Missing: 25 million child benefit records

CDs containing the confidential personal details of 25 million child benefit recipients have been lost by HM Revenue & Customs (HMRC).

The records contain the names, addresses, dates of birth and National Insurance numbers of the entire HMRC child benefit database, which also includes the bank account details of more than seven million parents, guardians and carers.

Two password-protected CDs containing the child benefit information were sent unrecorded and unregistered by a junior HMRC official through courier TNT to the National Audit Office on 18 October but never arrived and have not been found.

The missing CDs were not reported to senior HMRC management until 8 November and the Chancellor of the Exchequer Alistair Darling was then notified on 10 November.

In a statement to Parliament, Darling said the delay in notifying the public of the security breach was necessary to allow the banks time to flag up affected bank accounts and monitor them for any unusual activity.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

A Metropolitan Police investigation into the missing discs is ongoing and Darling said police have no reason to believe the information has fallen into the "wrong hands".

He said: "The missing data in itself is not enough to access bank accounts… but we have to recognise the increased risk."

Privacy watchdog the Information Commissioner's Office, the Financial Services Authority and the Serious and Organised Crime Agency have also been notified.

Although the banks have so far reported no unusual activity on the affected accounts, child benefit recipients have been told to monitor their bank statements closely for anything suspicious and not give out any personal details requested unexpectedly by phone.

Darling said no individual will suffer any financial loss if they are innocent victims of fraud as a result of this security breach.

He said: "I deeply regret this and apologise for the anxiety caused."

Darling admitted it is "highly likely" the Data Protection Act has been broken and said an inquiry into the missing data will be conducted by the Independent Police Complaints Commission. The government has also appointed Kieran Poynter, chairman of PricewaterhouseCoopers to investigate HMRC's security procedures.

HMRC chairman Paul Gray resigned today as a result of what he called a "substantial operational failure" in the department.

Shadow Chancellor George Osborne called the security breach "catastrophic" and said the government has "compromised the security and safety of every family in the land". He also called on the government to abandon its ID card plans because of the data security risk.

Angry MPs also questioned HMRC procedures that allowed a junior official to download the entire child benefit database onto a CD in the first place.

This is the third serious security breach at HMRC in just over a month.

In November 15,000 Standard Life customers were warned after a CD containing the names, National Insurance numbers, dates of birth and pension data was lost in transit from HMRC to Standard Life's offices in Edinburgh. In October HMRC admitted a laptop containing details of 2,000 people with investment ISAs had been stolen.