25 million people’s personal data “lost in the mail” by UK government

If Joe Hockey – or his Labor successor – start talking about what a great idea the “not-an-ID-card” Access Card – is, here’s a tale from the UK about the hazards of giving governments too much personal data. The Guardian reports:

On October 18, a junior civil servant at the child benefit offices in Tyne and Wear set in train a series of events which put 25 million people at risk of fraud, forced the resignation of the government’s most senior tax collector, put in doubt the future of the government’s ID card scheme, and reinforced doubts as to the competence Gordon Brown’s administration.

It is understood (though not yet absolutely established) that on that Thursday, two CDs, password-protected but containing the government’s entire database of child benefit claimants, including the bank details of 7.25 million families, were sent from the HM Revenue and Customs (HMRC) offices in Waterview Park, Washington, to the National Audit Office on Buckingham Palace Road, London. The government and police believe they were sent by a civil servant with IT know-how, unregistered, via the HMRC’s internal postal system, operated by the private courier TNT. But they did not arrive.

Were the CD’s to make their way into the hands of criminals, they would allow identity theft on a massive scale.

Unsurprisingly, the UK government, particularly new Chancellor Alistair Darling, is scrambling to deal with the fallout, which is particularly embarrassing given that they are keen to introduce identity cards in the UK. As well as a complete bit of misdirection about the ease with which the data could be accessed: “Darling revealed that although the information on the CDs was not encrypted, it was password-protected.” This is like locking a flywire door; anyone armed with the most elementary tools would have been able to bypass such minimal protection. There also seems to be an effort to blame the individual concerned, who undoubtedly made a “”colossal error” in extracting the massive amount of information, burning it to an unencrypted CD and putting it in the regular, untracked, departmental courier service, all of which were apparently breaches of departmental security policy.

Yes, whomever was responsible for this made a career-ending mistake – assuming they weren’t directly ordered to do so by a superior, which I wouldn’t rule out. But there had to have been security policy failures at every level to make this possible. It simply shouldn’t have been possible for a “junior civil servant” to extract this scale and detail of information out of the relevant database without massive red flags being raised. Furthermore, there should be considerable barriers to taking any information – particularly bulk information – out of the system and onto external file systems. And, furthermore, by default everything that gets written to an external data source in such an environment where there is such quantities of sensitive personal data – laptops, CD’s, key drives, and the like – should have strong encryption applied to it. There are freely available commercial (and for that matter free) tools that can do this. And, yes, the fact that somebody who knew how to get such information out of the HMRC’s database didn’t realize that it was a massive no-no to burn it to CD and pop it in the post suggests a severe failure of security training.

And it’s not like the department concerned hasn’t had any warning that they have a security problem: as this IT press blog notes, they’ve recently had issues with stolen laptops with unencrypted data, and a CD containing personal information of 15,000 people, being lost.

All that said, I doubt that most government departments, or for that matter most big businesses, do anything much different – everybody from the janitor up has full access to the company database, and can pull data onto unguarded external data storage; laptop hard drives full of sensitive information routinely walk out the door without encryption to protect it. And that is why I am so unenthusiastic about attempts to make further information available across multiple government departments, as the Access Card project proposed for Australia would undoubtedly do.

And the first thing the new Treasurer of Australia (or Finance Minister) should be doing after the election on Saturday is asking the head of the Australian Tax Office – and every other government department that keeps records on a large section of the Australian population – why the same thing couldn’t happen here. And if the answer is “our staff wouldn’t be that stupid”, they’d better start knocking heads together.

Advertisements
Posted in politics, Security
15 comments on “25 million people’s personal data “lost in the mail” by UK government
  1. tigtog says:

    Scary post, Rob. *shudder*

  2. wilful says:

    Plibersek has said unequivocally that the Access Card is dead, should they form government.

  3. Wilful: I hope so. These things, unfortunately, are like the bloody hydra – there’s nitwits in bureaucracies who always think this would make their life easier and can’t imagine that the benevolent government departments they run could ever, ever, lose or abuse the data they collect. And, sooner or later, they find an eager-beaver minister, wave “efficiencies” and “fraud reduction” (not to mention “terrorism”, since 2001) under their nose, and, voila, it all comes back. Remember, it was a Labor government who proposed the Australia Card back in the 1980s.

  4. But the lost CDs have turned up on eBay, so it’s all right then. 🙂

  5. david tiley says:

    The trouble is, the transfer of information for health and economic reasons does make life easier. Try living without a drivers license, a medicare card, or a debit card or (in my case) a credit card and see how far you get.

    And remember that we are all dependent on mobile phones, which make us trackable all the time as the little buggers keep telling the masts where we are. Add a bit of remote email from the blackberry, and a GPS in the car or on the phone.. we become but datanodes, and they become continuous.

    But the information makes us more and more vulnerable to the misuse of power. Home imprisonment is just one example, where you can be left in the community, your movements tracked, your contacts monitored – and your family pays the cost of your imprisonment. Ooh, yummy.

    One possible strategy, as I occasionally rant about, is the Scandinavian system of putting government information about citizens online, which functions both as a form of social control, and makes some of it innocuous. Some of it.

    Imagine if your mobile phone tracking records were freely available online.. shudder.. it would take a microsecond before people would be enraged, and that leads straight to the question: if agencies are holding information which we don’t want to be made public, why are they holding that information in the first place?

    just rambling. One more sleep.

  6. david tiley says:

    I’m so excited I can’t even count. Two more sleeps.

  7. FDB says:

    No sleeps at all, if you’re excited enough David.

  8. bilb says:

    good one FDB

  9. mharrison says:

    Welcome to Britain. Living here, I can so understand how this happened. And yes apparently the junior civil servant was ordered to burn the disks by a senior civil servant. The National Audit Office specifically requested that the personal data be stripped out but the “system” wouldn’t allow that so they would have had to do to the data management contract company to get them to change the “system” which would have cost money. Failures at every level over a long period.

  10. grace pettigrew says:

    Sounds all a bit hysterical to me. Yes, there was a serious failure in procedures, so fix it. Yes, the CDs are missing, but there is no evidence they are in criminal hands, they might be in some rubbish bin somewhere. The whole thing is being beaten up by the press and the opposition into a massive problem, threatening to bring the government down. A bit of calm reflection would not go astray.

  11. I’ve thought about it calmly for a moment Grace…and I still think this was a mistake of the highest order.

    The fact that it happened at all was indicative of systemic failure. What’s to stop another “junior official” taking the same data, slipping it in a USB drive in his back pocket, and selling it to the highest bidder? That is the issue, not that the UK has probably dodged a bullet this time.

  12. SG says:

    Be interesting if this is a career-ending moment for some minor civil servant, when plugging a random electrician full of holes at point blank range (and chasing the train driver, and pointing guns at your fellow officers!) merely earns you a reprimand (and the support of the prime minister).

  13. Dave Bath says:

    It’s worth noting that information security in the UK is much better than most of the world (BS7799 was the first decent infosec standard, and became ISO 17799). Australians are more at risk than the Brits, and it’s doubtful whether an Oz PM (of either major party) would stand up and give such an unspun mea-culpa as Brown.

    It’s worth noting that information management systems (paper or electronic) in Oz agencies (and subcontractors) are meant to adhere to the Protective Services Manual from the Attorney-General, which points to Defence Signals Directorate ACSI33 as the minimal standard for information security.

    Unfortunately, despite the best efforts of the good folk at the DSD and AGIMO, it is too easy for managers to plead ignorance of the requirements, and thus systems are insecure.

    I argued in my AccessCard senate submission (14) that …

    I recommend that relevant expert agencies (dsd.gov.au, agimo.gov.au, naa.gov.au) together with the Australian National Audit Office are required to review all the specifications of work in contracts to implement the system, sign off on the implementation before it goes into production and carry out appropriately resourced audits on an annual basis.

    Shortly after my submission, the DSD, who are only too happy to help agencies and subcontractors at no charge, responded to a query from the AccessCard committee (sub) that while they can

    offer technical advice on the current tender evaluations; security advice on system design; evaluation and accreditation of information communications technology security products used in the development and maintenance of the system; and vulnerability assessments both before and after system rollout

    , unfortunately the bean-counters can happily ignore all technical requirements (with impunity because there are rarely compliance checks)

    The final decision on all aspects of the system remains with the Department of Human Services.

    Until the DSD, AGIMO are given teeth, until managers in agencies and subcontractors are made explicitly aware of their obligations, and until ANAO is properly resourced to check out this important area in all agencies (which has national security implications as well as privacy issues), then we are extremely vulnerable.

    Mind you, it’s likely that in Oz, where things are incredibly lax, any stuffups wouldn’t be discovered, wouldn’t be reported, and Ministers would "not ask, not tell". The public would only be alerted once the damage had already been done by many (unsubtle) criminal activities.

  14. SG: it seems increasingly unlikely that the junior person, whomever they are, will get hung out to dry for this. The latest reports coming out of Britain suggest that much more senior officials were cc’d on emails explaining what was going on. Furthermore, the emails indicate that the reason for not stripping out the sensitive data was because they’d have to pay their IT supplier extra to do it, which is very, very odd.

    Excluding the relevant fields from the database query that generated the data dump should have been a trivial task. If HMRC are so utterly dependent on outsourcing that they don’t even have the expertise to perform something so simple, they must be even more screwed up than we realize…

  15. SG says:

    it’ll still be an interesting comparison, if Brown or someone just under him can lose his job for this, but Blair can hold his position after his organisation murdered someone in cold blood, then threatened their own cops and chased a train driver onto a live railway line. It says something about the priorities of English media (and political organisations) that one thing is a punishable offence, but the other can be swept under the rug. And in both cases senior figures stepped in to authorise the action which led to the final “blunder” (if in the case of de Menezes it was actually a blunder).

Comments are closed.

  • An error has occurred; the feed is probably down. Try again later.
%d bloggers like this: