How did 25 million records get 'lost in the post'?

The loss by Her Majesty's Revenue & Customs (HMRC) of two CDs crammed with sensitive data is now being seen as the UK's biggest ever data breach.

In a statement to the House of Commons on Tuesday the Chancellor of the Exchequer, Alistair Darling, revealed the full scale of the data loss to gasps from MPs.

HMRC revealed the missing CDs contain 25 million records of agents, alternative recipients, children and customers on the child benefit database.

This breaks down as the names, addresses, dates of birth, National Insurance numbers and, when relevant, the bank account details of some 15.5 million children, 7.25 million claimants and 2.25 million alternative payees, such as partners or carers.

The result is the banking industry and almost every family in the UK have been put on alert because of fear their personal details could now fall into the hands of criminals and ID thieves.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

It now seems HMRC's practice of sending sensitive data on CDs through the post has been going on for some months and would most likely have continued were it not for this incident.

SNP MP Stewart Hosie asked the Chancellor: "I am most concerned about the system failure, including as regards the implementation of guidelines, which allowed a junior official to copy the entire child benefit database on to a disc and post it, unregistered, to anyone."

The timeline of events shows the National Audit Office (NAO) requested the National Insurance numbers of everyone on the child benefit database from HMRC in March and a junior HMRC official - ignoring standing procedures relating to the security and access to data and its transit - copied the details onto CDs and posted them to the NAO using the tax office's courier TNT. That data was received by the NAO and returned after use.

But Darling told MPs this week: "It now appears that, following a further request from the NAO in October for information from the child benefit database, again at a junior level and again contrary to all HMRC standing procedures, two password-protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit were sent to the NAO, by HMRC's internal post system operated by the courier TNT. The package was not recorded or registered."

This time those CDs sent on 18 October failed to reach the NAO. And on being told on 24 October by the NAO the package had not arrived, the junior HMRC official simply made another copy of the data and sent it again through the post - this time registered - to the NAO. Thankfully that package arrived.

HMRC now admits that, given the sensitivity and confidentiality of the data, a cryptographic key should have been used and the data should only have been accessed on a standalone computer terminal in a secure environment. The data should also have been sent by secure and traceable, recorded delivery with a full audit trail for transportation.

It was then nearly three weeks on 8 November before news the CDs sent on 18 October containing the child benefit data had gone missing was reported to HMRC's senior management. Darling was then informed on the morning of Saturday 10 November and the Prime Minister shortly after.

Despite comprehensive searches of HMRC offices, the CDs failed to turn up and on 14 November Darling instructed the HMRC chairman Paul Gray to call in the Metropolitan Police to conduct a full investigation - though that has so far failed to locate the missing CDs.

Darling said the delay in notifying the public about the security breach was on the advice of privacy watchdog the Information Commissioner, the Financial Services Authority and the Serious Organised Crime Agency, in order for HMRC and the banks to take remedial action before a public statement was made.

The Information Commissioner Richard Thomas said in a statement: "This is an extremely serious and disturbing security breach. This is not the first time that we have been made aware of breaches at the HM Revenue and Customs - we are already investigating two other breaches. Incidents like these illustrate that any system is only as good as its weakest link. Searching questions need to be answered about systems, procedures and human error inside both HMRC and NAO."

Individual banks and other financial institutions, including building societies and post offices, of affected accounts have been notified and the individual institutions are flagging those accounts to monitor for irregular activity.

Darling said: "They tell me that so far they have found no evidence of such activity."

The reality is millions of UK families have been warned to monitor their accounts and bank statements for any unusual activity. The banks say there is no need for customers to ask for a new account and have warned people against giving out personal or account details requested unexpectedly by phone or email.

In the meantime the fallout at HMRC begins, with chairman Paul Gray already having fallen on his sword. The Independent Police Complaints Commission will now carry out an independent investigation into the incident.

Gary Garland, IPCC Commissioner with responsibility for HMRC, said in a statement: "The focus of our investigation will be to identify the causes of this extremely serious failure and consider whether relevant local and national policies and guidelines were complied with."

The Metropolitan Police investigation and search for the missing CDs is also ongoing and the government has appointed PricewaterhouseCoopers chairman Kieran Poynter to investigate HMRC's security procedures and processes for data handling.

HMRC senior management have also instructed tax office staff that no information is to be downloaded from computers in this way without the authority of a very senior member of HMRC.

Additional interim security arrangements put in place as a result of the breach include rules stating all significant bulk data transfers outside the department should be conducted by automated electronic transfer, any transfer on removable media such as CDs must be securely encrypted.

The Chancellor said the NAO in future will also be required to visit the location where the data is stored when such quantities need to be scrutinised, instead of downloading it. The whole sorry episode also raises serious questions about the government's ability to run a national identity database as part of the controversial ID card scheme.

Shadow chancellor George Osborne challenged the Chancellor: "Does he agree that today must mark the final blow to the government's ambition to create a national ID card? They simply cannot be trusted with people's personal information. There are 25 million people whose personal details have been lost by this government. Never mind the lack of vision; just get a grip and deliver a basic level of competence."

Security expert Graham Titterington, principal analyst at researcher Ovum, said the data lost is enough for thieves to perform a comprehensive identity theft job on each of the 25 million people, including applying for passports, national identity cards and bank accounts in their names.

He said in a statement: "If the data has fallen into the hands of identity thieves, which is unlikely, the entire national identity ecosystem is undermined for two generations. The UK government, and the nation, is reduced to hoping that these two CDs are languishing in a trash can somewhere."