Security experts lambast HMRC

Security experts have assailed HM Revenue and Customs (HMRC) for being responsible for the loss of 25 million confidential child benefit records, which has opened up fraud risks.

The government blunder involved the loss of computer discs sent via courier, which contained the details of over seven million people's bank details. HMRC chairman Paul Gray has resigned.

Jonathan Armstrong, partner at international law firm Eversheds, said: "The breach is also likely to give birth to a number of phishing scams. Even if the data on the CDs does not get into the hands of fraudsters it is likely that even now a large email campaign is being planned to prey on the British public."

"We have been involved with a number of major multinational breaches and have spoken with clients after the event to help others learn from their experience. In many cases the consequences of the data breach are worse than first anticipated," he added. "Often the losses are due to failures with third parties, including couriers where back-up tapes or CDs go astray. A common theme is that the contracts with those couriers are often inadequate to cover loss - in one case for example losses were well over $1m when the contract with the courier made their maximum liability half that."

Fred Piper, professor, director, of information security group at Royal Holloway University of London, said it "beggars belief" as to how this data loss could have occurred.

"It shouldn't happen. It beggars belief as to who authorised this, and whether they had authority to send the data or just did it," he said. "It's a straightforward, irresponsible cock up. If you must transfer data, there should be a clear reporting structure to the value of data. If it is valuable data, then only senior staff should authorise it and that data needs adequate protection."

Yesterday, the Chancellor of the Exchequer, Alistair Darling issued a statement, which admitted that the discs were password protected. However, Darling but did not state whether the discs were encrypted. Calls to HMRC were not returned at time of writing.

Piper said: "Had it been encrypted, that's the first thing they would have said. HMRC said the discs were password protected, but had they been protected properly, they would have been stated this. Don't know what level of protection, but we can only surmise that if HMRC are not stating that the data is encrypted, then it isn't."

Darling added that an independent review of HMRC’s security procedures is taking place, with the full results being published in spring 2008.

Bob Ayers, associate fellow at Chatham House's International Security Programme, questioned how this could have happened. "The most obvious reason is it was either poor security procedures, or poor compliance with those procedures... What kind of data protection regime is there in place in which highly sensitive information is stuffed in an envelope and given to guy on a motorbike to courier across London? What kind of protection regime treats such vitally important information in such cavalier fashion?"

Ayers urged government to review its processes, technology and compliance. "The solutions to correcting this problem could be technical, procedural, legislative and administrative."

"We are getting a lot of head-patting from the government that they are in charge and they are trying to figure out what happened. We are being told not to panic and not to change our bank accounts," he said. "I would want to know how did this happen. I'm not talking about the mechanics, but how did we get to the position that such critically sensitive information is being treated like a package of fish and chips and moved around London. Until we understand the answer, there can be no assurance that this is not going to happen again and again and again."

Comments