HMRC data management beggars belief
Newly released documents clarify several hitherto open questions concerning the HMRC loss of the Child Benefit database, and the picture that emerges is not pretty. Email correspondence just released by the UK National Audit Office (NAO) strongly suggests that the data were stored as a matter of routine in the form of password-protected ZIP files, which are notorious for being easy to crack. Furthermore, the reason given by HMRC for not filtering out information the NAO specifically asked to be removed, such as parents' names, addresses and banking details, was explicitly stated to be a matter of "cost to the department": a cost estimated by various sources as a mere 5,000 UK pounds. The NAO wanted only the names, National Insurance numbers and Child Benefit numbers of the children. Had all other information been excluded as requested, the resulting data would be far less useful for fraud or other nefarious purposes even were it to fall into the wrong hands.
An analysis by Techworld suggests that at least eight people at HMRC were aware of this data transfer, one of them at Assistant Director level "with the title Process Owner for Child Benefit". So this was no one-off unauthorised act by a junior staff member, as previously suggested by government sources. Indeed, according to Shawn Williams, a solicitor who handles benefit fraud cases for HMRC, it is commonplace. Commenting in the Independent, he said, "Sometimes there is no security at all, sometimes there are instructions telling you how to access the data, sometimes the password is just written on a compliments slip and included with the disc."
It is inevitable in such a lax regime that data will go astray, and indeed several sources today report that, despite the attention this debacle has attracted, two more disks have been lost by the same agency only this week. We can only hope that the extended powers recently proposed by the Information Commissioner are granted and have sufficient bite to eliminate this endemic problem in the management of personal data by government agencies.
- UK tax head resigns over lost personal data, heise Security news
- The HMRC data loss - the real implications, heise Security comment
- Capitalising on the HMRC data loss, heise Security news
- UK Information Commissioner seeks extended legal powers, heise Security news