Chancellor Alistair Darling has been forced to explain the loss of two computer discs holding records for 25 million individuals and 7.25m families to the House of Commons.
In a statement to the Commons, Darling explained the circumstances behind yesterday's shock resignation of HMRC chairman Paul Gray, revealing that last month a junior employee used the department’s internal mail system to send two password-protected discs that contained a full, unencrypted copy of HMRC’s data relating the payment of child benefit to the National Audit Office. But the discs never arrived.
Two more discs holding the same data were sent subsequently by registered post to the NAO and arrived and were returned safely.
The data breach is one of the world’s biggest ID protection failures, and all the more significant because bank account details are involved. The data lost includes parents' and children's names, addresses, dates of birth, child benefit and national insurance numbers, as well bank account details. The 25 million records included details on 7.25 million families.
A police investigation has been launched into the incident, including staff interviews at HMRC.
Darling admitted it was "highly likely" that there had been breaches of the Data Protection Act. He said HMRC had clear instructions and rules in relation to the downloading and transmitting information, but these had been ignored.
Shadow chancellor George Osborne said the government needed to "get a grip" and deliver a basic level of competence.
He said the breach was the “final blow for the ambitions of this government to create a national ID database”.
Information commissioner Richard Thomas said: “This is an extremely serious and disturbing security breach. This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches. Incidents like these illustrate that any system is only as good as its weakest link. The alarm bells must now ring in every organisation about the risks of not protecting people’s personal information properly.”
Thomas said he was pleased that HMRC had “reported the breach to my office” and that the chancellor had appointed Kieran Poynter of PricewaterhouseCoopers to carry out an independent review.
“Searching questions need to be answered about systems, procedures and human error inside both HMRC and NAO,” Thomas added.
Workers’ unions also responded angrily to the breach, blaming the failure on the “enormous pressure being placed on HMRC by government-imposed job cuts”.
Mark Serwotka, general secretary of the Public and Commercial Services Union (PCS), said job cuts totalling 25,000 by 2011 and the recent merger and massive ongoing restructuring at HMRC had left it particularly vulnerable.
“With additional security checks expected to be put in place for people claiming and making enquiries about child benefit we urge the government to put extra resources into HMRC rather than continuing with cutting jobs,” he added.
HMRC said earlier this month after another, smaller security breach was made public that it had reviewed its arrangements and "introduced safeguards to prevent this happening in future".
Comments
Doug said: Disk Encryption would render the disks useless to anyone that does not possess the passwordwwwcd-lockcom
Dave said: If only life was so straight forward I am afraid that the pressures of work job cuts lack of training etc will all of had an impact on the situation perhaps not directly but it would have been a contributing factor It is very easy for the experienced people amongst us to assume that we would have never sent a CD in the basic mail when we were small The truth is we might have just done that No I am afraid if you dont have the staff and you dont have the time to train your staff then disasters like this are going to happen They shouldnt be even sharing this data in the first place
Dave said: If only life was so straight forward I am afraid that the pressures of work job cuts lack of training etc will all of had an impact on the situation perhaps not directly but it would have been a contributing factor It is very easy for the experienced people amongst us to assume that we would have never sent a CD in the basic mail when we were small The truth is we might have just done that No I am afraid if you dont have the staff and you dont have the time to train your staff then disasters like this are going to happen They shouldnt be even sharing this data in the first place
proverbol said: Very easy to blame a junior when clearly management is at fault for not laying down proper procedures and not ensuring that they are applied however Im puzzled at to what kind of ordinary discs can hold so much information
Peter said: I absolutely agree Even before I scrolled down to read the comments I was thinking what a surprise The unions jumping on their soapbox to excuse one of their members incompetencestupidity It has absolutely nothing to do with job cuts and everything to do with a total lack of commonsense
Peter said: I absolutely agree Even before I scrolled down to read the comments I was thinking what a surprise The unions jumping on their soapbox to excuse one of their members incompetencestupidity It has absolutely nothing to do with job cuts and everything to do with a total lack of commonsense
Law said: Indeed
Paul said: Err why does the PCS blame it on job cuts If there is time to send something out via one method then there is time to send by the correct one Im absolutely maxed out certainly overstretched at work but I dont use that as an excuse for errors Oh for a job in the cushtee public sector and flexi-time or set hours