Incompetence leads to HMRC breach affecting over 25 million in UK
Date Reported:
11/20/07
Organization:
HM Customs and Revenue (HMRC)
Contractor/Consultant/Branch:
None
Victims:
Child Benefit recipients and their children
Number Affected:
25,000,000 individuals AND 7,250,000 families
Types of Data:
Recipient names, their children's names, addresses, dates of birth, Child Benefit numbers, National Insurance numbers*, and bank or building society account details
*~equivalent to Social Security numbers in US
Breach Description:
Compact discs containing extremely sensitive and personal information about 25 million UK citizens and 7.25 million UK families were lost in transit from Her Majesty's Revenue & Customs to the National Audit Office (NAO). This is the single largest information security breach involving personal data in UK history.
Reference URL:
Reuters UK Story
icHarrow.co.uk Story
Telegraph.co.uk Story
Report Credit:
Reuters UK
Response:
From the sources cited above:
Computer discs holding personal data on 25 million people and 7.2 million families have gone missing, Chancellor Alistair Darling has admitted to MPs.
[Comfyllama] This is a HUGE breach. I hope that this breach gets as much press as humanly possible so everyone (except those still living in caves) will realize the breadth of this problem worldwide.
"the details included names, addresses, dates of birth, Child Benefit numbers, National Insurance numbers and bank or building society account details."
[Comfyllama] I am not 100% sure, but this seems like some very very sensitive data.
Paul Gray, head of Revenue and Customs, has already resigned over what Darling described as a "serious failure" at the tax authority, which is already embroiled in two other major security breaches this year.
[Comfyllama] I know that Paul Gray is very highly regarded by some, but what the heck was this guy thinking? This is nothing new here. This is complete negligence on the part of his staff. The two breaches referred to are both mentioned on The Breach Blog and both could have been easily avoided!
sent by HMRC's postal system
sent last month to the National Audit Office (NAO) but never arrived.
Mr Darling said police had no evidence the information "has found its way into the wrong hands" or of any evidence that it has been used for fraud. He has appointed Kieran Poynter, chairman of Price Waterhouse Coopers, to investigate HMRC security procedures.
[Comfyllama] What kind of evidence would show you that the information "has found its way into the wrong hands"? IF the information did fall into the wrong hands, you wouldn't know it until it was too late. Maybe Kieran Poynter will mandate encryption for confidential data?
"Obviously the Prime Minister and the Government take the protection of personal data extremely seriously," she added. "This is an issue which he considers to be very important." The spokeswoman said the Prime Minister "fully supported" the action being outlined by the Chancellor to deal with the issues.
[Comfyllama] Hogwash! I am a Yankee, so what do I know? The Government should put their words into some kind of action! The last two HMRC breaches both could have been mitigated through the simple use of encryption. You could (should) have seen this coming! The Prime Minister would do well to comment on this breach himself rather than through a spokeswoman.
Mr Darling told the Commons: "I regard this as an extremely serious failure by HMRC in their responsibility to the public."
[Comfyllama] Even though the word "extremely" is used, this is still an understatement. HMRC was negligent meaning "marked by or given to neglect especially habitually or culpably"** or "failing to exercise the care expected of a reasonably prudent person in like circumstances"**, take your pick.
**Source - Merriam-Webster's Online Dictionary
MPs gasped as Mr Darling told them: "The missing information contains details of all Child Benefit recipients: records for 25 million individuals and 7.25 million families".
That effectively means the personal details of every family in the country with a child under 16 have gone missing.
[Comfyllama] Every family in the UK with children under 16 is affected by this stupidity.
The opposition accused the government of laying half the population of Britain open to identity fraud and ridiculed its competence over running the country.
"Get a grip and deliver a basic level of competence," Conservative Treasury spokesman George Osborne shouted across the parliamentary floor at Darling.
[Comfyllama] Mr. Osborne is absolutely correct. Even a "basic level of competence" would have prevented this breach!
"Half the country will be very anxious about the safety of their family and security of their accounts will be wondering how the government allowed this to happen."
Commentary:
I am not a victim nor am I even a UK resident, but I am really ticked off! Mr. Gray gets off easy, the rest of the families in the UK have to deal with this for God knows how long. How would a UK resident protect themselves from the government that is designed to protect them to begin with? Make sense?
The two breaches this year are mentioned below. The last HMRC breach reported on The Breach Blog occurred in exactly the same manner as this one.
Past Breaches:
November, 2007 - HMRC lost CD exposes 15,000 Standard Life pensioners
October, 2007 - Lost HMRC laptop exposes 400

Just in case we were naive enough to think that US taxpayers are immune:
One recent example, IRS mails other peoples' information to Oregon man.
I am sure I could find others.
It would have been ok if they would have lost only some data that can’t really affect the people involved, like their children's names, addresses, and dates of birth and so on… but they lost bank and building society account details, national insurance numbers! This is outrageous! Really! Do you know if someone’s account was used by those who got the dates after this event?