“HMRC has a responsibility towards the public. It has failed to meet the standards expected of it,” Alastair Darling, the chancellor, told in the House of Commons on 20 November. “I deeply regret this and apologise for the anxiety that will be caused.”
Paul Grey, the chairman of Her Majesty’s Revenue and Customs (HMRC), has resigned over the loss. The data, on all children, parents and carers claiming the UK’s universal child benefit, was sent from HMRC in Washington, in the north-east of England, to the National Audit Office in London, which had requested it for audit purposes.
The lost data includes the names, addresses and dates of birth of every child in Britain, as well as financial information on adult claimants. A total of 25 million people are affected – more than two-fifths of the UK’s population.
It was sent by a junior employee of HMRC through an internal mail service on 18 October. When the NAO reported the data had not been received, the employee resent the discs, although this time by registered, recorded post.
The original discs were reported lost on 8 November, and the chancellor was informed on 10 November. He told the House of Commons that he delayed reporting the loss initially to allow a thorough search to take place by Customs officials, and when this failed to produce results, to involve the police and to allow the UK’s banks and building societies to establish checks on every affected account to look for suspicious activity.
“So far, they have found no evidence of such activity,” Darling said. Checks have been back-dated to 18 October: “Again, so far, they have found no evidence of unusual activity.” He added that the police do not believe the data has fallen into the wrong hands, but conceded that it was “highly probable” that the Data Protection Act has been breached.
Darling announced an enquiry into HMRC’s data handling processes, to be carried out by Kieran Poynter, UK chairman of audit firm PricewaterhouseCoopers. He said HMRC has changed its procedures, so the transmission of such data requires sign-off from a senior manager.
The opposition called for the government to abandon its plans for a national identity register and identity cards as a result of the breach. George Osborne, the shadow chancellor, who called the HMRC’s loss a “catastrophic mistake” which should mark the final blow for the identity card scheme.
He added that the government had compromised the information security of every family in Britain. “They simply cannot be trusted with people’s personal information,” he said. “Get a grip and deliver a basic level of competence.”
Avivah Litan, a senior Gartner analyst, said she could not think of any more serious breach of personal information. Although the US Veterans Administration lost a laptop with a similar number of names, addresses and social security numbers, this did not include bank account details, which is the most highly-prized kind of data for fraudsters.
“Banks will be scrambling to think what to do. They will be looking for signs of fraud, and the first they see, they will shut down accounts,” she said.
Litan said that, as the government has said the information is password-protected, “it’s obviously not encrypted”. She said such data should be encrypted even when within the organisation, and should be sent only through encrypted electronic transfer. Although she added that only 1% of data lost on physical media is put to criminal use, the publicity around this case makes fraud more likely. In the worst case, a breach of the data could cost the UK $300 million (£145m), she said.
In a statement, the information commissioner Richard Thomas said: “This is an extremely serious and disturbing security breach. This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches. Incidents like these illustrate that any system is only as good as its weakest link.”
“The alarm bells must now ring in every organisation about the risks of not protecting people’s personal information properly. As I highlighted earlier this year, it is imperative that organisations earn public trust and confidence by addressing security and other data protection safeguards with the utmost vigour,” he continued, adding that he welcomed the enquiry by Kieran Poynter.
On 14 November, the Information Commissioner’s Office told a House of Lords enquiry that the government should introduce criminal penalties including prison sentences for severe breaches of personal data.