News Archive

Data Loss Shock

by msecadm4921

Millions of people have had personal data mislaid by the Government in what the Chancellor Alistair Darling has described as ‘as an extremely serious failure by HMRC’.

Missing are sort code and bank account details, national insurance numbers, dates of birth, names and address details of all families in receipt of child benefit, and the names and dates of birth of those children for whom child benefit is payable. <br><br>The Chancellor told the House of Commons on November 20, to audible gasps from MPs: "In March of this year it appears that a junior official within HMRC {Revenue and Customs] provided the National Audit Office with a full copy of HMRC’s data in relation to the payment of child benefit.<br><br>"In doing so it is clear that the strict rules governing HMRC standing procedures were not followed. These procedures relate to the security and access to data as well as its transit to ensure that data is properly protected. This information should not have been handed over by HMRC in the way that it was. However, I understand that in this case the NAO subsequently returned all the information it received in March to HMRC after auditing it.<br><br>"It now appears that following a further request from the NAO in October for information from the Child Benefit database, and again at a junior level and again contrary to all HMRC standing procedures, two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s post system operated by the courier TNT. The package was not recorded or registered … it appears the data has failed to reach the addressee in the NAO.<br><br>He went on that on finding that the package had not arrived at the NAO, a further copy of this data was sent, this time by registered post, and which did arrive at the NAO. <br><br>"However, again HMRC should never have let this happen. Although it is believed the data was sent from HMRC to the NAO on 18 October, the fact it did not arrive it was not reported to HMRC’s senior management until 8 November, nearly three weeks later. I was informed on Saturday 10 November and immediately instructed that comprehensive searches be carried out of all premises where the missing data might be found. These searches are continuing."<br><br>Mr Darling added that it is highly likely that there have been breaches in the Data Protection Act. The Information Commissioner, Richard Thomas, will investigate. He too told Radio 4’s Today programme on November 21 that it was almost certaion that there had been a breach of the DPA, and described it as a ‘shocking’ case. Mr Thomas went on to stress that other data breaches have been done by retailers, banks and other government departments, and repeated his call for the power to inspect data processes, without the consent of an organisation. As it is the Office of the Information Commissioner needs permission to inspect. <br><br>Apology<br><br>On the HM Customs and Revenue website, the government department apologies. A statement says: "As is usual in these circumstances, if you are the innocent victim of banking fraud you will not have to pay, but you may want to take some precautionary steps to protect yourself. If you receive bills, invoices or receipts or see entries in your statements for goods or services which you have not ordered you should contact your bank or building society immediately. In addition, do not give out personal or account details if anyone contacts you unexpectedly. Instead take a note of their name and number, and if you are at all suspicious contact your bank or building society. If your password uses any of your personal data, for example your child’s name or date of birth, you may also wish to consider changing any passwords you use." <br><br>Meanwhile the bank payments association APACS advised that if you are concerned about the potential HMRC data compromise telephone the HMRC dedicated Child Benefit Helpline on 0845 302 1444.<br><br>While there is no evidence that the lost data has fallen into criminal hands APAC produced customer advice, containing questions and answers, and tips on spotting and stopping identity theft.<br><br>Paul Smee, APACS Chief Executive said: “Whilst this incident is extremely serious, at this stage customers should not be unduly concerned, as there’s no evidence that the data has fallen into criminal hands. As part of its usual procedures the banking industry has done all it can to protect its customers accounts and will continue to do so. In the event that anyone is the innocent victim of fraud as a result of this incident customers can have peace of mind that they enjoy protection under the Banking Code which means that you should not suffer any financial loss as a result. <br><br>“There is no need for customers to ask for a new account or to contact their bank or building society. There is no evidence of an increase in suspicious activity on those customers’ accounts since the data was mislaid on 18th October. We are confident that every action has been taken by HMRC and the banking industry to minimise the risk of any fraud.”<br><br>Comments<br><br>Among the comments so far, Professional Security Magazine columnist Ken Rogers said: &quot;In the pharmaceutical industry all drugs were delivered by a vetted member of staff or by a well checked out courier. Government needs a shake up on so many security issues by a practical security consultant who has a proven record."

Businesses should be learning lessons about the importance of protecting confidential information, says the British Security Industry Association.

"Compliance with the Data Protection Act is imperative for every business," says BSIA Information Destruction Section Chairman, Anthony Pearlgood. "By contravening the requirements of the Act and not sufficiently protecting confidential information, businesses run the risk of prosecution by the Office of the Information Commissioner."

He added: "Ensuring that confidential information is disposed of responsibly is an essential part of compliance with the data protection legislation. The BSIA has produced a Security Waste Audit which will help businesses assess whether their confidential waste is being disposed of securely. The Association advises engaging the services of a BSIA information destruction company to shred all confidential material. By making sure that you have stringent confidential waste disposal procedures in place, you will protect not only your business, but also your customers and suppliers from the risk of identity fraud."

From Chris Mayers, chief security architect at IT security firm Citrix: “Despite early assurances from the government that this data won’t have fallen into the wrong hands, that may owe more to good luck than judgment. It sounds like a fundamental failure of proper data protection planning that such a large volume of sensitive data would ever be moved in any format without the strictest digital and physical security in place. <br><br>“But why did this information even need to be transported at all? In these days of secure remote access there is rarely any need for data to be written onto a CD and transported anywhere.<br><br>“All organisations handling sensitive data need to realise there is nothing more important than their responsibility to keep that data secure. That means ensuring data is properly encrypted, and travels only when necessary: not on ordinary CDs, print-outs, or even on laptops – all of which appear to go missing with appalling regularity. <br> <br>&quot;It’s not enough to react to loss of data. Organisations need to have robust security at all times.&quot; <br><br>For what some of the papers say: The Scotsman<br><br>http://news.scotsman.com/index.cfm?id=1831812007<br><br>In The Guardian, the affair is termed Discgate:<br><br>http://www.guardian.co.uk/commentisfree/story/0,,2214432,00.html<br><br>For more from APACS, visit http://www.apacs.org.uk&amp;lt;br&amp;gt;&amp;lt;br&amp;gt;And for the Chancellor’s statement in full:

Related News

  • News Archive

    Fraud Unit

    by msecadm4921

    A specialist police unit dedicated to combating insurance fraud is to be set-up through a police-private sector partnership. Funded by the insurance…

  • News Archive

    SIA Review Digested

    by msecadm4921

    Below, a digest of the 44-page Security Industry Authority: A Hampton Implementation Review Report, from the Better Regulation Executive. The report points…

  • News Archive

    Access Without PC

    by msecadm4921

    New from Honeywell, the PW-6000 Intelligent Controller, a hardware architecture capable of providing access control solutions for large enterprises. Designed to operate…

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing