This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://www.silicon.com/research/specialreports/digitaldefences/0,3800014341,39169247,00.htm
HMRC data blunder to sink ID cards?
Best of Reader Comments: Oops, butterfingers...
By Natasha Lomas
Published: Thursday 22 November 2007
The news that two CDs containing the confidential personal details of 25 million child benefit recipients have been lost by HM Revenue & Customs (HMRC) has caused outrage and disbelief among silicon.com readers, many of whom believe it has serious implications for the government's ID cards scheme.
The CDs contain the names, addresses, dates of birth and National Insurance numbers of the entire HMRC child benefit database, which also includes the bank account details of more than seven million parents, guardians and carers.
They were posted by a junior HMRC official through its internal mail provider TNT to the National Audit Office (NAO) on 18 October. However, the discs failed to arrive and their whereabouts remain unknown.
The loss of the data was not made public until weeks after the discs went astray.
An anonymous silicon.com reader from Hove said the episode involves "procedural and supervision failures" both at HMRC and the NAO, adding: "How could auditors have thought it acceptable to be sent the entire database (with only password protection) by (outsourced) internal mail? Who audits the auditors?"
This point was echoed by another reader - consultant David Leslie, from Edinburgh - who wrote: "As I understand it, excessive personal data was being transferred - NAO was only asking for NI numbers, but they were being given the lot. To me, that smacks of a systematic disregard of Data Protection principles and thus the law."
Another reader, ex-RAF cryptographer Paul Howard, said the government's delay in making the data loss public underlines the need for the UK to adopt Californian-style data breach legislation "to ensure the loss of personal records are notified within the shortest possible time".
silicon.com is campaigning for the UK government to pass legislation that would force organisations to disclose when a breach of their systems has put user data at risk.
On the issue of data access, many readers were shocked and angry that a junior official could apparently waltz in, gain access to and download so much sensitive data unchallenged. And others questioned why the database lacked access controls.
There was also shock that the post was used to transfer the data, rather than a secure digital method of file transfer. "So much for broadband Britain!" wrote an anonymous IT contractor from Richmond. "Some government numpty must have made a policy decision that posting unencrypted CDs in a jiffy bag was safer, faster and cheaper than dropping them onto a secure FTP. I despair."
Software developer Anthony Hunt, from Maidstone, added: "Heads should roll and policy should change. Send CDs in the post? In the 21st century?"
The implications of the government's butterfingers approach to data for its ID cards projects did not pass without comment. A reader from London wrote: "A good thing to come out of this is that the ID card is dead in the water."
An anonymous reader from Buckinghamshire added: "If we ever wanted a reason for civil disobedience if they try to bring the ID cards scheme in, this is it. How useless at IT do they have to prove themselves [to be] before we say no more?"
And Robert Wingfield, from London, called it "another example of the hopeless mismanagement and lack of respect and consideration for the population by our government".
Copyright © 2008 CBS Interactive Limited. All rights reserved.