Security experts savage UK gov't over data breach
- 22 November, 2007 08:11
Security experts have criticized HM Revenue and Customs (HMRC) for creating fraud risks on several fronts when it lost 25 million child benefit records.
The government blunder, which chancellor Alistair Darling revealed Tuesday to MPs and the country, involved the loss of two computer discs sent via an internal courier which contained millions of bank account details. HMRC chairman Paul Gray has resigned over the debacle.
Jonathan Armstrong, partner at international law firm Eversheds, warned: "The breach is likely to give birth to a number of phishing scams. Even if the data on the CDs does not get into the hands of fraudsters it is likely that even now a large email campaign is being planned to prey on the British public.
"We have been involved with a number of major multinational breaches and have spoken with clients after the event to help others learn from their experience," said Armstrong.
"In many cases the consequences of the data breach are worse than first anticipated."
Fred Piper, a professor at Royal Holloway University of London, said it was extraordinary that the data loss occurred.
"It shouldn't happen. It beggars belief as to who authorized this, and whether they had authority to send the data or just did it," he said.
"It's a straightforward, irresponsible cock-up. If you must transfer data, there should be a clear reporting structure that recognizes and protects valuable data. If it is valuable, then only senior staff should authorize it and that data needs adequate protection."
Chancellor Darling said Tuesday that the discs were password protected but the data is not thought to have been encrypted.
Piper said: "Had it been encrypted, that's the first thing they would have said. HMRC said the discs were password protected, but had they been protected properly they would have been stated this."
The government has commissioned an independent review of HMRC's data-handling procedures from PricewaterhouseCoopers, with the full results due to be published in spring 2008.
Bob Ayers, associate fellow at Chatham House's International Security Programme, said any inquiry needed to get to the bottom of how this happened.
"But you have to ask: what kind of data protection regime is there in place in which highly sensitive information is stuffed in an envelope and given to guy on a motorbike to courier across London? What kind of protection regime treats such vitally important information in such cavalier fashion?"
Ayers urged the government to review all its processes, technology and compliance. "The solutions to correcting this problem will likely be technical, procedural, legislative and administrative," he added.
"We are getting a lot of head-patting from the government reassuring us that they are in charge and are trying to figure out what happened. We are being told not to panic and not to change our bank accounts," he said. "I would want to know how this happened. I'm not talking about the mechanics, but how did we get to the position that such critically sensitive information is being treated like a package of fish and chips and moved around London?
"Until we understand the answer, there can be no assurance that this is not going to happen again and again and again."
Jamie Cowper, at security firm PGP Corporation, said the UK's understanding of the threats around data breaches had "certainly come a long way" in light of Gray's resignation.
"But you have to ask whether this is really going to help solve the operational risk issues that the organization clearly faces.
"These discs should never have been transported in the first place -- information of this type should only be transmitted using the strongest security protocols available such as encrypted batch transfer -- but more to the point, these details should not have been stored in this medium."
"Discs are easy to lose, but difficult to protect. This type of information should only be stored on formats where the data can be encrypted transparently, so that it remains protected wherever it resides, and whether at rest or in motion."
How to prevent data loss
Jonathan Armstrong, partner at international law firm Eversheds, advises firms to:
- look at where and how they hold data and who else has access to it
- pick their response team for when they have a breach
- implement thorough training systems to improve awareness about the consequences of a breach
- make sure they have a system for concerned customers or employees to get in touch
- look into the costs of buying credit checks in advance
- look at third party contracts and the security systems of those contractors