UK banks could be forced to close the accounts of all child benefit claimants affected by an HMRC operational failure believed to involve the loss of 25 million records stored on discs, a Gartner analyst has warned.
And if the banks were forced to take such a step because the data fell into criminal hands, it could cost the UK banking system as much as £300m.
Avivah Litan, a Gartner distinguished analyst, said the reported data loss is especially serious because it reportedly includes bank account details, and the security and fraud detection systems for bank accounts are much less advanced than those for credit cards.
“The data lost – bank account numbers, names and addresses – represents a goldmine for the thieves and is much more valuable to them than credit card numbers or taxpayer ID numbers,” said Litan.
“Even the possibility of such a move will throw the UK banks into emergency response mode, and they will need to closely monitor all fund transfers out of potentially affected accounts.”
Litan said the issue was especially problematic as the UK is shortly due to implement its Faster Payments initiative, which will usher in nearly immediate funds transfer.
Litan said the banks would be on high alert looking for suspicious activity related to the accounts and “at the first sign of any activity would shut down accounts.”
But Litan said the likelihood that the data, if lost rather than stolen, has fallen into criminal hands is extremely low.
“History shows that a citizen with sensitive account data contained on lost media has a less than 1% chance of falling victim to identity theft,” she said.
Philip Wicks, a consultant for business and technology consultancy Morse, said: “Organisations should put in place technology controls that prevent sensitive and confidential data being copied to disks or any other devices that can be taken offsite.
“If and when there is a need for data to be taken offsite, a special request should be made and granted only when assurances are given on how the data will be secured.”
The lost data appears not to have been encrypted, and security specialist McAfee said the data breach was “yet another example of the danger of putting sensitive information on an easy to lose format such as discs and the result of internal policies not being backed up by good security practice.”
McAfee added that HMRC “will need to explain to consumers why it has taken 10 days to disclose this breach and the extent of the risk to their personal details.”