NEWS
A lost compact disc containing the personal pension details of 15,000 people was not encrypted.
The CD was lost in transit between Her Majesty's Revenue and Customs Service (HMRC) and financial services company Standard Life, and was unencrypted, HMRC revealed on Monday.
An HMRC statement said: "HMRC take the security of customer information very seriously. The data, which contained the records of around 15,000 people, was lost in transit by HMRC's external courier."
"Customers have been written to and precautionary measures have been put in place to check customers' records for any fraudulent activity. We have also reviewed our arrangements and introduced safeguards to prevent this happening in future."
One form of pension payment is an Age Related Rebate (ARR). Funds are paid into the accounts of individuals' pension providers by HMRC electronically, depending on the level of the National Insurance contributions people have made. The pension details of the individuals are then sent separately to pension providers, to enable their records to be updated.
In this instance, the pension details of 15,000 Standard Life customers were sent to the pension provider by HMRC via an unnamed third-party courier at the end of September. However, the courier lost the disc, which was not encrypted, an HMRC spokesperson told silicon.com sister publication ZDNet.co.uk.
"HMRC very much regrets that this has happened and are committed to working with the institutions to ensure that those customers affected receive the advice and support they require," said the HMRC statement. "We have asked customers to remain vigilant and have set up a number of dedicated HMRC telephone hotlines."
The data contained on the disc included the surnames and initials of the individuals, as well as their National Insurance numbers, dates of birth and pension plan numbers. That the disc was not encrypted means the details can be read more easily.
Tom Espiner writes for ZDNet.co.uk
Comments
1. Dave Brown
<Deep sigh> - and these are the people who reckon they can securely manage our ID card system (for those of us who agree to take them of course)!
Cowboys!
2. Graham Coles
Could we please have a mandatory fine or jail sentence for anyone using the phrase:
' ... take the security of customer information very seriously ...'
when describing how they've just compromised a large amount of unencrypted personal data.
I'm sorry, but this PR crap is really just getting a bit much. If HMRC had actually taken security of their information seriously it would have been encrypted. No excuses, no spin, it would have been done!
How much effort could it possibly take to use a truecrypt volume or gpg to encrypt the file? Clearly far too much for a government organization that 'takes security really seriously'.
At last they are finally being exposed. The next time that I hear some halfwitted government minister saying how seriously they will protect data used in their shambles of an ID card project, I'll know exactly what they mean. Something between the amount of care they take by not encrypting personal pension data at all and encrypting details on a wireless passport that also contains the key in plaintext.
If only consumer law applied to governments, we could send this one back for a refund ... it clearly doesn't work properly.
3. Christopher Hubbard
And the government expect us to have confidence in the new ID cards, where even more information will be available in one place?!
But do they ever listen to public opinion?!
4. anonymous
Was the last sentence [" That the disc was not encrypted means the details can be read more easily."] intended for those of us who failed GCSE?