Pensions details on lost CD not encrypted

A lost compact disc containing the personal pension details of 15,000 people was not encrypted.

The CD was lost in transit between Her Majesty's Revenue and Customs Service (HMRC) and financial services company Standard Life, and was unencrypted, HMRC revealed on Monday.

An HMRC statement said: "HMRC take the security of customer information very seriously. The data, which contained the records of around 15,000 people, was lost in transit by HMRC's external courier."

"Customers have been written to and precautionary measures have been put in place to check customers' records for any fraudulent activity. We have also reviewed our arrangements and introduced safeguards to prevent this happening in future."

One form of pension payment is an Age Related Rebate (ARR). Funds are paid into the accounts of individuals' pension providers by HMRC electronically, depending on the level of the National Insurance contributions people have made. The pension details of the individuals are then sent separately to pension providers, to enable their records to be updated.

In this instance 15,000 pension details of customers of Standard Life were sent to the pension provider by HMRC via an unnamed third-party courier, at the end of September. However, the courier lost the disc, which was not encrypted, an HMRC spokesperson silicon.com siter publication ZDNet.co.uk.

"HMRC very much regrets that this has happened and are committed to working with the institutions to ensure that those customers affected receive the advice and support they require," said the HMRC statement. "We have asked customers to remain vigilant and have set up a number of dedicated HMRC telephone hotlines."

The data contained on the disk included the surnames and initials of the individuals, as well as their National Insurance numbers, dates of birth and pension plan numbers. That the disc was not encrypted means the details can be read more easily.

Tom Espiner writes for ZDNet.co.uk