HMRC loses data cartridge that affects 6,548 pensioners

Date Reported:
12/18/07

Organization:
HM Customs and Revenue (HMRC)

Contractor/Consultant/Branch:
None

Victims:
Countrywide Assured pension customers

Number Affected:
6,548

Types of Data:
Names, addresses, dates of birth, national insurance numbers*, and pension contributions.

*Roughly equivalent to Social Security numbers in the US

Breach Description:
A "data cartridge" sent from Countrywide Assured to Her Majesty's Revenue and Customs (HMRC) has been lost at an HMRC office in Cardiff.  The data cartridge was sent via courier in September, 2007 and contained sensitive personal information belonging to Countrywide Assured pension customers.

Reference URL:
BBC News Story

Report Credit:
BBC News

Response:
From the online source cited above:

Names, addresses, date of births, national insurance numbers and pension contributions were included on a data cartridge which has been lost.
[Evan] This is all prime data for theft.

It had been sent by courier in September from Countrywide Assured.

signed for by HMRC but has since gone missing
[Evan] Not only does HMRC lose data in transit, but they also lose data in house.

It is understood that Countrywide Assured, which is based in Preston in Lancashire, has written letters to the 6,548 affected customers.

"It is very unlikely that any unauthorised person would be able to access the customer information due to the nature of the medium on which the data is held.
[Evan] Security through obscurity doesn't work.  This is one of the oldest security fallacies in the book.  Don't count on the nature of the medium to provide adequate security.

"We are taking this loss extremely seriously and have done everything possible to locate the data cartridge. We would like to apologise to all those affected."

The spokesman said PricewaterhouseCoopers was carrying out an independent review of data loss and HMRC was implementing additional measures to ensure that confidential data was transported and held safely at all times.
[Evan] It's good to see that a third party has been brought in to consult HMRC.  It is obvious that they need it.

Commentary:
What can we say about the people responsible for ensuring confidential information remains secure at HMRC?  This is the seventh breach concerning HMRC this year, and the fourth reported on The Breach Blog since October.  The head of HMRC already resigned in November as a result of these breaches.  Who else should be held accountable?  I have lost patience with these people.

Obviously (or maybe not), the proper use of encryption would have offered better assurance of data security than does "the nature of the medium on which the data" was held.  I sincerely hope that HMRC encrypts all confidential data at rest soon.

Past Breaches:
Six others reported in the last 12 months concerning HMRC.
November, 2007 - 25 million UK residents affected by HMRC breach
November, 2007 - 15,000 UK pensioners at risk through lost HMRC CD
October, 2007 - Stolen HMRC laptop affects 400



 