
Timeline: HM Revenue & Customs data blunder

Trail of missing warnings and errors

Tags: full disclosure, data breach, data loss

By Nick Heath

Published: 26 June 2008 11:34 BST

Timeline of the HM Revenue & Customs (HMRC) data losses

The loss of 25 million records from HMRC's Child Benefit Computer System was declared "deplorable" and "entirely avoidable" in two reports into the data blunder released this week.

The data loss was preceded by a plethora of warning signs and mishaps. An earlier audit by the National Audit Office (NAO) in March 2007 identified many of the issues that would contribute to the loss of the discs, and in October four copies of the data discs were produced before a set managed to get through to the NAO. The timeline below documents the series of blunders leading up to the data breach…

2006 - 2007
The NAO begins its first discrete external audit of the Child Benefit Computer System (CBCS).

March 2007
Two CDs containing data from the CBCS are sent to the NAO. The transfer sets a precedent for procedure that would be followed ahead of the October data loss with data sent in full, without adequate encryption protection and without senior authorisation.

2 - 3 October 2007
An NAO employee asks for a copy of the full CBCS scan data for the second audit. In subsequent emails, NAO employees emphasise the CDs must be "delivered to the NAO as safely as possible due to their content". Some of these communications are not copied to the required single point of contact (Spoc), which leads to the Spoc being unaware when the first set of discs is sent out. Therefore no senior official is able to make a decision on the information's release.

4 October 2007
An EDS employee burns the files, containing the full records of all child benefit claimants at that time, onto two 700MB CD-ROMs. The files are compressed as zip files, providing low-grade encryption. Each file is protected by a low-level seven-digit alphanumeric password.

These discs are then handed to the HMRC and EDS sends passwords for each of the discs via email.

Data from the discs is then uploaded to a standalone computer at the HMRC offices in Washington (WVP) for analysis and the original CDs are placed in a locked room.

14 - 18 October 2007
An HMRC employee is unable to create a copy of the full CBCS data that had been copied onto the computer, so instead hands over the two original discs provided by EDS to a colleague inside the HMRC.

This HMRC employee then puts the discs in a jiffy bag addressed to the NAO in London and leaves them in an out-tray at WVP, to be sent out through the tax post system by courier TNT on 18 October.

The tax post system is undocumented and untraceable, despite a fully IT-enabled track-and-trace service being available from the offices.

22 October 2007
An NAO employee searches for the discs in the post room at head office but is unable to find them.

23 October 2007
An angry NAO employee contacts one of the Spocs at the HMRC demanding an explanation for why the discs had failed to arrive.

The Spoc then reveals he is unaware the discs had been posted to the NAO on 18 October and arranges for duplicate discs to be sent.

24 October 2007
Two further copies of the scan discs are made, one as a back-up copy and one to be sent to the NAO. It then emerges the data on the replacement discs to be sent out is not password protected.

A fourth set of CDs is then burnt with a copy of the data scans, this time both password-protected and zipped.

This fourth set of discs is sent by registered track courier and the NAO is notified of their dispatch by telephone.

25 October 2007
An HMRC employee emails an NAO employee to tell them the password for the fourth set of data discs.

The NAO worker confirms by email that the discs have been received later in the day and expresses his concern over the missing discs.
