Inland Revenue Data Loss
The personal and bank details of 25 million people - almost every child in the country as well as their parents and carers - have been lost by HM Revenue & Customs, the Government admitted today.
Names, addresses, dates of birth, employment and bank details all went missing when two CDs containing the information were mislaid.
What we know so far is that a junior member in the HMRC downloaded the data, put it on CDs (password protected) and sent it through the internal post to the NAO.
First, what the heck are HMRC doing sending CDs in the first place? Secure FTP has been around for a decade. It’s out there, proven, secure, fast and cheap. You can send from any machine to any other.
Second, what is a “junior member” doing with such privileged rights? Everyone knows that no security is perfect, so you limit your most highly privileged operations to a small group. That means that such transfers should involve senior staff.
Third, password protecting data on a CD is about as useful as a chocolate fireguard. If you have the physical data visible and unencrypted, you can open it.
Fourth, sending data through the post is a really bad idea. It’s just not very reliable.
If any of those things had been done, the likelihood is that this mess would not have arisen. Secure FTP would have solved it for certain. A senior member of staff would have known how to handle it better. Had the CDs been encrypted (and the key sent separately), they would have been coasters. Had it gone by motorcycle, it would have had a far better chance of arriving.
It’s data management by Fred Karno’s army. For something like the Inland Revenue, there should be an information security department whose job it is to guard data. To make sure that only the right people get it. That only a small number of people get the highly sensitive data. That any processes that have sensitive data coming in or going out are known and have adequate controls. It seems to me (especially when you count the Standard Life loss of 2 weeks ago) that this is more than freakish bad luck.
This is the same government that wants us to have ID cards to protect us all from identity fraud, and thinks we should have our medical history on a central computer system.