Sorry, Darling, it's not good enough
So… Her Majesty's Revenue and Customs (HMRC) have managed to lose two discs that contained the personal details of all families in the UK with a child under the age of 16. An accident waiting to happen, one might say! This data included name, address and date-of-birth information. It also included National Insurance (NI) numbers (akin to South Africa's ID numbers) and, let us not forget, the little matter of personal bank details. Up to around 25 million people are now potential identity fraud victims. However, according to the UK's Chancellor, Alistair Darling, we should not get too concerned, as there is no evidence that the data has gone to criminals. Well, thank heavens for small mercies, and three cheers for the government for reassuring us all, say I!
The Chancellor also went on to state that the missing data in itself was not enough for miscreants to access other people's bank accounts, as passwords and other information would be needed, but admitted there was an "increased risk" and said people should keep an eye on their accounts and not give out personal details requested unexpectedly by phone. Strictly speaking, all that Mr. Darling says may be true, but what he has conveniently chosen to overlook is the fact that identity fraud has already been committed successfully using far fewer details, stolen from other organisations, than HMRC has potentially exposed here.
Scandalous
The need to address data loss was already a high-profile issue prior to yesterday's announcement from the government that child benefit records had been lost on their way between HMRC offices and the National Audit Office (NAO). To have your systems breached by hacker attacks, or information stolen because of other malicious activity, is one thing; to put yourself in the position where you simply give away sensitive data is scandalous. The head of HMRC has fallen on his sword and resigned, the Chancellor Alistair Darling is under pressure as the Minister responsible, and the Prime Minister Gordon Brown, who until a few months ago was Chancellor himself, looked very uncomfortable indeed yesterday evening.
Nevertheless, this should not be about individual personalities, although I am sure that opposition politicians will inevitably take the opportunity to make the situation very personal, especially when you consider that the Prime Minister, in his former role, put in place most of the rules and regulations that HMRC currently operate under. It is really about the competence of government technology, its supporting systems, and the procedures that are put in place to ensure that individual employees know what they should and should not do with sensitive information.
Alistair Darling should not for one second believe that he or his government colleagues can get away with blaming junior members of the revenue service for a breach of procedures when the fundamental controls for dealing with sensitive information appear not to have been in place. The Chancellor is reported to have said that the lost discs were password protected. That is nowhere near good enough protection for highly sensitive personal information: a password on a disc or archive does nothing to stop anyone who holds the physical media from reading the data at leisure.
Not even a basic audit trail
The data does not appear to have been encrypted, which it clearly should have been, and the package itself was not recorded, so there is not even a basic audit trail: nobody can say with confidence who sent it, when, or what exactly was on it. Then, having accepted that the original set of data had been lost because of the wholly unacceptable methods used, a further package was sent out, this time by recorded post. Now stop me if I am getting ahead of myself here, but this was data that had been requested by the NAO, a body that itself bears some responsibility for security matters.
Everyone who is serious about information security knows that sensitive personal and financial data must be handled correctly. If it is being moved between different sites it must be delivered over secure channels. Even at a basic level, passwords are not considered secure protection. Finally, all sensitive and financial data should be held in encrypted form, with the key kept separate from the data and never travelling with it. HMRC, and the UK government as their masters, score zero out of three on this specific incident and, given their recent wholesale rejection of House of Lords proposals on IT security, they do not appear to have anything sensible to say on information security matters.
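To make the "basic audit trail" point concrete, the following is an added example written for this page; it is not code from the original article, from HMRC or from the NAO. It shows the minimum a sender should record before a data package leaves the building (who sent what, to whom, when, and a digest of the exact bytes), bound under an HMAC so the record cannot be quietly altered, and the matching check the recipient runs on arrival. The party names, the shared key and the sample payload are all constructed for illustration. It covers only the integrity and audit-trail controls; confidentiality (encrypting the payload itself, with a key sent separately) is a distinct control and is not shown.

```python
# Added example (not from the original article, HMRC or the NAO): a minimal
# chain-of-custody record for a data package. Names, the shared key and the
# sample payload are constructed for illustration. Encrypting the payload
# itself is a separate control and is not shown here.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample standing in for the child-benefit extract. In real use
# this would already be ciphertext, produced with a key sent by another route.
SAMPLE_PAYLOAD = (b"name,address,dob,ni_number,sort_code,account\n"
                  b"A. Example,1 High St,1999-01-01,QQ123456C,00-00-00,00000000\n")

# Constructed shared key agreed out of band between sender and recipient;
# a real deployment would use a per-transfer key from a key-management system.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(record: dict) -> bytes:
    """Serialise deterministically so both sides authenticate the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_dispatch_record(payload: bytes, sender: str, recipient: str,
                         key: bytes, dispatched_at: Optional[str] = None) -> dict:
    """Record the sender logs before the package leaves: who, to whom, when,
    how many bytes, and a SHA-256 digest of exactly those bytes, all under
    an HMAC so no field can be altered after the fact."""
    record = {
        "sender": sender,
        "recipient": recipient,
        "dispatched_at": dispatched_at or datetime.now(timezone.utc).isoformat(),
        "size_bytes": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    record["hmac"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_receipt(payload: bytes, record: dict, key: bytes) -> Tuple[bool, str]:
    """Recipient-side check: the record is genuine and the bytes match it."""
    unsigned = {k: v for k, v in record.items() if k != "hmac"}
    expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest(expected, record.get("hmac", "")):
        return False, "dispatch record failed authentication"
    if (len(payload) != record["size_bytes"]
            or hashlib.sha256(payload).hexdigest() != record["sha256"]):
        return False, "payload does not match dispatch record"
    return True, "ok"


def log_receipt(audit_log: list, record: dict, result: Tuple[bool, str],
                received_at: Optional[str] = None) -> list:
    """Append the recipient's entry; with the dispatch record this is the trail."""
    audit_log.append({
        "event": "received" if result[0] else "rejected",
        "sender": record["sender"],
        "recipient": record["recipient"],
        "sha256": record["sha256"],
        "received_at": received_at or datetime.now(timezone.utc).isoformat(),
        "detail": result[1],
    })
    return audit_log


if __name__ == "__main__":
    rec = make_dispatch_record(SAMPLE_PAYLOAD, "HMRC", "NAO", SHARED_KEY)
    print(verify_receipt(SAMPLE_PAYLOAD, rec, SHARED_KEY))
    print(verify_receipt(SAMPLE_PAYLOAD + b"x", rec, SHARED_KEY))
    print(log_receipt([], rec, verify_receipt(SAMPLE_PAYLOAD, rec, SHARED_KEY)))
```

The dispatch record is what was missing in the HMRC case: had one been written and kept, the question "what exactly was on those discs?" would have had a precise answer, and a package that turned up later could be checked against it byte for byte. The HMAC only proves that the record and the bytes belong together; it does nothing to keep the contents secret, which is why the payload must be encrypted before any of this applies.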
Andrew Kellett is Senior Research Analyst at Butler Group. He has worked to promote the delivery of research on operational and business systems, and currently takes responsibility for all aspects of IT security.