encrypted batch transfer – but more to the point, these details should not have been stored in this medium.

“Discs are easy to lose, but difficult to protect. This type of information should only be stored on formats where the data can be encrypted transparently, so that it remains protected wherever it resides, and whether at rest or in motion.”
