Tuesday, November 27, 2007

The Loss of Her Majesty's Revenue and Customs Data


Let us be clear about the scale of this catastrophic mistake – the names, the addresses and the dates of birth of every child in the country are sitting on two computer disks lost in the post.

On Tuesday 20th November 2007, the United Kingdom's Chancellor of the Exchequer, Alistair Darling, rose in the House of Commons.

To gasps of astonishment from other Members of Parliament, he announced:

Two password-protected discs containing a full copy of Her Majesty's Revenue and Customs' (HMRC) entire data in relation to the payment of child benefits were sent to the National Audit Office (NAO) by HMRC's internal post system operated by the courier TNT.

The package was not recorded or registered.

It appears that the data has failed to reach the addressee in the NAO.


The lost data relates to approximately 25 million people in the United Kingdom (nearly half the country’s population).

The personal data on the missing discs include names, addresses and dates of birth of children, together with the National Insurance numbers and bank details of their parents.

***

The problems started in March when the NAO first asked for the names, National Insurance numbers and child benefit numbers of every child.

The NAO wanted the information to select 100 cases at random for its annual audit of HMRC.

The NAO wanted bank and other details removed from the discs. An HMRC official replied that it could only provide all the details on the database, to keep the cost down.

The discs were sent by junior staff at HMRC to the NAO as unrecorded internal mail via TNT on Thursday 18th October.

On Wednesday 24th October the NAO complained to the HMRC that they had not received the data.

By Saturday 10th November, the Chancellor had been informed.

By sending the data on computer discs, HMRC broke nearly every standing procedure with regard to the management of sensitive information.

The incident was a breach of the United Kingdom’s Data Protection Act and resulted in the immediate resignation of HMRC Chairman Paul Gray.

The cost of stripping out the confidential information – and thus avoiding most of the problems regarding the lost data of 25 million people – has since been estimated as being £5,000.

***

Below is a link to an approach to managing such incidents – a Computer Security Incident Response Team:

http://www.cert.org/csirts/Creating-A-CSIRT.html