Analysis: "You don't want to do it like that"...
Published: 22 November 2007 14:10 GMT
The loss by HM Revenue & Customs of 25 million child benefit claimant records has understandably sparked a host of reactions from security and legal experts.
Ovum principal analyst Graham Titterington encapsulated the scale of the event by saying: "This announcement is breathtaking because of the scale of the loss but not because it is a unique event. Indeed, it is the third major data leakage from HMRC in just three months."
He continued: "If the data has fallen into the hands of identity thieves, which is unlikely, the entire national identity ecosystem is undermined for two generations. The UK government and the nation is reduced to hoping that these two CDs are languishing in a rubbish bin somewhere."
At the moment, it's difficult to predict the full implications of this disaster. Jonathon Armstrong, principal partner at law firm Eversheds, drew parallels with similar security breaches in the US last year, when 26 million armed forces veterans' personal data was lost and when retailer TJX lost more than 90 million customers' bank data.
Armstrong predicted a likely outcome of this week's revelations will be a rash of phishing scams, where fraudsters will try to trick bank details out of people already worried about the data breach.
He said: "Even if the data on the CDs [sent by an HMRC official to the National Audit Office] does not get into the hands of fraudsters, it is likely that even now a large email campaign is being planned to prey on the British public. A similar scam in Scandinavia recently led to a bank losing £800,000."
It seems one of the few organisations under-reacting to the crisis is the government itself. The best advice it can come up with is that citizens likely to be affected should keep a close eye on their bank accounts. However, credit checking service Experian says this may not be good enough.
Compliance director at Experian, Helen Lord, said: "Fraudsters are more likely to attempt to use the data to apply for new credit in their victims' names. Monitoring your bank account is no defence against this crime. Children who are between 15 and 17 years old are especially at risk. Fraudsters will wait until they turn 18 to apply for credit products in their names. That could have a catastrophic effect on their ability to get on the housing ladder, obtain a loan or even open a bank account."
It is likely banks will suffer as a result of the breach, according to Gartner analyst Aviva Litan, as they are forced to go into emergency response mode.
She said: "UK banks may be forced to shut the 15 million accounts [affected] down and reissue new ones at an enormous cost to them and major inconvenience to customers, especially since customers typically set up automated payments and transfers. Debit cards that link to the old accounts may also have to be closed and reissued."
Even before the dust has settled, some pundits are looking at how the government needs to change its data security policy. Security software specialist Checkpoint is just one security industry player to wade into the debate.
Checkpoint technical manager Caroline Ikomi said: "By encrypting automatically, the chances of data being intercepted for criminal purposes are far less likely. It can literally protect organisations from their own mistakes."
John Colley, former head of information security at Royal Bank of Scotland, now European MD of the International IS Security Certification Consortium, believes the solution is more about educating government employees to handle citizens' personal data with more care. The data in question was password protected, but sent through an unsecured courier service.
He said: "Government must ensure information security is indoctrinated as a shared responsibility for all employees. This information was lost by people who most likely did not understand the enormity of the risk that was being taken."
As far as government policy over the handling of citizens' information goes, this breach is a pretty damning indictment of the proposed ID card scheme. Protest group NO2ID has not been slow in jumping on the issue.
National NO2ID coordinator Phil Booth said: "This data disaster shows up the madness behind the government's ID schemes. People had no choice about giving up that information. It makes the government the biggest identity thief of all."
Copyright © 2008 CBS Interactive Limited. All rights reserved.