Comments on: HMRC loses confidential details of 15 25 million benefit recipients

By: The Open Rights Group : Blog Archive » Copyright commotions 101: Free event at LSE next month

Fri, 15 Feb 2008 17:34:31 +0000

[...] the government mailed half the nation’s bank details to the darknet at the end of last year, it looked like 2008 was going to be the year privacy issues hit the [...]

By: The Open Rights Group : Blog Archive » MPs call for tougher data protection regime

Thu, 03 Jan 2008 12:26:39 +0000

[...] The House of Commons Justice Committee has today released a report into the protection of public data. The report is a good summary of the state of play and, in particular, of developments since the Chancellor announced to Parliament in Novemeber last year that HMRC had lost confidential records affecting 25 million UK citizens. [...]

By: Jonathan

Jonathan — Wed, 21 Nov 2007 13:31:33 +0000

If it really is all those details for 25 million people on two CDs, that only leaves < 60 bytes per person. It really needs to be compressed, so could it be a password protected zipfile?

How about a FOI request asking how many of the 100,000 HMRC employees have this level of database access? If it’s many, never mind the loss of these CDs: it would only take one crooked worker to take a copy.

By: Tom

Tom — Wed, 21 Nov 2007 11:21:13 +0000

Looking at the coverage in the Guardian this morning, they cover the password vs. encrypted issue, and state they understood that the database was only protected with a password, crackable in minutes by an expert.

Crazy to think that the records for 25 million people will fit on two CDs - I have an 8GB pen-drive, and could probably therefore steal not only the current database, but some archive versions too.

By: Becky

Becky — Wed, 21 Nov 2007 09:02:48 +0000

Check out Open Rights Group Advisory Council member Dr Ian Brown on Newsnight last night: http://news.bbc.co.uk/1/hi/programmes/newsnight/default.stm (starts 11 minutes into the programme).

By: Ewan

Ewan — Tue, 20 Nov 2007 18:31:34 +0000

Hi Dennis, while I very much hope that you are right, there’s nothing in Alistair Darling’s speech that refers to encryption, just ‘password protected’, which lets face it is another thing altogether, zip files and excel files can be password protected but noone should trust them for 25 million people’s details.

And the second reason I doubt it’s just the tapes and not the full database extract is that they were sending the copy to the national audit office, who wouldn’t (I presume) have the decryption key for normal backups of the database, instead there would have to be one created especially for them.

By: Dennis Howlett

Dennis Howlett — Tue, 20 Nov 2007 18:08:37 +0000

As I understand it the official got their hands on the encrypted tapes - not the database. There is a process problem here that’s not been fully explained. If you check the BBC website, they’ve been giving this a lot of comment space. Last count - 1585 comments - guess how many unhappy citizens?

By: Ewan

Ewan — Tue, 20 Nov 2007 17:33:25 +0000

I can’t quite get my head around this yet, there’s so many sides to this story, not least of which is how exactly does ‘a junior official within HRMC’ get full unrestricted access to this database?

Aren’t we always told this kind of access is extremely restricted to protect peoples privacy, and that systems are heavily monitored to stop stalking of celebrities through their government records?

Shouldn’t some internal data security alarms have been ringing the moment the member of staff did the data extract, long before it was actually shipped out (twice) and finally reported as missing?

By: John Drinkwater

John Drinkwater — Tue, 20 Nov 2007 16:08:50 +0000

Make that 25 million :s