As Britain contemplates the business-end of the loss of data on 25 million individuals and 7.25 million families, the extent of the breach is becoming clearer. To paraphrase the late, great Jackie Gleason, TJX is but a mere bag of shells. These lost records include the names of those receiving benefits and of their children, addresses and dates of birth, child benefit and national insurance numbers, and, sometimes, bank account details.
For those of you who haven’t been by the CIA Factbook recently, Great Britain had a total population, last July, of 60.8 million. So this is, like, a big deal. Totally.
Chancellor of the Exchequer Alistair Darling made a statement to the House of Commons on the 20th of November. The statement was, sadly, unsurprising. It turns out that, even when an organization as butch andclued-in as Her Majesty’s Revenue and Customs has in place procedures about how to classify as and then how to handle sensitive data, idiots still can lead to what in this case is a Royal pooch-screw.
Tell us more, Darling:
The National Audit Office – which is independent of Government, but answerable to Parliament – has a right to ask for and access data from HMRC in discharging its compliance responsibilities.
In March of this year it appears that a junior official within HMRC provided the National Audit Office with a full copy of HMRC’s data in relation to the payment of child benefit.
In doing so it is clear that the strict rules governing HMRC standing procedures were not followed. These procedures relate to the security and access to data as well as its transit to ensure that data is properly protected. This information should not have been handed over by HMRC in the way that it was. However, I understand that in this case the NAO subsequently returned all the information it received in March to HMRC after auditing it.
It now appears that following a further request from the NAO in October for information from the Child Benefit database, andagain at a junior level and again contrary to all HMRC standing procedures, two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s post system operated by the courier TNT. The package was not recorded or registered.
Mr Speaker, it appears the data has failed to reach the addressee in the NAO. [Emphasis added]
But wait! There’s more:
Mr Speaker, I also have to tell the House that on finding that the package had not arrived at the NAO, a further copy of this data was sent, this time by registered post, and which did arrive at the NAO. However, again HMRC should never have let this happen. [Emphasis emphatically added]
D’OH! Now wait a second. That last time he did not say that it was by a junior staffer. He did say that he had no idea when it happened, and that nearly three weeks elapsed between the time of the breach – the ‘non-arrival event’ – and management notification (“[I]t is believed the data was sent from HMRC to the NAO on 18 October, the fact it did not arrive it was not reported to HMRC’s senior management until 8 November, nearly 3 weeks later…”)
So just to regroup: the NAO has the right to ask for the data. HMRC has the responsibility to provide it, but only upon following strict procedures to safeguard it. At least two junior-level datacrats bypassed these “strict” procedures (I’d bet a pound – these days about $100 – that this was done to save everyone time and hassle), and a third, urm, somebody sent out another copy of these disks on the back of a motorbike et voila!.
- 98% stupid or inadvertent
- 1.5% modestly skilled thieves
- 0.5% targeted attacks by trained, skilled users with motive – financial, political or otherwise.
- 100% due to an organizational lack of understanding of how data is created, where it resides, where it travels, who accesses it and where it goes