HM Revenue and Customs' admission yesterday of the loss of virtually unprotected computer discs containing personal information, including 7.25 million bank details, has left the IT industry shocked but not surprised.
Chancellor Alistair Darling’s description of the event as a catastrophe and the immediate resignation of HMRC chairman Paul Gray don’t begin to deal with the ramifications likely to come out of this.
Yesterday, it became clear that the discs, which were lost about one month ago, contain the entire database of 25 million recipients of child benefit. They had been transported using the government’s internal mail system with password protection only and no encryption – in clear breach of rules governing data protection.
“The loss of this data by HM Revenue and Customs is yet another example of the danger of putting sensitive information on an easy to lose format such as discs and the result of internal policies not being backed up by good security practice,” says Greg Day, McAfee security analyst.
“The department will need to explain to consumers why it has taken 10 days to disclose this breach and the extent of the risk to their personal details. At this point we would have to assume the worst until more details are given – and the public and the government should be taking steps to limit the damage and risk, if and when the data enters the wrong hands.”
And Mark O’Dell, director of specialist IT firm Connect Support Services, adds: “The real question is why the government is still using antiquated technology to transfer data around the country? Every sensible business is already using systems to highly encrypt and transmit data within a private network, so it can never be simply mislaid. It’s amazing that customs and revenue are still stuck in the past using such risky procedures.”
The potential impact of this incident is strikingly clear, and yet again points to the paramount importance of comprehensive and enforced security procedures – as well as to the enormous risks posed by massive centralised databases in the hands of the incautious:
As Matthew Tyler, of Evolution Security Systems, says: “After the debacle at Newcastle Council a couple of months ago, this seems to add to the weight of evidence that the public sector is not taking the security of our data seriously enough. This does not bode well for either the national DNA database or more importantly the potential new ID Card scheme.”
As to the immediate outcome, the availability of a large volume of confidential and very valuable data could easily provide a lucrative revenue stream for malicious gain. Also, there is the small question of the infringement to data protection laws, as well as the incredible damage to confidence in government departments.
Darling must be praying that the data doesn’t fall into the wrong hands to be used, for example, to create digital clone identities. His point in yesterday’s Commons statement, that to date no unusual activity had yet been detected by the banks, will be slim comfort to a government presiding over a department the merger of which seems to have left it far from fit for purpose.
In the meantime, McAfee’s and others’ advice to government departments and businesses alike remains unchanged:
Implement a Data Loss Prevention solution:
Develop, enforce and ensure compliance of a security policy
Safeguard data at every stage
Data on portable storage formats or transferred over public connections should be encrypted and only accessed by trusted parties
Implement access control and monitoring tools
Monitor and prevent installation and usage of unauthorised applications
Educate and (re)train employees