HMRC's loss of 28 million records is evidence that the government cannot be trusted with biometric information, and that the UK national ID scheme is untenable, according to FBI fraud expert and world-renowned ex-con artist Frank Abagnale.
Chancellor of the Exchequer Alistair Darling admitted that discs containing the records of up to 25 million child benefit claimants were lost in transit to the government watchdog, the National Audit Office. The lost discs were password-protected, but not encrypted, and included bank details and national identity numbers.
"It was not just a mistake. I truly believe that someone paid for information to be stolen. It's what happens all the time, that someone acted in collusion with somebody else to steal this data," said Abagnale, author of Catch Me If You Can and a fraud expert who has worked extensively for the FBI over the past 32 years.
Governments, corporations and local authorities do a "horrible job of protecting data," said Abagnale.
"Don't send sensitive records by courier or through the mail. It's just common sense, and good business practice that someone should not have done that. The UK government needs to do a much better job of protecting the information of its citizens," he said.
"The government would not ship gold bullion via an unsecured courier or method and in today's environment, one needs to understand that sensitive personal data is worth just as much as gold bullion."
He added: "This is what scares me about the concept of the UK ID card. Taking all of this information, including biometrics information, and putting it into one place is dangerous. It is allowing one weak link in the chain, for instance, a criminal to approach someone to steal information."
While biometrics is excellent for controlling who enters and leaves buildings, people shouldn't trust the government with their DNA. "I would never be able to, I wouldn't trust them with that information."
"[Governments and corporations] won't spend the money to make [IT systems] as secure as it could be. They will cheat out on it. Those are my concerns," he added. "The technology is there. There are hundreds of off-the-shelf identity management software products out there that can do a good job of controlling the data and controlling who sees the data."
ID thieves commonly obtain records and hold them for years after the theft before embarking on fraudulent activity, said Abagnale, who urged the UK government to provide a long-term and stringent monitoring service. "The government needs to be more specific about what it is going to do to protect its citizens if their information is out there. They need to provide a monitoring service to monitor credit records for at least three years, because this activity might not surface for a year."
If the data was stolen, then it is likely the thief will "sit on" this information for a number of years before harvesting identities. "Because the records are for younger people, many may not have a credit record yet. Once they reach adult age, they could find their identity had been sold before they've even started on life."
The recent incident of large-scale data loss highlights the difference between data breach notification laws in the US and the UK. The UK government waited more than 10 days to notify parliament and the public of the breach. In the US, under current laws, the government would have had to notify immediately.