I suspect the loss of 25 million child benefit records by HM Government in the United Kingdom will have considerable, long-term ramifications.
I understand that the compromised data represents the details of all the recipients of Child Benefit in the United Kingdom and includes names, addresses, dates of birth, national insurance numbers and, in many cases, the banking details of the parents or guardians involved.
According to a BBC news report, HM Revenue & Customs (HMRC) sent a couple of CDs with this highly sensitive data to the National Audit Office on 18th October 2007, but didn’t discover the information was missing until 24th October 2007. Apparently, the CDs were sent by internal mail without being registered or recorded in any way. It was clearly an accident waiting to happen.
Worse still, when they didn’t turn up, it seems from the statement made to the House of Commons by the Chancellor of the Exchequer, Alistair Darling MP, that a further copy was sent by recorded delivery, which apparently he believes should not have happened either!
It needs a moment or two just to reflect on the enormity of what was done here, not once, but twice. Sensitive details of just under half the UK population were sent by internal post between two offices with little consideration for its security. It seems the first reaction of those who discovered that the data hadn't arrived was to resend it, not to ask what had happened to it!
Furthermore, it seems that Mr Darling knew of the security breach on 10th November 2007, but did not instruct HMRC to inform the police for four days. Exhaustive searches have not found the missing CDs, although by their very nature, no comfort can be drawn from their recovery. They could easily have been copied at any time in transit, let alone after they had been lost. The data has been compromised!
The astounding reality is that just under half the nation’s personal and banking details have been compromised by employees of the government.
The BBC’s summary of Mr Darling’s statement suggests: "The missing information contains details of 25m individuals, 7.25m families - including children’s names, addresses, dates of birth, NI numbers and where relevant bank and building society account details.”
I believe that this amounts to the biggest loss of personal data in the United Kingdom to date and by far the most serious.
The Treasury seems to be blaming junior staff at HM Revenue & Customs, but I am extremely surprised to learn that junior staff have access to the banking details of pretty much every parent with a child under the age of sixteen in the United Kingdom. It seems that there are some exceptionally lax mechanisms for handling sensitive data at HMRC, who are still reeling from two earlier security breaches, including the loss of a laptop holding sensitive data.
The Information Commissioner, Richard Thomas, has apparently remarked that: “This is an extremely serious and disturbing security breach.”
Mr Darling suggests in his statement that the junior employees had breached internal rules for data security, but what I find incredible is that this seems to be routine. For instance, Paul Lewis of the BBC Radio 4 Programme Money Box reported on 3rd November 2007 that 15,000 Standard Life customers' details had been lost in very similar circumstances. Mr Lewis' article states:-
"A month ago a CD containing the names, national insurance numbers, dates of birth and pension plan numbers of nearly 15,000 Standard Life customers was lost by a courier taking it from the Revenue national insurance contributions office in Newcastle to the insurer's headquarters in Edinburgh."
According to Alistair Darling’s statement (as reported by the BBC) on the most recent data loss: “Two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO.”
The simple phrase “password protected” really worries me. I would have been much happier had he said “securely encrypted”. The difference is immense.
My immediate reaction is, given the manner in which the data was sent in the first place, just how secure were those passwords? I have horrible images of Microsoft Excel spreadsheet files being locked with a flimsy password known to at least the sender and the recipient. Tools to unlock Excel files proliferate on the Internet and are readily available to anyone who cares to look for them using Google. (It is important to note that the exact file format and security mechanism used in this case does not appear to be public at present.)
The current media focus seems to be on the “banking details”, but I am worried about how this data could be used both now and in the future to compromise all sorts of information. For instance, a large number of people use their date of birth as the basis for their passwords and many organisations use date of birth questions as part of their online security.
If this data becomes widely available on the black market, then 25 million people (statistically more or less every other British reader of this article) may find their data being used fraudulently, possibly to compromise the likes of their ebay account, their email account, their online utility bill facilities, even their MySpace account.
My advice to anyone that uses any of the compromised data as the basis for their passwords is to change them immediately. If it has fallen into the wrong hands, they have probably had it for more than a month...
I certainly agree with Avivah Litan of the Gartner Group who is quoted by the BBC as saying: “The data lost - bank account numbers, names and addresses - represents a gold mine for the thieves and is much more valuable to them than credit card numbers or taxpayer id numbers.” She went on to suggest that “In fact, in the black market, bank account numbers sell for the highest price, or between $30 and $400 (£15 to £200), which is significantly more than the fifty cents to five dollars that criminals pay for credit cards.”
These disks, which are still missing, are clearly worth a fortune. If Avivah Litan is right then they have a black market value of at least £108M. If these disks fall into the wrong hands then it seems reasonable to expect considerable identity theft and fraud to follow for a long time to come. Certainly, there is sufficient detail in these files to seriously compromise the identity of many children in the United Kingdom for a very long time to come.
I can’t imagine that the UK population will feel too enamoured about identity cards and the national identity database when HM Government is currently sending their identity backwards and forwards en-masse on poorly protected CDs. There must be questions raised about how secure people’s personal data is throughout government.
The BBC has already reported that Douglas Thomson and his wife believe that £2,800 was removed from their Alliance & Leicester account using this data on 5th November 2007. According to Mr Thomson: “At the time, our bank was at a loss to explain how such detailed info was somehow available to someone else. At least we now know how.” It must be said that the Alliance & Leicester maintains that this incident is completely unrelated to the HMRC data loss.
The problem is that we all seem to have a problem assessing the importance of data. How many people have important data stored on their computers at home, which isn't backed up? How many students have lost their dissertations and essays to disk corruption, but had no backup? How many people lose mobile phones with the personal details of their friends in their address book? How many people send sensitive material by (intrinsically insecure) Internet email?
As I reflect on this issue, I realise I am not unduly surprised about this latest revelation. Many organisations, let alone people, are extremely cavalier with data. I think the problem is that data really doesn’t look very impressive when it is stored on a couple of CDs. The sheer magnitude of 25 million records doesn’t really hit home until its lost, stolen or printed out.
The Information Commissioner, Richard Thomas has said: "The alarm bells must now ring in every organisation about the risks of not protecting people's personal information properly."
Perhaps this incident is just the wake up call we all need.