Discgate
UK Government 'loses' records for 25 million individuals and 7.25 million families. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people.
A junior official put all the data on a CD and posted it. At the time, a senior civil servant was made aware of this. The data was not encrypted. Banks were not informed of the loss for six days. Our privacy is important and organisations which process our personal data have to show it respect.
What was lost
- 7.25 million claimants
- 15.5 million children, including some who no longer qualify but whose family is claiming for a younger child
- 2.25 million 'alternative payees' such as partners or carers
- 3,000 'appointees' who claim the benefit under court instructions
- 12,500 agents who claim the benefit on behalf of a third party
Time Line
- 02 October 2007: The National Audit Office [NAO] formally asks HM Revenue and Customs [HMRC] for files on child benefit claimants.
- 18 October 2007: HMRC sends the CDs by the courier TNT to the National Audit Office in London.
- 24 October 2007: HMRC is informed by the NAO that the package has not arrived. The junior HMRC official simply makes another copy of the data and sends it again through the post, this time registered, to the NAO.
- 25 October 2007: The NAO confirms receipt of the second set of discs. Its staff point out that the first set has still not arrived.
- 05 November 2007: HMRC confirms that the first set of CDs is still missing.
- 08 November 2007: Three weeks after they were lost, HMRC's senior management is informed of the fact that the CDs had gone missing. The NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. (The BBC claims they were told on 3 November.)
- 10 November 2007: Alistair Darling was then informed in the morning and the Prime Minister shortly after. HMRC with the cooperation of the NAO begins a search for the CDs at the offices of the audit office at Victoria. The NAO has no record of having received the first set of CDs.
- 14 November 2007: Alistair Darling instructs Paul Gray the HMRC chairman to call in the Metropolitan Police to conduct a full investigation. Darling said the delay in notifying the public about the security breach was on the advice of privacy watchdog the Information Commissioner, the Financial Services Authority and the Serious Organised Crime Agency, in order for HMRC and the banks to take remedial action before a public statement was made. (The banks dispute that they asked for the delay.)
- 15 November 2007: Richard Thomas, Information Commissioner, says remedial action must be taken before the public is informed.
- 20 November 2007: Alistair Darling makes a statement to the House of Commons on the missing discs and Paul Gray, the chairman of HMRC resigns.
- 21 November 2007: HMRC issues an apology (the apology itself contains sensitive data, causing yet more problems).
Correspondence relating to the lost data
Scans of correspondence relating to the lost data
Not the First Time
Copies of the database were sent, again by CD, to the accounting firm KPMG, although those discs arrived safely and were later returned. No one reported this at the time.
And Not the Last Time
Sensitive data continues to be lost - HMRC are not alone in failing to properly secure other people's personal details - see UK Privacy Debacles.
MoD recruitment laptop computer scandal
House of Commons debate MOD (Data Loss) 21 January 2008
- 153,000 people who submitted detailed application forms
- 5,700 bank account details
- Initial belief that the data was encrypted
- Admissions that the data was not encrypted at all
- 2 previous stolen recruitment data laptops
- Cabinet Office review of data handling
- Yet Another Review - Sir Edmund Burton
- No resignations by Ministers or senior MoD staff
See Spy Blog for more details: Des Browne now admits to 3 stolen, unencrypted Ministry of Defence recruitment laptop computers
Fallout
- More powers for the Information Commissioner
- More penalties for transgressors
- Everyone whose information was lost has received a written apology from HMRC
- Privacy International to pursue data breach legal action against UK government
- More bad press for HMRC
- Several Reviews
- Kieran Poynter of PricewaterhouseCoopers
- Review of Data Handling procedures in Government by Robert Hannigan Head of Intelligence, Security and Resilience in the Cabinet Office
- Information Commissioner Richard Thomas
- Dr. Mark Walport of the Wellcome Trust
- The Independent Police Complaints Commission
- The Metropolitan Police Service
- The Treasury Select Committee of the House of Commons
Poynter Review
- Terms of reference for the Poynter Review 23 November 2007
- Progress report 14 December 2007
Terms of reference
The Treasury has published terms of reference for the Poynter Review, which will investigate security processes and procedures for data handling in Her Majesty’s Revenue & Customs.
To establish the circumstances that led to the significant loss of confidential personal data on Child Benefit recipients and other recent losses of confidential data and the lessons to be learnt, and in the light of those circumstances to examine:
- HMRC practices and procedures in the handling and transfer of confidential data on taxpayers and benefit/credit recipients;
- the processes for ensuring that these procedures are communicated to staff and the safeguards in place to ensure they are adhered to;
- the reasons why these failed to prevent the loss of confidential data;
- whether these procedures and processes are sufficient to ensure the confidentiality of personal data.
The review will report initially by 14 December on the exact circumstances and events that led to the loss of the Child Benefit data, taking account of the ongoing investigation by the Metropolitan Police. It will make interim recommendations on any further, urgent measures that HMRC should put in place to guarantee the confidentiality of personal data.
The review will also consider wider implications, reporting in the Spring and, in consultation with the Independent Police Complaints Commission (IPCC) and Information Commissioner, make recommendations on:
- how internal processes and culture can be strengthened to achieve appropriate data security in the future;
- whether HMRC’s wider procedures for the handling of confidential data and liaison with other organisations should be changed to reduce the risks and how this might be done.
Notes to editors
1. The Chancellor of the Exchequer, the Rt Hon Alistair Darling MP, announced the review in a statement to the House of Commons on 20 November.
2. Kieran Poynter is Chairman and Senior Partner of PricewaterhouseCoopers and will report to the Chancellor of the Exchequer. The review is being carried out with the knowledge and cooperation of the Independent Police Complaints Commission (IPCC) and the Information Commissioner.
Review of Data Handling procedures in Government
Terms of reference for the Review of Data Handling procedures in Government 23 November 2007
The Prime Minister has asked the Cabinet Secretary to establish a review into data handling procedures in Government.
The Review will be led by Robert Hannigan, Head of Intelligence, Security and Resilience in the Cabinet Office, working closely with heads of departments.
The Cabinet Secretary wrote to all Heads of Departments on Thursday 22 November setting out the terms of the Review.
The terms of Reference of the Review will be:
To Examine:
- the procedures in Departments and agencies for the protection of data;
- their consistency with current Government wide policies and standards;
- the arrangements for ensuring that procedures are being fully and properly implemented;
and to make recommendations on improvements that should be made.
The process will be carried out in two stages:
- first, to ask urgently for an analysis of Departmental and agency systems and procedures to identify compliance with policies and standards, and recommendations for practical improvements and better management of risk that can be identified. Each Department is asked to complete this, covering their agencies as well, by 10 December so that the Prime Minister can be advised by the end of the year.
- Second, to then look collectively at improved standards and procedures, including the role of the centre and governance mechanisms as well as the introduction of better compliance and audit arrangements. A plan to deliver any changes will also be produced. The aim is to complete this early in the New Year.
This Review will also take into account the work being done by Kieran Poynter of PricewaterhouseCoopers into HM Revenue and Customs data handling procedures and the work being done by the Information Commissioner and Mark Walport of the Wellcome Trust on the security of personal data across society as a whole.
Quotes
House of Commons debate George Osborne 20 November 2007
- "Let us be clear about the scale of this catastrophic mistake: the names, the addresses and the dates of birth of every child in the country are sitting on two computer discs that are apparently lost in the post; and the bank account details and national insurance numbers of 10 million parents, guardians and carers have gone missing."
Information Commissioner Richard Thomas, 22 November 2007
- "Individuals value their privacy - institutions do not."
Microsoft ID chief Kim Cameron 22 November 2007
- Meanwhile, in parliament, Prime Minister Gordon Brown explained that security measures had been breached when the information was downloaded and sent by courier to the National Audit Office, although there had been no “systemic failure”.
- This is really the crux of the matter. Because, from a technology point of view, the failure was systemic.
- ...Isn’t it incredible that “a junior official” could simply “download” detailed personal and financial information on 25 million people? Why would a system be designed this way?
- To me this is the equivalent of assembling a vast pile of dynamite in the middle of a city on the assumption that excellent procedures would therefore be put in place, so no one would ever set it off.
Ovum principal analyst Graham Titterington
- "This announcement is breathtaking because of the scale of the loss but not because it is a unique event. Indeed, it is the third major data leakage from Her Majesty's Revenue & Customs in just three months."
FBI fraud expert and world-renowned ex-con artist Frank Abagnale, author of Catch Me If You Can
- "It was not just a mistake. I truly believe that someone paid for information to be stolen. It's what happens all the time, that someone acted in collusion with somebody else to steal this data,"
- "The government would not ship gold bullion via an unsecured courier or method and in today's environment, one needs to understand that sensitive personal data is worth just as much as gold bullion."
Jenny McCartney 25 November 2007
- "For the Government to blame a low-level employee for this fiasco is a bit like allowing a teenage work experience girl access to the nuclear button, and then bleating that she had 'clearly not followed strict rules' when she reached for her skinny latte and accidentally wiped out Tajikistan."
Lords’ Merits of Statutory Instruments Committee following scrutiny of the regulations to bring Contactpoint into being 10 July 2007
- However, the Government have not in our view conclusively demonstrated that a universal database is a proportionate response to the problem being addressed. While the Government have taken the need for security seriously, the scale and importance of the scheme increase the risk that any accidental or inadvertent breach of security, or any deliberate misuse of the data, would be likely to bring the whole scheme into disrepute.
Justice Select Committee - Protection of Private Data
- "There is evidence of a widespread problem within Government relating to establishing systems for data protection and operating them adequately,"
- "It is widely accepted that it is necessary to have a substantial increase in the powers given to the Information Commissioner to enable him to review systems for data protection and their application - recent events have underlined the urgency of this."
News
April
- 2008-05-11 - politics.co.uk - Government slammed over data breach
- Summary: The government has been sending out highly sensitive data in packages with the passwords necessary to access it, it has been revealed today. The admission comes from an internal email at the Department for Work and Pensions (DWP) by one of the department's security advisers which was leaked to internet blog Dizzy Thinks. The email reads: "I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07. "However, once the data and the separate password are received, staff are then forwarding the data and password on together. This defeats the purpose of the security measure entirely."
- 2008-04-30 - ZDNet - BCS: Gov't data breaches have eroded public trust
- Author: Tom Espiner
- Summary: The British Computing Society has criticised the government, claiming its high-profile data breaches have eroded public trust. On Tuesday the BCS published the results of a survey of members of the public. Of the 1,025 respondents, 66 percent said their trust in government departments had decreased due to information breaches such as the loss of 25 million personal records by HM Revenue & Customs last year. ..."People inside the public sector know [it] is not terribly surprising that [breaches such as HMRC's] happened, but for people outside the public sector this was a huge shock."
- 2008-04-28 - silicon.com - House of Lords backs data loss law change
- Author: Nick Heath
- Summary: Losing personal data took a step closer to becoming a criminal offence after the House of Lords backed a change in the law. Peers supported an amendment to the criminal justice and immigration bill which would make it a criminal offence to carelessly release or lose personal data. The amendment, proposed by Liberal Democrat Lady Miller, would make it an offence for anyone to "intentionally or recklessly disclose information" or "repeatedly and negligently" allow information to be disclosed.
- 2008-04-23 - OUT-LAW - Privacy chief notified of 94 data breaches since HMRC debacle
- Summary: The Information Commissioner has been notified of almost 100 data breaches by public and private sector organisations since the loss of 25 million people's details by HM Revenue and Customs last November, according to figures released yesterday. Half of the 28 private sector security breaches were by financial services companies. The problem of the loss of personal information gained in profile in the aftermath of HMRC's loss of two discs containing the entire register of people claiming child benefit last year. The information on the discs included names addresses and banking details of 25 million people, leading to widespread fears of identity theft.
- 2008-04-23 - Kable - Hold less data says information commissioner
- Summary: "Data protection to a large extent is about data minimisation," Thomas told the Infosecurity Europe conference in London on 22 April 2008. "Take the missing MoD laptop (reported in January). The media talk about the military person who left the laptop in the back of his car, but there are more fundamental questions." "Why were 600,000 details being collected in the first place, of casual enquirers about joining the armed forces, and applicants and recruits? Why was it kept for so long? Why was data there for 10 years? What use was it being put to, why was it being collected and retained?" "Then, why was the entire database transferred to a laptop? Then, why was the laptop not encrypted? And only then do you get to the question, why did it get left overnight in the back of a car?"
- 2008-04-22 - The Times - Top officials to be held to account for data losses
- Author: Jonathan Richards
- Summary: Senior Whitehall figures are to be held personally responsible if their department loses or mishandles personal information, under a range of measures designed to increase data security. Officials across the public sector, including permanent secretaries and chief executives of NHS trusts, are to be forced to take data protection "much more seriously" under proposals due to be laid out by Gus O'Donnell, the Cabinet Secretary. In the coming weeks Mr O'Donnell is expected to present the findings of a report on data security. The report was commissioned by the Prime Minister in the wake of the loss of 25 million child benefit claimant records by the HMRC in November.
- 2008-04-22 - Kable - Minister seeks to cut £30 ID card cost
- Summary: Home Office minister Meg Hillier has said the government wants industry to help drive down the cost of the identity cards to the public. ... Hillier said that some 60% of citizens are in favour of identity cards and that the percentage has remained steady, despite the huge data loss at HM Revenue and Customs. She predicted that as identity cards are rolled out people will realise the benefits of carrying them.
- 2008-04-09 - BBC - Data loss prompts security move
- Author: Niall Blaney
- Summary: Thousands of "ultra-secure" computers costing £6m are to be bought by the NI executive following a series of embarrassing losses of personal data. About 4,000 high-security laptops and 10,000 new desktop computers are being bought. The BBC has also learned the Civil Service is to launch a secure system which may do away with sending people's details through the post. Discs containing the details of 6,000 NI drivers went missing in December.
March
- 2008-03-25 - Computing - One in 10 citizens trust government with data
- Author: Tom Young
- Summary: Only one in 10 people trust the government with their personal data, according to a survey by ICM Research for supplier Data Encryption Systems (DES). The survey highlights the extent to which the government's track record on data security has impacted public opinion.
- 2008-03-20 - Computing - Public losing confidence in government security
- Author: Tom Young
- Summary: The recent spate of high-profile data losses has led the public to take more care of their personal information, according to the Information Commissioner’s Office (ICO). Some 85 per cent of people now refuse to give out personal details wherever possible.
- 2008-03-20 - ZDNet - Public gets more savvy about data security
- Author: Tim Ferguson
- Summary: People in the UK are becoming much savvier with their personal information, suggesting the recent spate of high-profile data breaches has had an impact. An Information Commissioner's Office (ICO) survey has found eight out of 10 people are now taking more care with their personal information.
- 2008-03-18 - out-law - Government must take data protection more seriously, says Parliament committee
- Summary: The minister responsible for data protection should be more powerful according to a Parliamentary committee which has also condemned the Government for not taking data protection seriously enough. The Joint Committee on Human Rights said that a spate of recent losses of personal data by the Government or its agencies is "symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously … the rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards." "The fundamental problem is a cultural one: there is insufficient respect for the right to respect for personal data in the public sector," the Committee said. The Committee was reporting on a series of data protection breaches by public authorities, the most serious of which was the loss of personal and banking details of 25 million people by HM Revenue and Customs last November.
- 2008-03-17 - ZDNet - HMRC named 'internet villain' of the year
- Author: David Meyer
- Summary: This year, HM Revenue & Customs (HMRC) won the villain award for losing millions of citizens' personal data.
- 2008-03-17 - Kable - Data breaches damage trust in government
- Summary: Two thirds of Britons trust government less as a result of recent data losses, according to research for the British Computer Society. When asked to describe their level of trust in established institutions, such as government departments, to correctly manage their data following recent data breaches and losses, 66% said their trust had decreased, 31% said it had stayed the same, and 1% said it had increased.
- 2008-03-14 - ZDNet - MoD admits loss of over 11,000 ID cards
- Author: Nick Heath
- Summary: The Ministry of Defence has admitted that more than 11,000 military ID cards have been lost or stolen in the past two years.
- 2008-03-14 - Information World Review - MPs raise fears over data protection for national ID register
- Summary: Repeated breaches of data protection laws by government departments raise huge question marks over plans for the national identity register required for ID cards and biometric passport, an influential parliamentary human rights watchdog has warned. MPs and peers on the Lords and Commons Joint Committee on Human Rights said repeated losses of personal information by departments had increased their concern, and announced they "intend to take a close interest in the government's detailed proposals for the national identity register as and when they emerge."
- 2008-03-14 - Kable - Government's "insufficient respect" for personal data
- Summary: MPs have said recent data protection breaches are "symptomatic of the government's failure to take safeguards sufficiently seriously". The report from Parliament's joint committee on human rights says that the problem with government data protection is cultural: "There is insufficient respect for personal data in the public sector."
- 2008-03-11 - Justice Committee Press Release - Government response to Committee report on private data loss published
- Summary: Chairman of the Committee, Rt Hon Alan Beith MP said: "I think it was a shock to the public to find that such sensitive personal data could so easily be accessed and downloaded, and that it was possible for such data to be so easily lost, and of course further examples have come to light since the massive scale of the HMRC data loss was revealed. The public are going to take a lot more convincing that the Government has got a grip on this problem."
- 2008-03-06 - The Register - Tories call for big changes to cybercrime offences
- Author: John Oates
- Summary: Civil servants who lose public data could be prosecuted under proposals announced by the Conservative Party. It's one of a number of measures touted, as the Tories call for major changes in how the UK deals with cybercrime and data protection. ... the Tories are also calling for a "breach law" - forcing financial services companies to inform the Financial Services Authority if their systems are hacked or compromised in some way and confidential data is at risk.
- 2008-03-04 - The Guardian - More than 1,000 government laptops lost or stolen, new figures show
- Author: Elizabeth Stewart
- Summary: More than 1,000 laptops have been lost or stolen from government departments in recent years, new figures have revealed. Details of departmental losses were disclosed to MPs in a series of written ministerial answers to the House of Commons which reveal that at least 1,052 laptops have gone missing, including 200 in the last year alone.
February
- 2008-02-28 - BBC - Home Office CD in auction laptop
- Summary: A highly confidential Home Office disk was found hidden in a laptop computer sold on eBay. The CD was found between the keyboard and circuit board of the laptop by computer repair technicians in Westhoughton, near Bolton. When engineers took off the keyboard they found a CD marked "Home Office - highly confidential".
- 2008-02-27 - Kable - Minister defends ID security
- Summary: The National Identity Register will have very limited access, stringent security and no risk of 'discs flying around', MPs have been told. Home Office minister Meg Hillier defended the government's plans for its controversial National Identity Scheme, as she faced questions about data security from a committee of MPs. Hillier, who has responsibility for identity cards, said it was important to win public confidence in the scheme, particularly following a number of recent cases in which the government had misplaced or lost confidential data. The biggest loss was at HM Revenue and Customs (HMRC). It sent two discs with the details of 25m families to the National Audit Office by courier, which failed to arrive.
- 2008-02-22 - The Telegraph - Child database 'will never be fully secure'
- Summary: Ministers faced calls to scrap a controversial database containing the personal details of every child in England yesterday after warnings that it would never be completely secure. An independent report called for tighter security to be put in place for the £224 million ContactPoint system, which is due to be introduced later this year. Ministers asked the consultants Deloitte to review arrangements for the database after the lost computer discs scandal at HM Revenue and Customs last November. MPs called on the Government to release the report in full after ministers decided to publish no more than a five-page summary for security reasons.
- 2008-02-21 - NO2ID - Government tries to ignore security risk to millions of families
- Summary: A report commissioned by the government following the HMRC Child Benefit data breach last year confirms that the ContactPoint database, intended to contain the details of every child and parent in the country, can never be made secure. This confirms objections that NO2ID and other campaigners have been pressing since the passing of the Children Act 2004. The report by Deloitte and Touche, of which a summary was published this afternoon, says: "It should be noted that risk can only be managed, not eliminated, and therefore there will always be a risk of data security incidents occurring." The government has refused to publish the full report, 'for security reasons'. In essence it is trying to ignore the problem. It appears from the Executive Summary that has been published that Deloitte confirms some of the issues identified by campaigners well before the legislation had been passed. Phil Booth, NO2ID’s national coordinator, said: "If the report identifies problems in ContactPoint, then the government should face up to them – not try to keep them secret. Ministers can no longer say, "You’ll just have to trust us". We know we can't." "If the government's own report says no system accessible by over 300,000 people can ever be made secure, the answer is not to ignore it and hope everyone forgets. What will they do when - not if - the system is abused? Hide that too?" "ContactPoint is just one more case where official face-saving trumps the basic rights of the general public. Behind the cosy slogan, 'every child matters' seems to mean putting every child equally at risk. If the government cared about more than sloganising, it would scrap the whole scheme immediately."
- 2008-02-20 - Financial Times - MPs deride £5.4bn cure-all
- Author: Jim Pickard and Jimmy Burns
- Summary: Meg Hillier, Home Office minister, will next week outline details of the next phase of Britain's £5.4bn ID card programme - with the government insisting that the public still wants the scheme. But with MPs yesterday calling for the project to be ditched, ministers have a fight on their hands to justify not only its cost but its scope. ... a series of public data losses have further dented confidence in the scheme.
- 2008-02-18 - The Sun - 20,000 bank files found in squat
- Author: Oliver Harvey
- Summary: Sensitive information on 20,000 people – including their bank account numbers and health details – has been found dumped in a hippy squat. ...Documents included names, phone numbers and addresses, dates of birth, pay slips, bank forms and details of private interviews with benefit claimants. ...The Haringey Council files – many stamped "Confidential" - date from the 1980s to 1993.
- 2008-02-15 - ZDNet - ICO: Data-breach spate 'no worse' than normal
- Author: Tom Espiner
- Summary: The Information Commissioner's Office has said that the rash of data-breach reports in the past five months is due not to more data breaches, but to more people admitting to them. HM Revenue & Customs' loss of 25 million details of people claiming and receiving child benefit was the catalyst for a surge of data-loss reports, an ICO spokesperson told ZDNet.co.uk on Friday. "More people are stepping forward as they realise the importance of data breaches," said the spokesperson. "We don't think the situation is any worse. Back in July last year we highlighted the need for more data protection."
- 2008-02-14 - BBC - Medical records laptop is stolen
- Summary: A laptop containing the medical records with information on 5,123 patients has been stolen from a Black Country hospital.
- 2008-02-10 - The Observer - We trusted this country. Look how it treats us
- Author: John Gray
- Summary: The fiascos of 'e-government' are not anomalies that can be corrected by more rigorous procedures. The billions that have been squandered on unworkable computer networks in the NHS and the repeated loss of data throughout government are signs of a dysfunctional system. The disappearance of millions of learner drivers' details somewhere in the Midwest is par for the course. Nothing that has been announced by Gordon Brown will prevent similar debacles. Inevitably, there will be more such incidents - plenty more.
- 2008-01-06 - The Guardian - Poll shows growing opposition to ID cards over data fears
- Author: Alan Travis
- Summary: 25% now strongly against their use, says ICM survey, Majority concerned about sharing of personal details, 50% against 47% in favour. The number of people strongly opposed to the introduction of a national identity card scheme has risen sharply, according to the results of an ICM poll to be published today. Those campaigning against ID cards said last night that the poll, with results showing that 25% of the public are deeply opposed to the idea, raises the prospect that the potential number of those likely to refuse to register for the card has risen. If the poll's findings were reflected in the wider population, as many as 10 million people may be expected to refuse to comply. The ICM survey also shows that a majority of the British people say they are "uncomfortable" with the idea that personal data provided to the government for one purpose should be shared between all Whitehall-run public services.
- 2008-02-05 - ZDNet - BlackBerrys grounded by Whitehall data ban
- Author: Nick Heath
- Summary: Government BlackBerry devices and PDAs have been grounded by the Whitehall-wide ban on the movement of unencrypted personal data. The devices have fallen foul of the department-wide ban imposed by cabinet secretary Sir Gus O’Donnell in the wake of the revelations about the Ministry of Defence data loss last month that resulted from a stolen laptop. The Cabinet Office confirmed that any government electronic device, even down to a mobile phone, would have to have any personal data encrypted before it could leave Whitehall premises.
- 2008-02-04 - Liberal Democrat Press Release - 100,000 families didn't receive letter of apology over lost discs fiasco
- Author: Danny Alexander MP
- Summary: Over 100,000 families didn’t receive a letter of apology from the Government after their child benefit data was lost last year, according to figures obtained by the Liberal Democrats. After losing the personal details of every child benefit recipient last year, the Chancellor promised to send out a letter informing each of the 7.25 million households of the error and apologising. But 101,500 of the addresses lost were not ‘current’, perhaps because the records had not been updated since a family had moved, so these households have still not yet received a letter. Commenting, Liberal Democrat Shadow Work and Pensions Secretary, Danny Alexander said: "The loss of millions of families’ personal details was beyond incompetent yet the Government has gone one better by failing to contact all the families affected." "It's bad enough that people are now at risk of fraud and identity theft, but the least ministers could do is make a serious effort to contact each family to apologise." "From losing personal records to wrongly paying tax credits, this bungling Government is failing families across the board."
- 2008-02-01 - OUT-LAW - Expect Government to be interested in your IT security
- Author: Dr Chris Pounder
- Summary: Disaster has struck and all big organisations should be preparing to pay the price. In the aftermath of the HM Revenue & Customs (HMRC) loss of personal information and a subsequent flood of data security breaches, large organisations should be ready to prove that they can take care of personal information. Anyone who thought that the HMRC disaster was a one-off could not hold that view for long as a Ministry of Defence laptop, a Marks & Spencer employee database and others have created an ever-growing list of organisations suffering a loss of important or confidential data. ... Already the Government has conceded that it intends to provide increased power to the Information Commissioner to carry out inspections and audits, and has introduced a two-year custodial offence where malpractice with respect to personal data can be linked to staff malfeasance.
January
- 2008-01-31 - The Guardian - Our state collects more data than the Stasi ever did. We need to fight back
- Author: Timothy Garton Ash
- Summary: To trust in the good intentions of our rulers is to put liberty at risk. I'd go to jail rather than accept this kind of ID card. ... Today, the people of East Germany are much less spied upon than the people of Britain. The human rights group Privacy International rates Britain as an "endemic surveillance society", along with China and Russia, whereas Germany scores much better. ... All this from a government which, having collected so much data on us, goes around losing it like a late-night drunk spreading the contents of his pockets down the street. Twenty-five million people's details mislaid by Her Majesty's Revenue and Customs; at least 100,000 more on an awol Royal Navy laptop; and so it goes on. ... The Liberal Democrat leader Nick Clegg has said he would go to jail rather than accept an ID card of this intrusive kind. So would I. And so, I believe, would many thousands of our fellow-citizens. (There's a good website called NO2ID where you can join the fray.) Which is why, I suspect, the government won't be so foolish. But we need to draw the line well before ID cards. There are liberties that we have already given away, while sleeping, and we must claim them back.
- 2008-01-28 - The Telegraph - Online tax system 'too risky' for the famous
- Author: Robert Winnett
- Summary: Thousands of "high profile" people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk. This provoked anger from consumer groups and accountants who said the same levels of security should be offered to all taxpayers regardless of their perceived fame. HMRC was responsible for losing 25 million child benefit records and the latest admission will concern millions of people entrusting the online system with their confidential financial records.
- 2008-01-27 - Financial Times - No ID, no problem
- Summary: In the two years since legislation for a UK national identity card scheme gained royal assent, the case against the multi-billion pound programme has become overwhelming. ... Ministers argue that ID cards would reduce identity and benefit fraud. But Revenue & Customs’ loss of two computer discs containing personal details of 25m people, including bank account numbers, has instead exposed the opportunity for abuse on an undreamed of scale.
- 2008-01-24 - Computing - Why personal data loss must not be tolerated
- Author: Mike Howse
- Summary: In the recent HM Revenue & Customs (HMRC) data debacle (Discgate), employees at all levels of seniority neglected security policies and procedures, copied database information to disks, and sent data unencrypted in the post. In the past few weeks we have seen multiple data loss reports: Northern Ireland drivers’ licence details, Merseyside health workers’ data and HMRC’s admission that its Cardiff office either lost the personal details of more than 6,500 people claiming pensions and/or sent the data to unauthorised recipients
- 2008-01-23 - The Independent - Court case data discs go missing
- Author: Vicky Shaw
- Summary: Personal details from court cases contained on four CDs have gone missing in the post, the Government said today. The Ministry of Justice launched an investigation after the information was lost when it was sent recorded delivery. A spokeswoman would not comment on a report that the missing courtroom data discs contained details of at least 55 defendants and other restricted data not released in open court, potentially including the names and addresses of alleged victims and witnesses. ... The MoJ released a brief statement which said: "Her Majesty's Inspectorate of Court Administration (HMICA) confirms that four CD-Roms are missing." "They were sent recorded delivery. Ministers and the Information Commissioner were notified immediately it was recognised that personal data had been lost." "An investigation is under way so it would be inappropriate to comment further at this stage." Yesterday saw a new ban come into place on Whitehall staff removing unencrypted laptops containing personal data from their offices.
- 2008-01-23 - Computer Active - ID cards to arrive in 2012
- Author: Andrea-Marie Vassou
- Summary: UK citizens will receive their compulsory national ID card two years after the proposed date, according to documents leaked to the Conservative party. ... Security expert Richard Clayton agreed, attributing the delay to the Government's recent "incompetent handling of private data". Becky Hogge, director at the Open Rights Group told Computeractive: "It would come as no surprise if the Government was to reconsider its plans for ID cards given its recent record on data protection."
- 2008-01-22 - The Register - MoD laptop losses expose government data indifference
- Author: John Oates
- Summary: The latest data giveaway by the UK's Ministry of Defence shows that not even the most basic IT policies are being followed. There are various ways to ensure laptops do not go astray when loaded up with sensitive information. The most basic is that such information should not be on any machine unless absolutely necessary. The second policy would be to take some action to ensure the laptop was kept physically safe - so leaving such a laptop in an empty car overnight is probably not a good idea. Assuming one or both of these steps were followed, the MoD could then use various types of technology to ensure the data was safe if the worst did happen and the machine was stolen - it could password protect the machine and it could encrypt the data.
- 2008-02-23 - The Scotsman - 'Two-year delay' blow for ID card proposals
- Author: Gerri Peev
- Summary: Gordon Brown's plans for identity cards were dealt a blow last night after leaked documents revealed the government plans to delay a national roll out of the scheme for at least two years. ... David Davis, the shadow home secretary said: "I should think this scheme is in the intensive care ward." "There are clear faults in the whole government strategy as demonstrated from disc-gate to Birmingham-gate or whatever you want to call it." "There is a clear fracture in public confidence. When we started there were 80 per cent for it. Now I suspect 80 per cent oppose it." "It all amounts to giving the government an insoluble problem." "It is a political nightmare for them which is why there have been serial delays."
- 2008-01-22 - The Guardian - MoD admits inquiry into 69 lost laptops
- Author: Richard Norton-Taylor
- Summary: Stolen files not encrypted, Browne tells Commons as Whitehall issues staff ban on movement of data. ... two further laptops containing unencrypted information on at least 500 people had been stolen since 2005. A Royal Navy laptop was stolen from a car in Manchester in October 2006 and an army laptop was stolen from a careers office in Edinburgh in December 2005. These losses were on top of the 69 laptops and seven PCs reported stolen from the ministry.
- 2008-01-22 - Kable - Navy recruiters broke data regulations
- Summary: Defence minister Des Browne has told the House of Commons that officials broke Ministry of Defence (MoD) procedures by placing individuals' data on laptops. ... "It's not clear why recruiting officers routinely carry information on a large number of people or why the database should carry all that information at all," he said.
- 2008-01-22 - ZDNet - MoD lost three unencrypted laptops
- Author: Tom Espiner
- Summary: Secretary of state for defence Des Browne has admitted that the laptop lost by the Ministry of Defence containing details of up to 600,000 defence personnel was not encrypted, and also that services personnel have previously lost two more laptops containing similar unencrypted recruitment information.
- 2008-01-22 - Computing - Whitehall looks to encryption
- Summary: Urgent moves to boost the capacity of Whitehall departments to encrypt data are underway following a ban on removing laptops containing unencrypted personal data from government offices. Orders were issued by cabinet secretary Sir Gus O'Donnell as MPs grilled defence secretary Des Browne on the loss of two further Ministry of Defence (MoD) laptops prior to the one containing data on 600,000 recruits nearly two weeks ago. Browne announced that, in addition to the Whitehall-wide review, he has commissioned an investigation into weaknesses in MoD information security by Information Advisory Council chairman Sir Edmund Burton.
- 2008-01-21 - Three military laptops with secure data missing
- Author: Nico Hines
- Summary: Three military laptops containing personal details of new recruits have been stolen from Ministry of Defence staff since 2005, Des Browne was forced to admit today. The Defence Secretary was making a statement to the House of Commons explaining the loss of a laptop containing the personal data of 600,000 people earlier this month when he made the embarrassing admission.
- 2008-01-21 - The Guardian - The national ID register will leak like a battered bucket
- Author: Jackie Ashley
- Summary: The record of lost data of the past few years should be a warning to us all: our personal details are safe in nobody's hands. ... last year when the child benefit records for a mere 25 million people, including dates of birth, national insurance numbers and bank and building society details, were lost by HM Revenue and Customs (HMRC). ... As it happens, the HMRC had lost details of 15,000 people when they were sent to Standard Life the previous month. Also in September an HMRC laptop was lost with the details of 400 Isa holders on it. ... And there were other similar incidents, going back at least to 2005. Indeed, according to parliamentary answers HMRC had in the previous year been responsible for a modest 2,111 data-protection breaches. ... The government is going to introduce a single system for all our identities. And I promise, you can't trust it. It will leak like a battered old bucket.
- 2008-01-21 - ZDNet - Government at a loss over data security
- Summary: With the Ministry of Defence's loss of more than half a million personal details from a car in Birmingham, the best that can be said is that it's nearly 24.5 million fewer records than HMRC managed. No doubt Gordon Brown will be announcing this as a 97.5 percent reduction in serious stupidity per quarter. Even at this rate, however, the entire country's private information will be in criminal hands by 2012. The Home Office could save time by starting up an RSS feed.
- 2008-01-21 - ZDNet - MoD loses 600,000 personal details
- Author: Tom Espiner
- Summary: The Ministry of Defence has admitted losing the details of 600,000 people after the theft of a laptop from a Royal Navy officer in Birmingham last week. The MoD also lost the bank details of approximately 3,500 of those people
- 2008-01-21 - BBC - More MoD laptop thefts revealed
- Summary: Defence Secretary Des Browne says a probe into the loss of a laptop with details of 600,000 people has uncovered two similar thefts since 2005. The other two laptops held similar data but on fewer people, he told MPs. ... the information was not encrypted. ... Dr Fox said it was potentially more damaging than HM Revenue and Customs' loss of 25 million people's child benefit details. He also said some 68 MoD laptops had been stolen in 2007, 66 in 2006, 40 in 2005 and 173 in 2004.
- 2008-01-19 - The Telegraph - MoD under pressure to explain data loss
- Author: Robert Winnett and Juliet Turner
- Summary: Des Browne, the Defence Secretary, has come under intense pressure to explain the loss of the personal details of 600,000 people interested in joining the Armed Forces. The data was saved on a laptop computer that was stolen from a Royal Navy officer in Birmingham last week on the night of January 9, but the MoD only disclosed it had been lost late last night. ... Simon Davis from the privacy watchdog Privacy International said: "I'm flabbergasted. I cannot believe that our flagship security unit the MOD cannot get the handling of information right." "To think that somebody would have a laptop containing unencrypted information rivals the HMRC data breach." "The problem is that there are so many procedures in place to protect information that nobody knows which one's in place. Junior officials can't remember them and nobody knows what's happening." "We need to slim-down the amount of procedures in place to protect information."
- 2008-01-19 - The Independent - Ministers face embarrassment over stolen laptop and further data losses
- Author: Nigel Morris
- Summary: Ministers faced further questions over data security last night after a laptop computer containing the details of 600,000 people was stolen and hundreds of documents listing personal data on benefits claimants were found dumped at a roadside. The disclosures - three months after computer discs listing child benefit records of 26 million people vanished – left the Government facing fresh embarrassment over the security of personal data
- 2008-01-19 - The Scotsman - 600,000 armed forces files lost – but MoD takes nine days to admit theft of laptop
- Author: Russell Jackson
- Summary: The government was at the centre of another data-breach row last night after revealing a Royal Navy officer's laptop containing the details of 600,000 people had been stolen. ... Information experts immediately asked why the sensitive information was not encrypted. The government has been dogged by information breaches since October when it admitted losing the entire child-benefit database after two CDs went missing from HMRC.
- 2008-01-18 - ZDNet - HMRC letters of apology cost £2.25m
- Author: Nick Heath
- Summary: The government has admitted it cost £2.25m to send letters of apology to people affected by the loss of 25 million child-benefit records by HM Revenue & Customs.
- 2008-01-15 - Web User - HMRC up for web villain award
- Summary: The Internet Service Providers Association (ISPA) has named the candidates for its Internet Villain of the Year 2007 award. ... HM Revenue and Customs (HMRC) was nominated for the Villain of the Year award for "failing to take the protection of peoples' personal data seriously and highlighting bad practice in protecting data by losing computer disks containing confidential details of 25 million child benefit recipients," ISPA said.
- 2008-01-15 - ZDNet - Police demand HMRC foots bill for disc search
- Author: Nick Heath
- Summary: Scotland Yard will demand HM Revenue & Customs foots the record bill for the police force's hunt for the missing data discs containing 25 million child-benefit records. ... A spokeswoman for HMRC said the department has agreed to pay the costs that "we have triggered as a result of the police investigation into the disappearance of the child-benefit data".
- 2008-01-15 - The Guardian - Personal data is as hot as nuclear waste
- Author: Cory Doctorow
- Summary: We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back
- 2008-01-13 - The Telegraph - Hunt for data discs lost in post is called off
- Author: Richard Edwards
- Summary: Police have given up the search for the missing Customs and Revenue discs containing personal details of 25 million people after an operation costing the taxpayer tens of thousands of pounds. Scotland Yard sources said the six-week operation was the "most expensive lost property inquiry ever known". Officers found other mislaid documents "stuffed away in cupboards" during a forensic search of the Government department at the centre of the fiasco, but now believe the discs will never be found.
- 2008-01-10 - Accountancy Age - Bonus payouts for HMRC staff that lost benefit discs
- Author: Penny Sukhraj
- Summary: The HMRC department that caused the blunder which saw the personal details of 25 million families go missing, has been given £19m in performance-related bonuses. ... Conservative chairman of the Treasury sub-committee, Michael Fallon, described the scale of the payout as 'staggering'. 'Given the over-payments of tax credits and data loss mistakes, constituents might be surprised to learn that a third of staff at HMRC shared a performance-related bonus,' said Fallon.
- 2008-01-08 - BBC - Clarkson stung after bank prank
- Summary: Jeremy Clarkson revealed his account numbers after rubbishing the furore over the loss of 25 million people's personal details on two computer discs. He wanted to prove the story was a fuss about nothing. But Clarkson admitted he was "wrong" after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK. ... Clarkson now says of the case: "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy."
- 2008-01-07 - The Telegraph - Government's record year of data loss
- Author: David Harrison
- Summary: A record 37 million items of personal data went missing last year, new research reveals. Most of the data was lost by government officials but councils, NHS trusts, banks, insurance companies and chain stores also mislaid or published personal information about staff or members of the public. Many losses were caused through CDs going missing in the post, laptop thefts, and inadequate security systems that failed to stop hackers reading information stored on computers.
- 2008-01-05 - BBC - Teachers 'put pupil data at risk'
- Summary: Teachers in nearly half of England's primary schools back up pupil data on CDs and memory sticks, which they then take out of school, research suggests. RM blamed a lack of clear guidance, but the government said it published advice for schools on the issue. The warning comes after a string of data security breaches by government departments and associated agencies.
- 2008-01-03 - The Guardian - MPs say losing computer data should be made a crime
- Author: Tania Branigan
- Summary: Recklessly or repeatedly mishandling personal information should become a criminal offence, a committee of MPs urges today in the wake of the child benefit fiasco. A report from the justice select committee says there is evidence of a widespread problem within government and expresses concern that further cases of data loss are still coming to light, adding that concerns about systemic failings were raised two years ago by the man now in charge of the government's review of security. The committee says that companies should be obliged to report information losses.
- 2008-01-03 - The Register - MPs call for stronger data protection laws
- Author: John Oates
- Summary: The Commons Justice Committee recommended the introduction of new offences so that a data controller could be charged for recklessly or intentionally disclosing, or obtaining, personal data. MPs echoed fears raised by Information Commissioner that there could well be further data breaches. The committee also noted that government departments cannot currently be held responsible for data breaches.
- 2008-01-03 - BBC - Tougher data laws needed, say MPs
- Summary: Reckless or repeated breaches of data security should become a criminal offence, a committee of MPs has said. Currently, government departments cannot be held criminally responsible for data protection breaches. But in a report on the "truly shocking" loss of 25m people's personal details by HM Revenue and Customs, the Commons justice committee demands tougher laws.
- 2008-01-03 - The Times - Whitehall should be prosecuted over data loss, say MPs in call for new law
- Author: Greg Hurst
- Summary: MPs are calling for new offences to allow Whitehall departments to be prosecuted for data security blunders such as the loss of child benefit records for 25 million people. The cross-party Commons Justice Committee says that the criminal law must be strengthened to close loopholes and reflect the gravity of offences involving the theft or loss of personal data. Ministers are already planning to toughen sanctions for data protection offences. Government sources suggest that penalties will include up to two years’ imprisonment rather than fines as at present.
- 2008-01-03 - Computing - Government data needs attention
- Summary: The government must balance moves to join up services with the risk of data privacy problems, say MPs. The Commons justice committee report published today re-emphasises the need for wider powers for the Information Commissioner in the aftermath of the HM Revenue & Customs lost discs fiasco.
- 2008-01-03 - Justice Select Committee - Protection of Private Data
- Summary: We are gravely concerned that this incident is not an isolated example
December
- 2007-12-31 - BBC - Clegg pledging to fight ID cards
- Summary: The new Lib Dem leader has pledged to campaign "tirelessly" against "expensive, invasive" ID cards in 2008. Nick Clegg said the recent data loss "scandals" had created a lack of public confidence in the government's ability to look after personal information. His comments were made in his New Year message to the Lib Dem party.
- 2007-12-30 - The Guardian - Doctors revolt on patient records
- Author: Eileen Fairweather
- Summary: SENIOR doctors are encouraging a mass revolt against the government’s £12 billion national health database by supporting a campaign to urge patients to opt out. Activists in the British Medical Association (BMA) have produced a pro forma letter that people can send to their GP to stop their records going onto the database. The doctors fear that patients’ records could be misused if they are made available to health workers across the country, as is planned under the Connecting for Health system.
- 2007-12-30 - The Sunday Times - Beware the state’s ID card sharks
- Author: David Davis MP the shadow home secretary
- Summary: If Gordon Brown picks one failure from his first six months to learn from, it should be the loss of 25m people’s personal details. If he makes one resolution for 2008, it should be to scrap his reckless plan to introduce compulsory ID cards. "Discgate" was the result of ministerial incompetence, but also flawed policy. As chancellor, Brown relentlessly pursued his forlorn vision of a "joined-up identity management regime" across public services. As prime minister, he continues this vain search, like an obsessed alchemist, for a giant database that his closest advisers ominously refer to as a "single source of truth".
- 2007-12-27 - The Guardian - Primary school pupils' personal data 'at risk'
- Summary: Personal details of 2 million primary schoolchildren in England are being put at risk by staff taking home unprotected data. A survey of almost 1,000 primary schools found that 49% were backing up pupil data on to discs, memory sticks or tapes which were taken off the school premises, exposing the material to loss or theft. IT experts RM School Management Solutions, which carried out the survey, said that only 1% of respondents encrypted the data. A further 4% of schools were leaving sensitive and unprotected data at unsecured locations on the school premises.
- 2007-12-24 - The Independent - PM in new pledge to secure databases
- Author: Andrew Grice
- Summary: Gordon Brown has accepted that the Government will need to bring in new safeguards to restore public confidence in the huge databases held by state-run services. ... His pledge came during a telephone conversation with Nick Clegg in the past week.
- 2007-12-24 - The Financial Times - Concern over data handling grows in UK
- Author: Jimmy Burns
- Summary: The Department of Health confirmed that nine National Health Service trusts in England and Wales had admitted losing patients' records. The loss, thought to involve data on hundreds of thousands of adults and children, emerged as part of a government-wide data security review following security breaches in other departments. ... Andrew Lansley, the opposition home affairs spokesman, said the latest loss underlined the case against the government developing centralised data bases. It also raised serious questions over how the planned electronic patients database in the NHS would be able to protect sensitive medical records, he said. "For over two years we have argued for data to be held locally, with networking rather than one central database. The government should accept that this would offer us greater protection," Mr Lansley said.
- 2007-12-24 - The Guardian - Primarolo admits ignorance over data losses by nine NHS trusts
- Author: Patrick Wintour
- Summary: The health minister, Dawn Primarolo, does not know exactly what has been lost by nine NHS trusts. Ministers will be worried that the loss will further undermine confidence in the department's plans for a new computer database of all NHS patients' records. ... The data losses appear to have emerged locally, with potentially the biggest loss by City and Hackney Primary Care Trust in London, which has reportedly mislaid the details of 160,000 children after a computer disc failed to arrive at its destination at St Leonard's hospital. ... The campaign group NO2ID, which opposes ID cards and moves to centralise all NHS records, said: "We are now starting to see the consequences of the government obsession with information 'sharing' and centralised IT in the NHS. If you care about your privacy, then keep your medical records between you and your doctor, and out of the hands of the Department of Health, if you can."
- 2007-12-23 - Yahoo! News - NHS trusts lose patients' details
- Summary: Nine NHS trusts have admitted losing patients' information in the aftermath of the HM Revenue and Customs (HMRC) data loss scandal, it has emerged.
- 2007-12-23 - The Sunday Mirror - Data scandal is a sickener
- Summary: Today the Sunday Mirror reveals that medical records have been lost by nine separate health service trusts. Once again, the incompetence is staggering. The most personal details of thousands of people have been treated with scandalous disrespect.
- 2007-12-23 - The Sunday Mirror - 9 trusts lose files
- Author: Vincent Moss and Justin Penrose
- Summary: Hundreds of thousands of Health Service patients' details have gone missing in a new data scandal. Sensitive details about adults and children were lost in 10 incidents at NINE separate NHS Trusts. Health Secretary Alan Johnson's department last night confirmed details - kept on computer discs or memory sticks - had gone missing. But the Department of Health refused to reveal how many patients were involved or the exact nature of the blunders. Cases include the loss of a CD holding 160,000 children's names and addresses by a Trust in East London and the loss of 244 cancer patients' details by the Maidstone and Tunbridge Wells health trust in Kent. In one case, in Norfolk and Norwich, medical papers on patients with lung, breast and colon cancer were dumped in a wheelie bin. ... THE TRUSTS: Bolton Royal Hospital, Sutton and Merton, Maidstone and Tunbridge Wells (two incidents), Sefton Merseyside, City and Hackney, Mid Essex, East and North Herts, Norfolk and Norwich, Gloucester Partnership Foundation Trust
- 2007-12-20 - ZDNet - The lonesome death of data protection
- Author: Tom Espiner
- Summary: Discgate as Bob Dylan would have sung about it.
- 2007-12-20 - The Guardian - Chattering classes deserve a debate about e-government
- Author: Michael Cross
- Summary: In the continuing fallout from the child benefit disc disaster, the government's IT chiefs can draw one small consolation: the "transformational government" programme to join up public services through IT is now on the chattering classes' agenda. The chattering is mainly hostile, of course, with a consensus that e-government will create a snooper's paradise or a permanent milch cow for IT consultancies. Or both. ... It involves an old IT management technique called the "scream test": the way to find out what a rambling old IT system is really being used for is to turn it off and see who screams. To kick-start the e-government debate, we should do the same. That's right: turn it all off, from your council's webcam to NHS Healthspace to the DVLA's car tax online service. The whole shooting match, off. The screams, I suspect, will be louder than the chattering classes would have us believe.
- 2007-12-19 - The Economist - Learning the embarrassing way
- Summary: For many years Britain's tiny band of civil libertarians have been trying to alert their countrymen to the danger of proliferating government databases, which allow bureaucrats to share citizens' information among themselves with the minimum of fuss. A string of recent blunders have made their case more powerfully than years of lobbying. The latest to emerge has been the loss earlier this year of 3m driving-test records held at a data centre in Iowa. ... Others see a more fundamental problem. The Foundation for Information Policy Research points out that data losses are an inevitable consequence of the government's determination to build massive databases to keep tabs on its citizens. And despite the embarrassments of the past few weeks, it shows no sign of abandoning the biggest project of all: its plan to introduce identity cards for everyone.
- 2007-12-19 - The FT - The price of trust
- Author: Sue Cameron
- Summary: Public trust in HMRC has come in for a further battering this week. First came the progress report on what happened over the missing discs containing half the nation's bank details and what urgent measures should be taken. The report, by Kieran Poynter, chairman of PwC, tells Alistair Darling, the chancellor: "I have seen no evidence thus far that would lead me to conclude that the statement given by you to parliament was inaccurate." Hm. Very guarded. Mr Poynter, whose work is "far from complete", has called for the download function on all HMRC laptops and PCs to be disabled, among other moves, but has shown heroic reticence about criticising HMRC.
- 2007-12-18 - The Times - Millions more ID records go missing
- Author: Philip Webster
- Summary: The records of more than three million British learner drivers have gone missing from a "secure facility" in the US, an embarrassed Government admitted last night. Labour’s dismal autumn hit another low as, minutes after ministers admitted that they still did not know the whereabouts of two discs holding sensitive information on 25 million people, they were forced to confess they had lost the details of all candidates for the driving theory test between 2004 and 2007.
- 2007-12-18 - ZDNet - HMRC did breach data laws
- Author: Tom Espiner
- Summary: The organisation responsible for administering the UK's data-protection legislation has said the government breached data laws when millions of records were stolen in the data debacle at HM Revenue & Customs.
- 2007-12-17 - Foundation for Information Policy Research - The Government misses the point on Poynter
- Summary: The Foundation for Information Policy Research (FIPR) believes that the Government's response to the interim Poynter report shows that they just don't understand what has gone wrong. Their refusal to abandon the headlong rush towards Transformational Government -- the enormous centralised databases being built to regulate every walk of life -- is not just pig-headed but profoundly mistaken. Both Alistair Darling, commenting on the HMRC fiasco, and Ruth Kelly, telling the House about the loss of 3 million people's personal information, told us that once 'lessons have been learned' and 'procedures tightened' the march to ever-larger database systems will continue. Before Transformational Government came along, only small amounts of data were lost -- but as the new databases cover the whole population, everyone's affected now, not just a few unlucky people. Transformational Government means putting all of the eggs into one basket and it is creating: The multi-billion pound identity card scheme, to hold data on the whole population. The National Health spine, which will make everyone's health records available for browsing by a million NHS workers. ContactPoint which will record details on every child in England, with details of their parents, carers and indicators of whether they have any contact with social services. Three hundred thousand people can look that information up. A universal pensioner's bus pass scheme which will hold the data on 17 million people, and in principle will let any bus driver learn your age and address -- when all that it should record is an entitlement to free travel. Ross Anderson, Chair of FIPR and Professor of Security Engineering at the University of Cambridge said, "the Government believes that you can build secure databases and let hundreds of thousands of people access them. This is nonsense -- we just don't know how to build such systems and perhaps we never will. The correct way to design such systems is to localise the data, in a school, in your local GP practice. That way when there is a compromise because of a technical failure or a dishonest user then the damage is limited. "You can have security, or functionality, or scale -- you can even have any two of these. But you can't have all three, and the Government will eventually be forced to admit this. In the meantime, billions of pounds are being wasted on gigantic systems projects that usually don't work, and that place citizens' privacy and safety at risk when they do." Richard Clayton, FIPR Treasurer said, "Personal data ought to be handled as if it were little pellets of plutonium -- kept in secure containers, handled as seldom as possible, and escorted whenever it has to travel. Should it get out into the environment it will be a danger for years to come. Putting it into one huge pile is really asking for trouble. The Government needs to completely rethink its approach and abandon its Transformational Government disaster."
- 2007-12-17 - Downing Street Says - Data Security
- Summary: Asked if the new measures re data security related to Government or just to HMRC, the Prime Minister's Spokesman said that they related to Government; the O’Donnell review was about looking at all departments.
- 2007-12-14 - Kable - Police call off discs search
- Summary: UK police are to stop searching for the missing child benefit CDs early next week
- 2007-12-13 - The Register - Brown quizzed on gov IT failures
- Author: John Oates
- Summary: Prime Minister Gordon Brown admitted this morning that the government has "a long way to go" to a coherent IT strategy. Asked by MP Edward Leigh about systemic failures at the HMRC, which led to the loss of two CDs containing the entire child benefit database, Brown said there was a difference between rules not being followed and failure of procedures and systems. He also said no one had lost any money.
- 2007-12-12 - Evening Standard - Children's data discs lost in hospital blunder
- Author: Mark Prigg
- Summary: The personal details of 160,000 children have been lost at a London hospital in a fresh blunder over confidential information. A computer disc containing the data was sent to St Leonard's Hospital in Hackney but failed to reach the right department - even though it was signed for by hospital staff. The disc contained their names, dates of birth and addresses.
- 2007-12-12 - BBC - Loan application forms go missing
- Summary: 800 budgeting loan applications containing personal and confidential information about members of the public were lost by the Department for Work and Pensions. The forms contained applicants' names, addresses, dates of birth, National Insurance numbers and bank details.
- 2007-12-12 - The Register - Six in ten UK punters fear what gov will do with private data
- Author: John Oates
- Summary: Research sponsored by Symantec reveals that six out of ten UK citizens do not believe their data is safe with government departments.
- 2007-12-12 - Ministry of Justice Press Release - Consultation launched into the use and sharing of personal information
- Summary: A consultation into how personal information is used and shared in the public and private sectors has been launched today by Richard Thomas and Dr Mark Walport. The consultation forms part of an independent review into the use and sharing of personal information announced by the Prime Minister on 25 October. It asks how and why information is shared and used; whether the Data Protection Act offers sufficient safeguards; what impact technological advances have had on the protection of personal information; and whether there are lessons the UK can learn from other countries.
- 2007-12-12 - Scotsman - Government under fire after three new data mix-ups
- Author: Angus Howarth
- Summary: Confidential personal details of dozens of prisoners, including their criminal records, have been delivered to a private company instead of going to Norfolk Police.
- 2007-12-11 - The Times - Northern Irish driver data discs lost in post
- Author: Hannah Fletcher
- Summary: Two computer discs containing personal details of more than 6,000 Northern Irish drivers have been lost, a leaked letter from the Northern Ireland Department of the Environment has confirmed. The discs, which contain the names and addresses of the motorists and the licence plate numbers of their 7,685 vehicles, went missing at a sorting centre in Coventry.
- 2007-12-11 - BBC - Thousands of driver details lost
- Summary: The Driver and Vehicle Licensing Agency in Northern Ireland has lost the personal details of 6,000 people on two discs that went missing after being sent to the agency's headquarters in Swansea. The information was not encrypted. Shadow Transport Secretary Theresa Villiers said: "It looks like it has failed to learn anything from the HMRC catastrophe."
- 2007-12-10 - The Register - Brown knew data loss was disaster waiting to happen
- Author: John Oates
- Summary: The loss of the child benefit data was a disaster waiting to happen and the Prime Minister was warned about inadequate data protection procedures years ago. Internal auditors examined procedures in March 2004. "Fraudulent/malicious activity was not being detected... Live support staff had root access and could do anything without being detected with obvious risks." ... "no encryption between certain elements in the system".
- 2007-12-10 - Information World Review - Lost HMRC data sounds wake up call for security pros
- Author: Clement James
- Summary: At the CSO Interchange - a forum for chief security officers - held in London recently, 60 per cent of senior security professionals present professed to having only "some idea" as to where their customer data is stored and "limited controls" over it. ... Speaking at the event, cross bench peer, Lord Erroll, a member of the House of Lords Science and Technology Committee, described the recent HMRC data breach as a "godsend". "With luck the missing CDs have ended up in a landfill site but this fiasco will force the government to start taking security seriously and the powers of the Information Commissioner's Office will be strengthened," he said.
- 2007-12-10 - ZDNet - CIOs: Encryption only part of data-security solution
- Author: Andy McCue
- Summary: Policies, processes and a "corporate ethos" of care of data are more important in securing sensitive information than using encryption technology. Two-thirds of a 12-strong CIO Jury IT user panel said technologies such as encryption need to be part of a more holistic approach to security, including training for staff and strict enforcement of policies.
- 2007-12-10 - Kable - PM failed to heed data warning
- Summary: Gordon Brown was told three years ago that weak data protection procedures governing the child benefit database made fraud or mistakes more likely and potentially undetectable. Obvious holes in working practices, such as the ability of junior officials to download the whole database and the use of unencrypted discs, were also highlighted. Internal auditors examined procedures in March 2004. Their findings were written up by Treasury risk manager Richard Fennelly.
- 2007-12-11 - The Independent - Discgate: Treasury was told of dangers
- Author: Andrew Grice
- Summary: Gordon Brown has been accused of ignoring a warning by Whitehall computer experts that could have prevented personal data on 25 million people being lost.
- 2007-12-09 - Liberal Democrat Press Release - HMRC letter shows Brown to blame
- Author: Vince Cable MP
- Summary: Commenting on reports that HMRC was warned in a letter three years ago about both junior staff accessing databases and weak procedures which meant that mistakes and fraud were unlikely to be detected, Liberal Democrat Acting Leader and Shadow Chancellor Vince Cable said "How can people have confidence in Government databases holding personal information when Departments like the HMRC have taken such a cavalier attitude?" "These reports also show that the blame for lost discs lies with Gordon Brown, as he should have acted on the worries of his auditors while he was Chancellor."
- 2007-12-09 - This is London - Disc security warning years ago
- Summary: The Government was warned three years before 25 million people's records were lost in the post. Internal auditors raised concerns that junior staff had access to the database and information was not being encrypted. They also told Whitehall bosses that weak procedures meant mistakes and fraud were unlikely to be detected. A letter circulated by Treasury risk manager Richard Fennelly in March 2004 said: "Fraudulent/malicious activity was not being detected...Live support staff had root access and could do anything without being detected with obvious risks." There were also worries that there was "no encryption between certain elements in the system".
- 2007-12-07 - The Guardian - In the age of leaky data, there is no such thing as a secure online computer
- Author: Simon Jenkins
- Summary: This week Britain's information commissioner, Richard Thomas, confessed that "a stream" of sheepish data custodians had formed outside his door "on a confessional basis" after last month's Revenue & Customs child-benefit data leak. They had all lost material that the public had entrusted to their care. They had taken it home, posted it somewhere, left it on a bus, dumped it in a bin or sent it to some government department. ... The groups most eagerly awaiting the government’s ID computer are criminals and terrorists. The home secretary, Jacqui Smith, will supply them with detailed, supposedly confidential identification, including digitised biometrics, of every British citizen and visitor passing through immigration.
- 2007-12-07 - BBC - Better data protection 'required'
- Summary: A report by Demos warns that people are losing control of their private data and are not sufficiently aware of how many bodies hold their information. The report comes less than a month after HM Revenue and Customs lost discs containing 25 million people's details. ... "The government must urgently develop a more coherent strategy around the way personal information is held and used," the report says. It adds: "Government departments should have a responsibility to tell individuals how their information is used and how that affects them."
- 2007-12-06 - Accountancy Age - Apology for disc blunder costs the taxpayer £3m
- Author: Richard Brooks
- Summary: A grovelling letter of apology sent to as many as seven million families over the loss of child benefit data cost the government £3m. An HMRC spokesman admitted this week that the cost was actually £3m.
- 2007-12-06 - Forbes - UK's Brown at odds with HMRC chief over 'systemic failure' claim
- Summary: Gordon Brown is at odds with the acting head of HMRC over claims that the loss of benefit claimant details was part of wider systemic failure within the department.
- 2007-12-06 - The Register - HMRC coughs to more data losses
- Author: John Oates
- Summary: David Hartnett told the House of Commons Treasury Select Committee that HMRC was aware of seven other data breaches since Revenue and Customs merged in 2005.
- 2007-12-06 - The Telegraph - HMRC boss admits to more data losses
- Author: Andrew Porter
- Summary: HMRC has admitted there have been seven other significant data losses in recent years. ... Yesterday, the Telegraph revealed that the names of up to 350 people who are on the witness protection scheme were on the two discs that were lost in October. Despite the Ministry of Justice claiming last night that they had been "assured" by HMRC that witnesses were not at risk, the Telegraph can reveal that both the Met Police and the Association of Chief Police Officers (Acpo) have been involved in the matter and are "concerned". And a furious behind the scenes row erupted over the HMRC's attempt to calm fears. Officials at the Ministry of Justice who are aware of the concerns had prepared a statement which said there were possible “risks” and were at loggerheads with their counterparts at HMRC.
- 2007-12-06 - Kable - HMRC offers lost discs reward
- Summary: HM Revenue and Customs is offering a reward of £20,000 for information leading to the recovery of the lost child benefit data discs. The Metropolitan Police investigation has now been reduced - 47 detectives were involved in early searches, but this has fallen to 32.
- 2007-12-05 - Action on Rights for Children - Babes in the Wood
- Author: Terri Dowty
- Summary: The DWP recently wrote to all local authorities advising them to password-protect Housing Benefit data, regularly copied on to CD-ROMs and sent by courier to Newcastle. What data are we talking about? It includes: Name, Address, NI Number, Date of birth, Ages of children, Employment and housing status, Any other benefits applied for/received, Details of income, Whether they have a partner, Whether they are currently in prison, Whether they have been referred to fraud investigators. The password that would allegedly guard this data was sent to every local authority in an unsecured, unencrypted email. It was the same password for each LA, and they were advised that they should use it on each occasion that they submitted their Housing Benefit return.
- 2007-12-05 - The Guardian - HMRC admits seven security breaches
- Summary: HM Revenue and Customs have suffered seven breaches of security of "some significance" involving the loss of personal data, the organisation's new acting chairman has disclosed. Giving evidence to the Commons Treasury sub-committee, Mr Hartnett acknowledged that the losses could represent a "systemic failure" by the organisation.
- 2007-12-04 - Pulse - A spine waiting to snap
- Author: Phil Peverley
- Summary: Despite the loss of the disks by HMRC the government is continuing with its plans to upload the medical records of the entire population to another national database. What’s it for? What’s the point? And just who, in their right mind, would consent to their private medical records being logged on to a system to which tens of thousands of incompetent New Labour work-experience buffoons theoretically could have access? Not one of the patients I have discussed it with, that’s for certain. My personal medical records will not be joining this ludicrous Keystone Cops experiment. Neither will those of any of my patients. It is simply not possible that our government can give us any sort of guarantee that some berk in Birmingham will not download the lot and send it to his DVD rental club by accident.
- 2007-12-05 - BBC - £20,000 reward offered for discs
- Summary: A reward of £20,000 is being offered for the return of two HM Revenue and Customs CDs. Meanwhile, the acting head of the HMRC said there had been seven incidents of "some significance" involving data security breaches since April 2005. These "may well" indicate systemic failure, David Hartnett added.
- 2007-12-05 - Liberal Democrat press release - More lost discs show appalling lack of attention to people's security
- Author: Vince Cable MP
- Summary: Commenting on news that there have been seven incidents of lost discs in the HMRC in the last two and a half years, Acting Liberal Democrat Leader and Shadow Chancellor Vince Cable said: "This shows an appalling lack of attention to people’s security, inexplicable failure to encrypt data and a chaotic method of dealing with transportation." "The Government is investigating the errors in the HMRC but it should be looking at how widespread such practices are across government departments including the Department for Work and Pensions and Department of Health."
- 2007-12-05 - The Guardian - Government offers reward in hunt for lost data
- Author: James Sturcke
- Summary: The government today offered a £20,000 reward for the safe return of two missing CDs containing personal details of half the British population. ... In a statement, the Met said its primary search had been concluded without recovering the discs, which hold the details of more than 25 million people.
- 2007-12-05 - Telegraph - Lost data discs 'endanger protected witnesses'
- Author: Andrew Porter
- Summary: Hundreds of people in police witness protection programmes have been put at risk by the loss of millions of child benefit records. The missing data discs are understood to contain both the real names and the new identities of up to 350 people who have had their identities changed after giving evidence against major criminals.
- 2007-12-05 - Computing - ICO warns of more breaches
- Author: Tom Young
- Summary: More cases of public information lost by central government departments have come to light since the HMRC fiasco, Information Commissioner Richard Thomas told the Commons Justice committee yesterday. ... Thomas also described the HMRC breach as "the worst the ICO has encountered" and said it called into question the security of the entire system of data sharing in government if information was not being encrypted.
- 2007-12-04 - BBC - More firms 'admit disc failings'
- Summary: Several firms have admitted security failings in the wake of the loss of two discs containing 25 million people's details, MPs have been told. ... The Information Commissioner Richard Thomas told the justice committee that, since October, "quite a number of organisations, both public and private sector, have come to us saying that they think they have found a problem... almost on a confessional basis, bringing to our attention problems they have encountered with security in their own organisations." "I would question whether anybody should be allowed to download an entire database of this scale without going through the most rigorous pre-authorisation checks." "It was a really shocking example of loss of security."
- 2007-12-04 - The Register - Ex-HMRC boss gets shiny new civil service post
- Author: John Oates
- Summary: Paul Gray will work on special projects for the Cabinet Office after less than two weeks' gardening leave. Gray quit as chairman of Her Majesty's Revenue and Customs on 20 November - he took responsibility for the loss of two CDs containing the entire child benefit database.
- 2007-12-04 - OUT-LAW - Privacy chief given another chance to seek new powers
- Summary: This afternoon Commissioner Richard Thomas will appear before the House of Commons Justice Committee to give evidence about data protection and his powers, which he is known to believe are too limited. ... In the aftermath of that crisis Thomas was given a small measure of the extra power he has been seeking, but he is known to believe that a tougher data protection regime is essential. "In the light of the admitted mishandling of private personal data by Her Majesty's Revenue & Customs, the Committee will hold a one-off evidence session with the Information Commissioner," said a statement from the Justice Select Committee.
- 2007-12-03 - The Telegraph - Poll shows more people now oppose ID cards
- Author: Philip Johnston
- Summary: More people now oppose Labour's proposed