The UK government’s loss of two disks containing social security and bank details of a whopping 25 million British citizens emerged on Tuesday, and has already seen one very senior head roll – that of Paul Gray, chairman of the UK’s tax organization, Her Majesty’s Revenue and Customs.
Gray’s resignation was announced on Tuesday, but was not enough to contain the fallout from the data loss, which has escalated up to the prime minister.
“I profoundly regret and apologize for the inconvenience and worries that have been caused to millions of families who receive child benefits,” Brown said in the UK House of Commons on Wednesday.
The PM was responding to fierce criticism from the opposition Conservative party, which is making the most of the issue that it says has compromised every family in the land. Opening up the possibility of another resignation, the Conservative party has extended its attack to Alastair Darling, UK chancellor.
Darling has denied that the data loss was caused by the UK government’s decision to merge its revenue and customs organizations, so causing staff cuts.
The disks were lost in October, when they were sent by a courier company from an HMRC office to another UK government agency. They contained the agency’s entire child benefit records, including the names, addresses, dates of birth and bank account details of 7 million families and 25 million individuals.
In terms of numbers, the loss is not as large as others. Two years ago US credit card payment processor CardServices was forced to admit to the loss of up to 40 million credit card records, when hackers broke into its systems.
But security experts have said that bank account details are far more useful to criminals than credit card numbers. Curtis W Preston, vice president consultant at storage consultancy Glasshouse Technologies, said that the loss also sets a world record in another way.
“It’s a record for data loss via removable media. The previous biggest one was when CitiGroup lost tapes containing 4m records,” Preston said.
Preston described the act of sending data on a password-only protected disk as “unforgivably stupid.”
“I can’t say strongly enough just how incredibly dumb it is to do this. Password protected? That’s really easy for any hacker to crack. And on a CD that is readable by everybody on the planet. At least with a backup tape the hacker has to get an LTO tape drive,” he said.
“Putting it in that format and sending it via common carrier? Give me a break. Maybe ten years ago or even five years ago that would have been forgivable, but not nowadays,” he said.
UK chancellor Alastair Darling said that there were policies in place at HMRC to prevent such moves, but that they appear to have been breached.
When the disks failed to show up at their intended destination, a second pair was sent, this time via registered post. They at least reached their destination. It was not until two weeks later that senior management in the HMRC were informed of the loss.
In September HMRC lost records of around 15,000 people that had been sent to a UK mortgage company. In the same month, a laptop containing tax details of around 400 individuals was stolen.
The BBC has reported that one Scottish family saw around $6,000 withdrawn from its bank account in November, by an individual who used child benefit details to persuade the bank that they were the account owner. At the time, the bank could offer no explanation of how that had happened.
Preston said: “If a criminal gets your bank details, they can use it to steal your identity, which is one of the worst crimes of fraud to suffer. It’s hard to detect, and when trouble happens you’re not assumed to be innocent. It’s the other way around – you’ve got to prove your innocence.”
Our View
The potential for pain suffered by an organization after a data loss is illustrated by the fact that this event has given the UK government’s opponents ammunition on entirely different fronts, such as a proposed national identity card, and an existing project to create a National Health IT records system.
The loss also suggests that, because no amount of policy or guidelines can ultimately prevent staff from making blunders, security needs to be embodied in the systems and media themselves rather than left to procedure.