If Joe Hockey – or his Labor successor – starts talking about what a great idea the “not-an-ID-card” Access Card is, here’s a tale from the UK about the hazards of giving governments too much personal data. The Guardian reports:
On October 18, a junior civil servant at the child benefit offices in Tyne and Wear set in train a series of events which put 25 million people at risk of fraud, forced the resignation of the government’s most senior tax collector, put in doubt the future of the government’s ID card scheme, and reinforced doubts as to the competence of Gordon Brown’s administration.
It is understood (though not yet absolutely established) that on that Thursday, two CDs, password-protected but containing the government’s entire database of child benefit claimants, including the bank details of 7.25 million families, were sent from the HM Revenue and Customs (HMRC) offices in Waterview Park, Washington, to the National Audit Office on Buckingham Palace Road, London. The government and police believe they were sent by a civil servant with IT know-how, unregistered, via the HMRC’s internal postal system, operated by the private courier TNT. But they did not arrive.
Were the CDs to make their way into the hands of criminals, they would allow identity theft on a massive scale.
Unsurprisingly, the UK government, particularly new Chancellor Alistair Darling, is scrambling to deal with the fallout, which is particularly embarrassing given that they are keen to introduce identity cards in the UK. There has also been a complete bit of misdirection about the ease with which the data could be accessed: “Darling revealed that although the information on the CDs was not encrypted, it was password-protected.” This is like locking a flywire door; anyone armed with the most elementary tools would have been able to bypass such minimal protection. There also seems to be an effort to blame the individual concerned, who undoubtedly made a “colossal error” in extracting the massive amount of information, burning it to an unencrypted CD and putting it in the regular, untracked, departmental courier service, all of which were apparently breaches of departmental security policy.
Yes, whoever was responsible for this made a career-ending mistake – assuming they weren’t directly ordered to do so by a superior, which I wouldn’t rule out. But there had to have been security policy failures at every level to make this possible. It simply shouldn’t have been possible for a “junior civil servant” to extract this scale and detail of information out of the relevant database without massive red flags being raised. Furthermore, there should be considerable barriers to taking any information – particularly bulk information – out of the system and onto external file systems. And, furthermore, in an environment holding such quantities of sensitive personal data, everything that gets written to external storage – laptops, CDs, key drives, and the like – should by default have strong encryption applied to it. There are freely available commercial (and for that matter free) tools that can do this. And, yes, the fact that somebody who knew how to get such information out of the HMRC’s database didn’t realize that it was a massive no-no to burn it to CD and pop it in the post suggests a severe failure of security training.
And it’s not like the department concerned hasn’t had any warning that they have a security problem: as this IT press blog notes, they’ve recently had issues with stolen laptops holding unencrypted data, and with a CD containing the personal information of 15,000 people being lost.
All that said, I doubt that most government departments, or for that matter most big businesses, do anything much different – everybody from the janitor up has full access to the company database, and can pull data onto unguarded external data storage; laptop hard drives full of sensitive information routinely walk out the door without encryption to protect them. And that is why I am so unenthusiastic about attempts to make further information available across multiple government departments, as the Access Card project proposed for Australia would undoubtedly do.
And the first thing the new Treasurer of Australia (or Finance Minister) should be doing after the election on Saturday is asking the head of the Australian Tax Office – and every other government department that keeps records on a large section of the Australian population – why the same thing couldn’t happen here. And if the answer is “our staff wouldn’t be that stupid”, they’d better start knocking heads together.