HMRC lost CD exposes 15,000 Standard Life pensioners

Date Reported:
11/02/07

Organization:
HM Revenue & Customs (HMRC)

Contractor/Consultant/Branch:
Standard Life (UK)

Victims:
Certain Standard Life customers*

*"Those affected are people who have contracted out of the State Second Pension (S2P), which was formerly known as the State Earnings Related Pension Scheme (Serps), and so have some of their NICs rebated by HMRC to the pension providers of their choice."

Number Affected:
15,000

Types of Data:
Names, National Insurance Contribution (NIC) numbers (roughly equivalent to US Social Security numbers), dates of birth, addresses, and pension policy details.

Breach Description:
HM Revenue & Customs sent "a number of discs" containing sensitive personal information to multiple insurers by courier nearly five weeks before the loss was reported. The discs destined for Standard Life never arrived, leaving the personal details of 15,000 people unaccounted for. HMRC has not confirmed whether the data on the discs was encrypted.

Reference URL:
The Register Story
The Telegraph Story
BBC News Story

Report Credit:
Ian Cowie, Telegraph Media Group
submitted to The Breach Blog by a concerned reader

Response:
From the online articles cited above:

"HM Revenue & Customs has lost the confidential data of thousands of people on a computer disc that went missing on its way to Standard Life's pensions department"

"Data on 15,000 pension policy holders, sent in a CD from HMRC offices in Newcastle to Standard Life's Edinburgh headquarters by courier, never arrived."

"Names, National Insurance Contribution (NIC) numbers, dates of birth and pension policy details are included on the disc."

An HMRC spokesman said: "There is no evidence that there has been any fraud but we are taking this matter very seriously and are obviously extremely annoyed with the courier company concerned.
[Comfyllama] Extremely annoyed at the courier? IF the data sent on CD was not encrypted, then HMRC has no right to be annoyed at anyone. The victims are the ones who suffer, and the victims have the right to be annoyed.

"There was a thorough search for the item, which went missing at the end of September, but it has not been found. We have a duty of care to let people know what has happened and so we are writing to tell them."

"Those affected are people who have contracted out of the State Second Pension (S2P), which was formerly known as the State Earnings Related Pension Scheme (Serps), and so have some of their NICs rebated by HMRC to the pension providers of their choice."

A spokesman for Standard Life said: "A number of discs – it may have been between 20 and 30 – left HMRC in Newcastle for various insurers, but the courier delivered to everybody else except us."
[Comfyllama] Is it safe to assume that HMRC, which handles some of the most sensitive personal details on UK taxpayers, routinely sends confidential data via unencrypted CDs? Holy s%*t! Please excuse my language.

"Maybe it's just a very unfortunate mistake."
[Comfyllama] OK, forgetting to put the seat down is an "unfortunate mistake".  Betraying the trust of thousands of people by treating personal information like this is negligence.  Again, I am assuming that this data was NOT encrypted, which is not confirmed.

"UK tax authorities reportedly routinely send confidential data on taxpayers to their pension providers via CD, a procedure that has been found wanting of late."

"HM Revenue has declined to confirm whether the data on the disks was encrypted or not."

"The Revenue refused to say "on security grounds" whether the information was encrypted."
[Comfyllama] What?!?!  "On security grounds"?  Yeah, I would say the data was NOT encrypted.

Commentary:
You have to wonder who is in charge of information security at HMRC to allow such obviously poor security behavior. I am not a victim of this breach, but I am still beside myself on this one. I have difficulty trying to explain insanity.

All sensitive data at rest MUST be encrypted, especially when copied or moved to removable media such as CDs. Encryption only counts if the key does not travel with the media: a disc whose key or passphrase is in the same courier package is, for practical purposes, a cleartext disc.
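As an added illustration (not HMRC's or Standard Life's procedure, and not code from the original post), the following Go program shows what "encrypted before it goes on the disc" means in practice. The records are sealed with AES-256-GCM under a random key that is meant to reach the recipient by a different route than the disc, and the recipient and consignment names are bound in as authenticated header data, so a lost disc yields only ciphertext and a swapped or altered disc is rejected on opening. The header string, the key-handling arrangement and the sample record are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// header is authenticated but not encrypted. Binding the recipient and the
// consignment into the tag means a disc made for one insurer cannot be
// quietly re-labelled for another. Assumed values for the example only.
const header = "recipient=Standard Life, Edinburgh;consignment=S2P-rebates-2007-09"

// NewKey returns a fresh 256-bit key. The key must reach the recipient by a
// different route than the disc (an existing secure channel, not the same
// envelope); a key that travels with the media protects nothing.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // requires a 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag,
// with header supplied as additional authenticated data.
func Seal(key, plaintext []byte, header string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends the ciphertext and tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, []byte(header)), nil
}

// Open checks the tag before releasing any plaintext. A changed byte in the
// nonce, ciphertext, tag or header fails closed instead of yielding garbage.
func Open(key, sealed []byte, header string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short to contain nonce and tag")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(header))
}

func main() {
	// Constructed sample record, not real data: name, NI number, DoB, address, policy.
	records := []byte("EXAMPLE,A;QQ123456C;1950-01-01;1 Example St;policy 0001\n")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, records, header)
	if err != nil {
		panic(err)
	}
	// This is all that is on the disc if it goes missing.
	fmt.Printf("on disc: %s...\n", hex.EncodeToString(sealed[:16]))

	// At the recipient, with the key received separately from the disc.
	plain, err := Open(key, sealed, header)
	fmt.Printf("recipient recovers records: %v\n", err == nil && string(plain) == string(records))

	// A disc altered in transit is rejected rather than trusted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, header)
	fmt.Printf("tampered disc rejected: %v\n", err != nil)
}
```

What this does not fix is worth stating: a key posted in the same envelope, or a passphrase short enough to guess, gives the same result as no encryption at all. The key has to reach the recipient by a channel the courier never sees.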

Past Breaches:
October, 2007 - HMRC stolen laptop, 400 victims, and encryption
May, 2007 - Standard Life mix-up exposes hundreds
