HMRC loses confidential details of 25 million benefit recipients

Becky Hogge, 20 November 2007

The confidential details of 25 million (originally reported as 15 million) child benefit claimants are reported to have been lost by HM Revenue and Customs. The BBC is reporting that HMRC's chairman, Paul Gray, has resigned.

BBC political editor Nick Robinson said he understood ministers had been aware of the problem for nine to 10 days.

Here in the ORG offices we are watching the Chancellor, Alistair Darling, make a statement on the matter to the House of Commons.


Update: The Chancellor has now made his statement to the House of Commons. It appears that the BBC under-reported the number of people affected by this loss. Darling announced that a "password-protected" CD sent by unrecorded delivery contained details of 25 million individuals. That's just under half the population of the UK.

Details contained on the CD include:

Darling used his statement to reassure citizens that banks had been informed and were taking measures to protect their accounts. The accounts of those whose details were lost had been flagged, said Darling, and were being monitored for irregular activity. He assured UK citizens that any innocent victim of fraud would be protected under the banking code.

According to Darling, the Information Commissioner will be investigating the data protection breaches that were presumably key in leading to this blunder.

Comment

Reply #11 on : Tue November 20, 2007, 17:08:50
Make that 25 million :s

Reply #10 on : Tue November 20, 2007, 18:33:25
I can't quite get my head around this yet, there are so many sides to this story, not least of which is how exactly does 'a junior official within HMRC' get full unrestricted access to this database?

Aren't we always told this kind of access is extremely restricted to protect people's privacy, and that systems are heavily monitored to stop stalking of celebrities through their government records?

Shouldn't some internal data security alarms have been ringing the moment the member of staff did the data extract, long before it was actually shipped out (twice) and finally reported as missing?

Reply #9 on : Tue November 20, 2007, 19:08:37
As I understand it the official got their hands on the encrypted tapes - not the database. There is a process problem here that's not been fully explained. If you check the BBC website, they've been giving this a lot of comment space. Last count - 1585 comments - guess how many unhappy citizens?

Reply #8 on : Tue November 20, 2007, 19:31:34
Hi Dennis, while I very much hope that you are right, there's nothing in Alistair Darling's speech that refers to encryption, just 'password protected', which let's face it is another thing altogether; zip files and Excel files can be password protected but no one should trust them for 25 million people's details.

And the second reason I doubt it's just the tapes and not the full database extract is that they were sending the copy to the national audit office, who wouldn't (I presume) have the decryption key for normal backups of the database, instead there would have to be one created especially for them.

Reply #7 on : Wed November 21, 2007, 10:02:48
Check out Open Rights Group Advisory Council member Dr Ian Brown on Newsnight last night: http://news.bbc.co.uk/1/hi/programmes/newsnight/default.stm (starts 11 minutes into the programme).
Tom

Reply #6 on : Wed November 21, 2007, 12:21:13
Looking at the coverage in the Guardian this morning, they cover the password vs. encrypted issue, and state they understood that the database was only protected with a password, crackable in minutes by an expert.

Crazy to think that the records for 25 million people will fit on two CDs - I have an 8GB pen-drive, and could probably therefore steal not only the current database, but some archive versions too.

Reply #5 on : Wed November 21, 2007, 14:31:33
If it really is all those details for 25 million people on two CDs, that only leaves < 60 bytes per person. It really needs to be compressed, so could it be a password protected zipfile?

How about a FOI request asking how many of the 100,000 HMRC employees have this level of database access? If it's many, never mind the loss of these CDs: it would only take one crooked worker to take a copy.

Reply #4 on : Thu January 03, 2008, 13:26:39
[...] The House of Commons Justice Committee has today released a report into the protection of public data. The report is a good summary of the state of play and, in particular, of developments since the Chancellor announced to Parliament in November last year that HMRC had lost confidential records affecting 25 million UK citizens. [...]

Reply #3 on : Fri February 15, 2008, 18:34:31
[...] the government mailed half the nation’s bank details to the darknet at the end of last year, it looked like 2008 was going to be the year privacy issues hit the [...]

Reply #2 on : Wed December 17, 2008, 15:49:05
[...] all the time. But these institutions don’t always keep that data safe. In fact, since HMRC lost its entire database of child benefit claimants last year, high profile data losses have hit the headlines with worrying regularity. But how does this affect [...]

Reply #1 on : Fri December 19, 2008, 10:45:03
[...] all the time. But these institutions don’t always keep that data safe. In fact, since HMRC lost its entire database of child benefit claimants last year, high profile data losses have hit the headlines with worrying regularity. But how does this affect [...]
