Chancellor Alistair Darling has been forced to explain the loss of two computer discs holding records for 25 million individuals and 7.25m families to the House of Commons.
In a statement to the Commons, Darling explained the circumstances behind yesterday's shock resignation of HMRC chairman Paul Gray, revealing that last month a junior employee used the department’s internal mail system to send two password-protected discs that contained a full, unencrypted copy of HMRC’s data relating the payment of child benefit to the National Audit Office. But the discs never arrived.
Two more discs holding the same data were sent subsequently by registered post to the NAO and arrived and were returned safely.
The data breach is one of the world’s biggest ID protection failures, and all the more significant because bank account details are involved. The data lost includes parents' and children's names, addresses, dates of birth, child benefit and national insurance numbers, as well bank account details. The 25 million records included details on 7.25 million families.
A police investigation has been launched into the incident, including staff interviews at HMRC.
Darling admitted it was "highly likely" that there had been breaches of the Data Protection Act. He said HMRC had clear instructions and rules in relation to the downloading and transmitting information, but these had been ignored.
Shadow chancellor George Osborne said the government needed to "get a grip" and deliver a basic level of competence.
He said the breach was the “final blow for the ambitions of this government to create a national ID database”.
Information commissioner Richard Thomas said: “This is an extremely serious and disturbing security breach. This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches. Incidents like these illustrate that any system is only as good as its weakest link. The alarm bells must now ring in every organisation about the risks of not protecting people’s personal information properly.”
Thomas said he was pleased that HMRC had “reported the breach to my office” and that the chancellor had appointed Kieran Poynter of PricewaterhouseCoopers to carry out an independent review.
“Searching questions need to be answered about systems, procedures and human error inside both HMRC and NAO,” Thomas added.
Workers’ unions also responded angrily to the breach, blaming the failure on the “enormous pressure being placed on HMRC by government-imposed job cuts”.
Mark Serwotka, general secretary of the Public and Commercial Services Union (PCS), said job cuts totalling 25,000 by 2011 and the recent merger and massive ongoing restructuring at HMRC had left it particularly vulnerable.
“With additional security checks expected to be put in place for people claiming and making enquiries about child benefit we urge the government to put extra resources into HMRC rather than continuing with cutting jobs,” he added.
HMRC said earlier this month after another, smaller security breach was made public that it had reviewed its arrangements and "introduced safeguards to prevent this happening in future".