UK's HMRC mailing error affects more than 50,000 taxpayers
Date Reported:
5/27/10
Organization:
HM Revenue and Customs ("HMRC")
Contractor/Consultant/Branch:
Unknown "print supplier"
Location:
London, England
Victims:
English taxpayers
Number Affected:
"around 19,000"*
*Some reports state that as many as 50,000 are affected, but roughly 31,000 did receive the correct information; however, it was unusable - Source: Telegraph.co.uk
Types of Data:
"names, addresses and dates of birth, as well as parts of bank account numbers, salary details and National Insurance numbers"
Breach Description:
"Around 19,000 individuals were sent other people's personal information in the post along with their annual award notice" from HMRC (roughly the UK equivalent to the US IRS).
Reference URL:
Telegraph.co.uk
The Register
This Just Happened
Report Credit:
Christopher Hope, Telegraph.co.uk
Response:
From the online sources cited above:
Around 19,000 individuals were sent other people's personal information in the post along with their annual award notice.
[Evan] I am a little amazed that the HMRC, IRS, and hundreds of other organizations still use postal mail to send sensitive information. I know that it is a crime to steal someone's mail, but do you think that the criminals care? They are criminals after all. We do have the technology that enables us to send this information in an electronic format.
They each received one page of someone else’s tax credit renewal form which included a variety of different personal details.
These included names, addresses and dates of birth, as well as parts of bank account numbers, salary details and National Insurance numbers.
[Evan] From my understanding, these ~19,000 people received forms with their own National Insurance numbers on the back, and a stranger's work, pay and other information printed on the front.
Another 31,000 people received the correct forms, although they were jumbled up in the mail-out, which started on Saturday.
One woman from Hyde in Greater Manchester said she had received a letter that included her neighbour's earnings.
She also was sent the bank sort code and the last four digits of the bank account number of another claimant.
Matthew Elliott, the chief executive of campaign group the Taxpayers’ Alliance, said: “It’s appalling that taxpayers' details have been posted out to total strangers.
“An apology simply cannot undo this latest incompetence from HMRC, and it represents a huge breach of the public's trust.
[Evan] Did the people trust the UK government before this breach happened? Do we, in the U.S. trust our government? The reasons behind the distrust are much larger than this breach, do you think?
“If they can't be responsible with our details, then how can we expect them to administer millions and millions in tax credits?”
A Treasury source said ministers were “dismayed about the last Government’s incompetence and was another example of why the system needs reform”.
An HMRC spokesman blamed a printing error, and played down the danger of identity theft for those affected.
She said: “Unfortunately an error has occurred in one of the tax credits print runs causing some customer information to be wrongly formatted.
“Investigations are under way to identify the cause of the problem and we will be contacting affected customers in writing this week, apologising and providing a corrected award notice.
“An initial analysis shows that ID theft could not result from this printing error.”
[Evan] This information should not have been disclosed in the manner that it was, but I agree that identity theft will probably not occur as a direct result of this breach.
Commentary:
I get as fired up about breaches and misuse as just about anyone, but I am not that fired up about this one. This breach could easily have been much worse than it was. The largest impact for HMRC is reputational, but I don't think they had much lower to go anyway.
We can use this breach as a reminder to include mailings in our information security programs. Mailings sometimes contain confidential information such as customer names, addresses, phone numbers, account numbers, marketing materials, special correspondence, etc. Each mailing job requires changes to the systems that produce it. Do companies with in-house mailing departments use change control for their mailings? Do they go through test runs before production runs? What controls are in place to prevent errors? Third-party mailing vendors should be assessed for risk and included in a general third-party information security management program. Just thoughts.
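One concrete form the "test run before production" control can take is a check of the rendered page stream before it goes to the printer. This is an added example, not HMRC's or its print supplier's code; it assumes a hypothetical convention in which every rendered page carries a machine-readable header of the form "ref=<id>;page=<i>/<n>", and a job file listing each recipient with their page count.

```python
"""Pre-production checks for a mail-merge print run (added example, not HMRC's
or its print supplier's code; the page header format is an assumption)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Page:
    ref: str    # recipient reference printed on the page
    idx: int    # page number within this recipient's notice (1-based)
    total: int  # pages in this recipient's notice


def parse_page(header: str) -> Page:
    """Parse the assumed header, e.g. 'ref=TC-0002;page=2/2'."""
    fields = dict(f.split("=", 1) for f in header.split(";"))
    idx, total = (int(x) for x in fields["page"].split("/"))
    return Page(fields["ref"], idx, total)


def check_against_job(job: list[tuple[str, int]], headers: list[str]) -> list[str]:
    """Compare the rendered page stream with the job file [(ref, page count)].
    Returns discrepancies; an empty list means the run matches the job."""
    expected = [Page(ref, k, n) for ref, n in job for k in range(1, n + 1)]
    actual = [parse_page(h) for h in headers]
    problems = []
    if len(actual) != len(expected):
        problems.append(f"page count: expected {len(expected)}, rendered {len(actual)}")
    for pos, (e, a) in enumerate(zip(expected, actual)):
        if e != a:
            problems.append(f"page {pos + 1}: expected {e.ref} {e.idx}/{e.total}, "
                            f"rendered {a.ref} {a.idx}/{a.total}")
    return problems


def check_duplex_sheets(headers: list[str]) -> list[str]:
    """Job-file-free check for duplex output: both sides of a physical sheet
    must name the same recipient. A one-page shift in the stream puts one
    person's back page on the same sheet as a stranger's front page."""
    pages = [parse_page(h) for h in headers]
    problems = []
    for sheet, i in enumerate(range(0, len(pages) - 1, 2), start=1):
        front, back = pages[i], pages[i + 1]
        if front.ref != back.ref:
            problems.append(f"sheet {sheet}: front is {front.ref}, back is {back.ref}")
    return problems


# Constructed sample: two-page notices for three recipients.
JOB = [("TC-0001", 2), ("TC-0002", 2), ("TC-0003", 2)]
CLEAN_RUN = [f"ref={r};page={k}/{n}" for r, n in JOB for k in range(1, n + 1)]
# A formatting fault that drops the first page shifts every later page by one.
SHIFTED_RUN = CLEAN_RUN[1:] + ["ref=BLANK;page=1/1"]
```

Either check flags the shifted run on every sheet, so a single misaligned page break is caught in the test run rather than discovered by recipients.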
For those of you in the U.S., have a happy and safe Memorial Day! For those of you in the UK, and other places, have a nice weekend!
Past Breaches:
HMRC:
There are more than six past breaches concerning HMRC. Arguably the most notable HMRC breach occurred in 2007: "Incompetence leads to HMRC breach affecting over 25 million in UK".
As I tell so many people these days, SECURITY is just another aspect of QUALITY. If you have a security problem that causes damage, it is clearly a problem that crept in due to lack of quality in one of several areas from "requirements" through "operations". And, if you have an identifiable problem with basic quality, there's a good chance it may one day be exploited or accidentally exposed, becoming a security problem.
Jumbled printouts look like a quality problem that has turned into a security problem. If we call it a security problem, it would be a lack of certain security requirements, or failure to follow through properly on requirements to implementation. For example, it might be done properly by having a statement in your security requirements stating, "Personal information of citizens will not be disclosed to any unauthorized individuals or entities" early on in the development of this service. You're right that test runs should have caught this problem if the requirement could be traced to a test. Or, maybe a slight change in formatting that was not checked for quality (and/or tested) may have led to the poor alignment of page breaks in a machine.
Either way, it's related to quality nearly as much as security.