Discgate

UK Government 'loses' records for 25 million individuals and 7.25 million families. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people.


A junior official put all the data on a CD and posted it. At the time, a senior civil servant was made aware of this. The data was not encrypted. Banks were not informed of the loss for six days. Our privacy is important and organisations which process our personal data have to show them respect.


What was lost

BBC reports

  • 7.25 million claimants
  • 15.5 million children, including some who no longer qualify but whose family is claiming for a younger child
  • 2.25 million 'alternative payees' such as partners or carers
  • 3,000 'appointees' who claim the benefit under court instructions
  • 12,500 agents who claim the benefit on behalf of a third party

Time Line

  • 02 October 2007: The National Audit Office [NAO] formally asks HM Revenue and Customs [HMRC] for files on child benefit claimants.
  • 18 October 2007: HMRC sends the CDs by TNT Post (the unregistered bulk mail arm of the secure courier TNT) to the National Audit office in London
  • 24 October 2007: HMRC informed by the NAO that the package had not arrived, the junior HMRC official simply made another copy of the data and sent it again through the post - this time registered - to the NAO.
  • 25 October 2007: The NAO confirms receipt of the second set of discs. It staff point out that the first set has still not arrived.
  • 05 November 2007: HMRC confirms that the first set of CDs is still missing.
  • 08 November 2007: Three weeks after they were lost the HMRC's senior management informed of fact the CDs had gone missing. The NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. (BBC claims they were told on the 3rd of November)
  • 10 November 2007: Alistair Darling was then informed in the morning and the Prime Minister shortly after. HMRC with the cooperation of the NAO begins a search for the CDs at the offices of the audit office at Victoria. The NAO has no record of having received the first set of CDs.
  • 14 November 2007: Alistair Darling instructs Paul Gray the HMRC chairman to call in the Metropolitan Police to conduct a full investigation. Darling said the delay in notifying the public about the security breach was on the advice of privacy watchdog the Information Commissioner, the Financial Services Authority and the Serious Organised Crime Agency, in order for HMRC and the banks to take remedial action before a public statement was made. (The banks dispute that they asked for the delay.)

15 November 2007 - Richard Thomas, Information Commissioner, says remedial action must be taken before public is informed

  • 20 November 2007: Alistair Darling makes a statement to the House of Commons on the missing discs and Paul Gray, the chairman of HMRC resigns.
  • 21 November 2007: HMRC issues an apology (apology itself contains sensitive data causing yet more problems)

Correspondence relating to the lost data

scans of correspondence relating to the lost data

Not the First Time

Copies of the database were sent, again by CD, to the accounting firm KPMG, although those discs arrived safely and were later returned. No one reported this at the time.

And Not the Last Time

Sensitive data continues to be lost - HMRC are not alone in failing to properly secure other people's personal details - see UK Privacy Debacles.

MoD recruitment laptop computer scandal

House of Commons debate MOD (Data Loss) 21 January 2008

  • 153,000 people who submitted detailed application forms
  • 5.700 bank account details
  • Initial belief that the data was encrypted
  • Admissions that the data was not encrypted at all
  • 2 previous stolen recruitment data laptops
  • Cabinet Office review of data handling
  • Yet Another Review - Sir Edmund Burton
  • No resignations by Ministers or senior MoD staff

See Spy Blog for more details Des Browne now admits to 3 stolen, unencrypted Ministry of Defence recruitment laptop computers

Fallout

Poynter Review

Terms of reference

The Treasury has published terms of reference for the Poynter Review, which will investigate security processes and procedures for data handling in Her Majesty’s Revenue & Customs.

To establish the circumstances that led to the significant loss of confidential personal data on Child Benefit recipients and other recent losses of confidential data and the lessons to be learnt, and in the light of those circumstances to examine:

  • HMRC practices and procedures in the handling and transfer of confidential data on taxpayers and benefit/credit recipients;
  • the processes for ensuring that these procedures are communicated to staff and the safeguards in place to ensure they are adhered to;
  • the reasons why these failed to prevent the loss of confidential data;
  • whether these procedures and processes are sufficient to ensure the confidentiality of personal data.

The review will report initially by 14 December on the exact circumstances and events that led to the loss of the Child Benefit data, taking account of the ongoing investigation by the Metropolitan Police. It will make interim recommendations on any further, urgent measures that HMRC should put in place to guarantee the confidentiality of personal data.

The review will also consider wider implications, reporting in the Spring and, in consultation with the Independent Police Complaints Commission (IPCC) and Information Commissioner, make recommendations on:

  • how internal processes and culture can be strengthened to achieve appropriate data security in the future;
  • whether HMRC’s wider procedures for the handling of confidential data and liaison with other organisations should be changed to reduce the risks and how this might be done.

Notes to editors

1. The Chancellor of the Exchequer, the Rt Hon Alistair Darling MP, announced the review in a statement to the House of Commons on 20 November.

2. Kieran Poynter is Chairman and Senior Partner of PricewaterhouseCoopers and will report to the Chancellor of the Exchequer. The review is being carried out with the knowledge and cooperation of the Independent Police Complaints Commission (IPCC) and the Information Commissioner.

Review of Data Handling procedures in Government

Terms of reference for the Review of Data Handling procedures in Government 23 November 2007

The Prime Minister has asked the Cabinet Secretary to establish a review into data handling procedures in Government.

The Review will be led by Robert Hannigan, Head of Intelligence, Security and Resilience in the Cabinet Office, working closely with heads of departments.

The Cabinet Secretary wrote to all Heads of Departments on Thursday 22 November setting out the terms of the Review.

The terms of Reference of the Review will be:

To Examine:

  • the procedures in Departments and agencies for the protection of data;
  • their consistency with current Government wide policies and standards;
  • the arrangements for ensuring that procedures are being fully and properly implemented;

and to make recommendations on improvements that should be made.

The process will be carried out in two stages:

  • first, to ask urgently for an analysis of Departmental and agency systems and procedures to identify compliance with policies and standards, and recommendations for practical improvements and better management of risk that can be identified. Each Department is asked to complete this, covering their agencies as well, by 10 December so that the Prime Minister can be advised by the end of the year.
  • Second, to then look collectively at improved standards and procedures, including the role of the centre and governance mechanisms as well as the introduction of better compliance and audit arrangements. A plan to deliver any changes will also be produced. The aim is to complete this early in the New Year.

This Review will also take into account the work being done by Kieran Poynter of Pricewaterhouse Coopers into HM Revenue and Customs data handling procedures and the work being done by the Information Commissioner and Mark Walport of the Wellcome Trust on the security of personal data across society as a whole.

Quotes

House of Commons debate George Osborne 20 November 2007

"Let us be clear about the scale of this catastrophic mistake: the names, the addresses and the dates of birth of every child in the country are sitting on two computer discs that are apparently lost in the post; and the bank account details and national insurance numbers of 10 million parents, guardians and carers have gone missing."

Information Commissioner Richard Thomas, 22 November 2007

"Individuals value their privacy - institutions do not."

Microsoft ID chief Kim Cameron 22 November 2007

Meanwhile, in parliament, Prime Minister Gordon Brown explained that security measures had been breached when the information was downloaded and sent by courier to the National Audit Office, although there had been no “systemic failure”.
This is really the crux of the matter. Because, from a technology point of view, the failure was systemic.
...Isn’t it incredible that “a junior official” could simply “download” detailed personal and financial information on 25 million people? Why would a system be designed this way?
To me this is the equivalent of assembling a vast pile of dynamite in the middle of a city on the assumption that excellent procedures would therefore be put in place, so no one would ever set it off.

Ovum principal analyst Graham Titterington

"This announcement is breathtaking because of the scale of the loss but not because it is a unique event. Indeed, it is the third major data leakage from Her Majesty's Revenue & Customs in just three months."

FBI fraud expert and world renowned ex-con artist Frank Abagnale. Author of Catch me if you can

"It was not just a mistake. I truly believe that someone paid for information to be stolen. It's what happens all the time, that someone acted in collusion with somebody else to steal this data,"
"The government would not ship gold bullion via an unsecured courier or method and in today's environment, one needs to understand that sensitive personal data is worth just as much as gold bullion."

Jenny McCartney 25 November 2007

"For the Government to blame a low-level employee for this fiasco is a bit like allowing a teenage work experience girl access to the nuclear button, and then bleating that she had 'clearly not followed strict rules' when she reached for her skinny latte and accidentally wiped out Tajikistan."

Lords’ Merits of Statutory Instruments Committee following scrutiny of the regulations to bring Contactpoint into being 10 July 2007

However, the Government have not in our view conclusively demonstrated that a universal database is a proportionate response to the problem being addressed. While the Government have taken the need for security seriously, the scale and importance of the scheme increase the risk that any accidental or inadvertent breach of security, or any deliberate misuse of the data, would be likely to bring the whole scheme into disrepute.

Justice Select Committee - Protection of Private Data

"There is evidence of a widespread problem within Government relating to establishing systems for data protection and operating them adequately,"
"It is widely accepted that it is necessary to have a substantial increase in the powers given to the Information Commissioner to enable him to review systems for data protection and their application - recent events have underlined the urgency of this."

News

April

2009-04-09 - The Register - UK.gov delays new data breach powers
Author: Chris Williams
Summary: The government has failed to meet its own deadlines to bring in new powers for the Information Commissioner's Office (ICO) to fine companies who lose personal data. The Ministry of Justice won't say when it plans to publish the secondary legislation needed to set the fines or why it did not meet its March target.
2009-04-09 - The Guardian - Police chief Bob Quick steps down over terror blunder
Author: Vikram Dodd and David Batty
Summary: Britain's most senior counterterrorism officer resigns over security leak that resulted in anti-terror operation being brought forward. ... A white document marked "secret", which carried details of the operation being planned by MI5 and several police forces, was clearly visible to press photographers equipped with telephoto lenses.

February

2009-02-03 - Contractor UK - Immigration officials admit 17,000 files are lost
Summary: More than 17,000 files containing the personal details of overseas people and families seeking a safe haven in the UK have been lost. Officials at the UK Border Agency, which issued the figure, said they would now decide what to do with all of the affected asylum seekers on a "case by case basis." A spokesman added: "Where we accept that documents have been lost whilst in our care we consider all costs associated with replacing it. Each case is considered on its own merits." An application to stay in Britain typically includes a person's name, date of birth, passport number and address, as well as details of their family and children. It was not stated how they where lost other than "in transit between units".

January

2009-01-30 - Channel 4 - Hospital apology over laptop theft
Summary: Laptop stolen from secure area at Great Ormond Street Hospital containing information on 458 patients, including names and dates of birth
2009-01-27 - The Times - Vast databases 'no longer the answer to social work failures'
Author: Rosemary Bennett
Summary: Much has changed since ministers first thought it would be a good idea to keep sensitive details on millions of children in one place. That followed the death, in 2000, of little Victoria Climbié, who might have been saved had key professionals passed their concerns about abuse to one another. No piece of evidence had been in enough in itself to sound the alarm; taken together they would have built a compelling case for the child to have been removed from harm. But big databases are now distinctly out of fashion. The loss of many big data sets has destroyed public confidence that vast amounts of information should be held together. Five million child benefit records, unencrypted data sticks containing details of 84,000 prisoners and information on three million learner drivers have all disappeared in the past two years. There are simply too many doubts about security for the public to have faith in this ContactPoint project, despite government assurances about PINs and passwords. That is not all that has changed. Voters are questioning why all this information is needed in the first place.
2009-01-25 - The Sun - North patients hit by records loss
Author: Adam Jupp
Summary: North East Strategic Health Authority has lost at least 175 patient records. NHS chiefs admit they do not know the precise number of records - which can include anything from ex-directory phone numbers to a patient's HIV status - that have gone astray. That includes 32 files from the Northumberland Care Trust being "lost in transit", relating to a CD containing the records being lost by Royal Mail.
2009-01-25 - The Sunday Times - Loss of British Council staff data disk stings David Miliband
Author: David Leppard
Summary: British Council has lost a disc containing 2,000 employees bank details, names, National Insurance numbers and salaries. The disk was lost in transit with TNT.
2009-01-24 - BBC - Patient records on stolen laptop
Summary: 5,000 patients medical records have been stolen on a laptop from Singleton Hospital in Swansea. The loss occured last April but only reported today.
2009-01-24 - Wales Online - Outrage over lost patient records at Welsh NHS Trust
Author: Madeleine Brindley
Summary: Tees, Esk & Wear Valleys NHS Foundation Trust have lost a memory stick containing undisclosed amount of patient information
2009-01-12 - The Telegraph - Government failed to clamp down on data loss
Author: Matthew Moore
Summary: Government departments have failed to tighten data handling rules despite losing 30 million personal files in two years, it has been disclosed. Staff are still able to copy unencrypted information from internal databases on to USB sticks, the portable memory devices that have been involved in many of the recent high-profile security breaches. The health and transport departments - as well as the Driving and Vehicle Licensing Agency - have failed to make encryption mandatory despite the recommendations of a Cabinet Office report last year.
2009-01-12 - Financial Times - Loss of 30m files fails to end risky procedures
Author: Rob Minto
Summary: Staff in some of the biggest government departments, as well as the Driving and Vehicle Licensing Agency, can still freely copy unencrypted information from internal databases, in spite of the loss of nearly 30m personal records over the past two years. ... the health and transport departments allow employees to use USB memory sticks to copy unencrypted information. Such items have been the cause of several high-profile losses. Others allow memory sticks if the data are encrypted, such as the Department for Children, Schools and Families, and the Ministry of Justice, but it is not clear whether the encryption is enforced or simply recommended. The Department for Business, Enterprise and Regulatory Reform is one of the few that forces encryption on memory sticks. A Cabinet Office report published in June recommended that encryption be used on all data when transferred to any sort of "removable media", such as memory sticks, discs or laptops.
2009-01-12 - Financial Times - Encryption is key to ensure information remains secure
Author: Rob Minto
Summary: Which departments allow access to USB drives (* data encryption is enforced) Ministry of Justice*; Department for Transport; Department for Business, Enterprise and Regulatory Reform*; Department for Children, Schools and Families; Driving and Vehicle Licensing Agency; Department of Health
2009-01-09 - The Telegraph - Data on more than 6,000 prisoners lost
Author: Tom Whitehead
Summary: Private data, including some medical data, has been lost for 6,360 prisoners from HMP Preston The information was encrypted but a password to get around the security was also attached to the device. It was lost by a member of staff Central Lancashire Primary Care Trust on December 30 2008, but only revealed today.
2009-01-09 - The Register - Revenue pledges data security...by 2011
Author: John Oates
Summary: HMRC's latest report reveals the department hopes to have fully implemented the recomendations of the Poynter review into data security by June 2011. ... If you think this might be a rather leisurely response to the loss of details on almost every UK family in 2007, the report tries to reassure you. The department said it had already made good progress in removing the ability to transfer data to USB sticks and CDs unless "there is a compelling business case".
2009-01-05 - The Register - MoD tops lost security pass league
Author: John Oates
Summary: Ministry of Defence staff are responsible for the vast majority of security passes that have gone AWOL since 2001, research by the LibDems has revealed. Still, Work and Pensions Minister James Purnell is doing his bit, managing to lose his pass over the Christmas break - in November he left confidential documents on a train. Some 48,000 passes have been lost or stolen from government staff since 2001 and the MoD has lost 38,000 of these. Rates of loss have also been increasing. Although 48,546 have been lost since 2001, or 16 a day, since 2004 43,565 have gone walkabout - 23 a day. After the MoD with 37,863 losses comes the Home Office with 2,290 lost passes, then the DoT with 2,033 since 2002.
2009-01-01 - Telegraph - Tenth of personal data held by Government is 'inaccurate'
Author: Andrew Porter
Summary: Government figures show that as many as 3.5 millions records, out of a total of 47 million, were not right. The Conservatives said the revelation has serious security issues and warned that some information is being handed to third parties without authorisation. The data is held on a central database and feeds into other systems including the Treasury's tax records. Justine Greening, a Tory Treasury spokesman, said: "It is shocking that so much of the data the Government holds on us is inaccurate." "The Treasury talk about rigorous security procedures, but in practice these don't seem to be being followed. This lax attitude, combined with so much inaccurate information, creates the worrying potential for major security breaches and questions about the safety of our personal details."

December

2008-12-18 - HMRC - HMRC Autumn Performance Report 2008
Summary: Two key reports into the Child Benefit data loss by HMRC were published on 25 June this year: Kieran Poynter's review of information security at HMRC and the Independent Police Complaints Commission's report. We recognise that we have privileged access to information and a responsibility to protect it. We are therefore absolutely committed to delivering all of the recommendations and data security remains one of our highest priorities. The Data Security Programme was created to take forward all of this work so the Department can comply with the Information Commissioner’s requirement, in his Enforcement notice to the Department, to make best endeavours to implement the Poynter recommendations by 25 June 2011. Good progress has been made in strengthening data security within HMRC and highlights of work completed so far include: removing the ability to save data to portable media such as USB sticks and CDs. This has only been reinstated where there is a compelling business case to do so; ...

November

2008-11-27 - Computing - HMRC data loss was preventable, says government advisor
Author: Phil Muncaster
Summary: A government chief scientific advisor has admitted that last year’s HM Revenue & Customs (HMRC) data loss scandal should have been prevented. Speaking at a privacy conference held by the government-backed Cyber Security Knowledge Transfer Network, Brian Collins, chief scientific advisor at the Department for Transport and the Department for Business, said that the system should have flagged up a warning not to transfer such large amounts of personal data onto unencrypted discs. Collins explained that, just as security software informs the user if they are about to visit a dangerous web site, so government information systems should inform users if they are about to do something which could put citizens’ data at risk.
2008-11-26 - ZDNet - Department of Health beats MoD for device losses
Summary: Figures from the Ministry of Defence show that, so far this year, 59 memory sticks have gone missing and six have been stolen. The loss of laptops is up from a low of 18 in 2005 to 62 this year. The ministry has faired better in terms of theft, with 58 laptops reported stolen, against a peak of 272 in 2004. The number of hard drives lost peaked at 72 this year, up from eight last year, but only two were stolen.
2008-11-26 - The Times - NHS lost patient details 135 times in two years
Author: Kaya Burgess
Summary: A "fundamental re-examination" of how the NHS deals with personal data was demanded last night after research showed that a series of losses and thefts had potentially exposed the private details of 10,000 patients around the country. A total of 135 cases were reported, including the loss or theft of diaries, briefcases, CDs, laptops, memory sticks and, in one case, a vehicle containing patient records.
2008-11-24 - ZDNet - EDS took year to notice loss of prison-staff data
Summary: A Ministry of Justice investigation has found that EDS lost track of data on prison staff a year before the breach was noticed. Show related articles. Jack Straw, the justice minister, told parliament on Thursday that the HP subsidiary is to undergo an annual audit of its security, and pay for costs arising from the loss, including retraining. The ministry's investigation into the data breach, which, when announced in September, was thought to affect 5,000 staff, has shown the hard drive contained "256 items of sensitive personal information" that had the potential to cause damage if leaked. The information included addresses, bank details, national insurance numbers and dates of birth.
2008-11-06 - The Scotsman - Why information leaks are a danger to everyone
Author: Jerry Fishenden
Summary: Barely a day passes it seems without a new headline appearing about how our personal information has been lost from yet another database. Last week, the Information Commissioner, Richard Thomas, revealed that the number of reported data breaches in the UK has soared to 277 since HMRC lost 25 million child benefit records nearly a year ago. “Information can be a toxic liability,” he commented.

October

2008-10-29 - ZDNet - Privacy tsar: 277 data breaches since November
Author: Tom Espiner
Summary: The information commissioner has criticised the mishandling of personal data by the private and public sectors, in the light of hundreds of data breaches reported to his office over the past year. In a speech to the RSA Conference Europe 2008 on Wednesday, Richard Thomas said that 277 data breaches had been reported since last November. Thirty serious incidents, in both the public and private sectors, are still under investigation.
2008-10-29 - The Register - Thomas tells CEOs told to sort out data protection
Author: John Oates
Summary: Information Commissioner Richard Thomas called on CEOs to take more responsibility for data security within their organisation - at the same time as he released figures showing that government is still the worst offender for losing personal data.
2008-10-29 - OUT-LAW - Thirty organisations are under ICO investigation over data breaches
Summary: The UK's privacy watchdog the Information Commissioner's Office is currently pursuing 30 investigations into serious data security breaches, it said. In the past year 227 breaches have been reported to it. The ICO said in April that 94 breaches had been reported to it since the loss of 25 million people's records by HM Revenue and Customs in November 2007. That figure has now risen to 227. It said that 176 of those relate to the public sector
2008-10-29 - The Guardian - Bigger databases increase risks, says watchdog
Author: Alan Travis
Summary: The proliferation of ever larger centralised databases is increasing the risk of people's personal data being lost or abused, the government's official privacy watchdog claims today. The warning from the information commissioner, Richard Thomas, comes as he discloses that reported data losses have soared in the past year. ... Commissioner reveals inquiry into 30 breaches ... Work on giant system goes on, says home secretary
2008-10-14 - Computing - MPs slam MoD loss of 1.7 million records
Summary: MPs have criticised continuing government incompetence over government data handling practices after it was revealed a missing Ministry of Defence (MoD) hard drive could contain information on as many as 1.7 million individuals. Armed Forces minister Bob Ainsworth made the admission in a written statement to the Commons, adding that the disk was unlikely to have been encrypted. His estimate is far higher than those originally given for the loss. Officials had placed the potential tally at a modest 100,000 records.

September

2008-09-30 - Computing - Virgin Media guilty of Data Protection breach
Author: Tom Young
Summary: Virgin Media has been ordered to encrypt all portable mobile devices after it was found to have breached the Data Protection Act in losing an unencrypted disc. The Information Commissioner's Office (ICO) gave the order after investigating the loss of the disc, which contained personal details on customers that signed up to Virgin Media services in Carphone Warehouse stores from January this year.
2008-09-29 - The Register - MoD prays RAF disk thieves aren't data savvy
Author: Chris Mellor
Summary: 50,000 RAF IDs on unencrypted disks. Personal details of potentially all current and ex-RAF personnel and dependents were stored on three USB-connected storage drives which went missing from a Ministry of Defence establishment at Innsworth, Gloucestershire.
2008-09-27 - BBC - Personnel records stolen from MoD
Summary: The Ministry of Defence (MoD) is investigating the theft of computer files with the records of thousands of serving and former RAF staff on. The information was stored on computer hard drives at the Service Personnel and Veterans Agency at the RAF Innsworth site near Gloucester. The theft of the files took place on 17 September, within a high-security area on the base. It said it was treating the breach "extremely seriously". 900,000 personnel. A spokesman for the MoD police said: "We can confirm that an investigation is being conducted by MoD police, with the support of Gloucestershire Police into the apparent theft of three USB portable hard disk drives.
2008-09-27 - The Guardian - RAF personnel records stolen on hard drives
Author: Mark Rice-Oxley
Summary: The government was facing a fresh data loss embarrassment last night after thieves stole files containing the records of thousands of RAF personnel.
2008-09-27 - The Telegraph - Thousands of personal files stolen from RAF base
Author: Jessica Salter
Summary: The details of up to 50,000 serving and ex-service personnel are at risk after three USB portable hard disc drives were stolen from an RAF station, the Ministry of Defence has admitted.
2008-09-17 - BBC - Data on bankrupt directors stolen
Summary: A laptop computer containing personal details of about the 122 company directors of bankrupt companies has been stolen, from the Insolvency Service.
2008-09-17 - ZDNet - NHS trust loses 18,000 staff details
Author: Tom Espiner
Summary: A London NHS hospital trust has admitted to losing almost 18,000 staff details on four CDs. The payroll details were lost on 22 July while in transit between the salaries and wages department of Whittington Hospital NHS Trust and payroll company McKesson, where they were to be stored. David Sloman, chief executive of the Whittington Hospital NHS Trust, said on Tuesday that a staff member had been suspended over the incident, as the discs had been placed in an out-tray in the post room marked 'recorded delivery', instead of being sent by courier. "It is trust policy to send any such information by courier,"
2008-09-16 - Kable - IPCC investigates police data bungle
Summary: The Independent Police Complaints Commission has launched an independent inquiry into the loss of a memory stick from West Midlands Police. The loss of the data stick is being treated as "an extremely serious matter", according to Len Jackson, the IPCC commissioner. West Midlands Police would not comment on press reports that the stick contained information on terror suspects.
2008-09-15 - The Telegraph - Personal details of 18,000 staff 'lost in the post'
Author: Aislinn Simpson
Summary: Four computer discs containing the details of 17,990 current and former staff were lost in July 2008 when they were sent between Whittington Hospital NHS Trust in north London and McKesson, a firm providing IT payroll services. They contained the names, dates of birth, national insurance numbers, start dates and pay details of all staff of Whittington Hospital NHS Trust, Islington Primary Care Trust, Camden Primary Care Trust and Camden and Islington NHS Foundation Trust. They also contained the addresses of some staff.
2008-09-12 - Computing - PA Consulting keeps children's database contract
Author: Janie Davies
Summary: The consulting firm responsible for the loss of personal details on 84,000 prisoners will continue to work on the children's database, sparking fresh concerns about the controversial project. PA Consulting was recently dismissed by the Home Office after losing a memory stick containing information on all prisoners in the UK. The ContactPoint children's database was delayed last year following a separate incident, in which discs containing information on 25 million families were lost.
2008-09-10 - Financial Times - Contract ended over prisoner data loss
Author: Jimmy Burns
Summary: The Home Office on Wednesday terminated its contract with a private company that lost the details of thousands of criminals, in a decision that cast doubt over the company’s continuing advice to government about its identity cards scheme. Jacqui Smith, home secretary, said on Wednesday PA Consulting would lose a £1.5m three-year deal with the Home Office after an employee mislaid a computer memory stick that contained confidential data on up to 130,000 offenders and prisoners. Ms Smith said all PA Consultancy’s contracts with the Home Office - worth an estimated £8m per annum – were being reviewed, as well as those signed with other companies... Tom Brake, Liberal Democrat home affairs spokesman, accused ministers of "making scapegoats out of private companies" to cover up "incompetence at the heart of government".
2008-09-11 - Computerworld - Unencrypted data of 15,000 patients stolen from Winchester GP surgery
Author: Leo King
Summary: The data of 15,000 patients was lost after a thief stole unencrypted backup computer tapes from St Paul’s surgery in Winchester. The tapes were not encrypted but instead had password protection.
2008-09-10 - ZDNet - Home Office axes data-loss firm's contract
Author: Tom Espiner
Summary: The Home Office has terminated one of its contracts with PA Consulting, following the loss of 84,000 prisoners' data.The termination of the contract to administer the prisoner-tracking JTrack system, worth £1.5m, was announced by the Home Office on Wednesday. "The Home Office has terminated the contract with PA Consulting that covered the handling of this data," Jacqui Smith, the home secretary, said in a speech to parliament on Wednesday.
2008-09-10 - Computing - Troop movements found on USB stick
Author: Tom Young
Summary: A USB stick containing details about troop movements has been discovered on the floor of a Cornish nightclub. The storage device contained times, locations and travel and accommodation details on 70 soldiers from the 3rd Battalion, Yorkshire Regiment. The stick was found by a clubber and sent to The Mirror. MoD tally of lost USB sticks or PDAs this year reaches 58
2008-09-10 - The Register - Home Office screws prison data bunglers
Author: Chris Williams
Summary: The Home Office has today terminated a £1.5m contract with PA Consulting after it lost the personal details of the entire UK prison population. In August the firm admitted to officials that it had downloaded the prisons database to an unencrypted memory stick, against the security terms of its contract to manage the JTrack prolific offender tracking system. The data included names, addresses and dates of birth, and was broken down by how frequently individuals had offended.
2008-09-09 - Computing - The top 10 public sector data losses - so far
Summary: June 2008: One cabinet minister, August 2008: Various children and families, April 2008: Citizens in 13 London boroughs, June 2008: Several thousand NHS patients, September 2008: 5,000 prison staff, December 2007: 6,000 car owners, August 2008: 84,000 prisoners, January 2008: 600,000 military personnel and potential recruits, December 2007: Three million learner drivers, November 2007: 25 million parents and children
2008-09-08 - The Telegraph - Lost prison data disc has not fallen into wrong hands, claims Government
Author: Andrew Porter
Summary: Prison officers believe that their security may have been threatened by the loss of such sensitive information. Unions warned that staff may have to be relocated, at a potential cost of millions to the taxpayer, in order to ensure their safety. Jack Straw, the Justice Secretary, has ordered an inquiry into the lost information. But Michael Wills, the data protection minister, said: "We believe the data is not in the public domain and therefore there are not significant risks to security. ... It is the latest in an embarrassing series of data losses by major Government departments. Last year two discs went missing from a child benefit office in the North East containing the details of 25 million claimants.
2008-09-08 - Computing - 5,000 prison worker records lost
Author: Tom Young
Summary: Justice minister Jack Straw has ordered an inquiry into the loss of a portable hard drive containing the details of 5,000 prison staff. The disc was lost by IT supplier EDS, which has successfully bid to be part of the National Identity Card Programme. "I am extremely concerned about this missing data," said Straw. "I was informed of its loss by the News of the World and have ordered an urgent inquiry into the circumstances and the implications of the data loss and the level of risk involved." "I have also asked for a report as to why I was not informed as soon as my department became aware of this issue."
2008-09-08 - The Times - Hunt begins for missing data on prison officers
Author: Dominic Kennedy
Summary: A computer company delivering the national identity card scheme was frantically hunting yesterday for a lost computer drive containing 5,000 personnel files, including the private details of prison officers. The data storage device, little bigger than a paperback book, was last seen more than a year ago in a storeroom of EDS, one of the world’s biggest new-technology consultancies.
2008-09-07 - Liberal Democrat's Press Release - Government cannot handle large amounts of data
Author: David Howarth MP
Summary: Responding to the news that a computer hard drive containing the personal details of up to 5,000 prison staff has been lost, Liberal Democrat Justice Spokesperson, David Howarth said"The Government has shown once again that it cannot handle large amounts of data. Why it is persisting with the ID card scheme is beyond comprehension and it should be dropped immediately." "All departments were asked to trawl their systems and reveal all data losses last year, so this smacks of a disturbing culture of secrecy and cover up."

August

2008-08-26 - Andy Reed MP - Taxpayers' details found on eBay
Author: Andy Reed MP
Summary: Charnwood Borough council is being forced into investigating a report that a computer containing taxpayers' personal details was sold on auction website eBay. Bank account numbers and sort codes of people in the Charnwood Borough Council area were reportedly found after the equipment was sold for £6.99. Loughborough MP Andy Reed said "This is a worrying loss and I will expect a full and thorough investigation into how this may have happened. Already many local people have expressed anger at this loss - one probably containing my own personal details by the sounds of it!" "There have been enough stories of data loss and whilst I am sure we all try our hardest it is time to really step up our routines to make this stops happening. Being a victim of identity theft is not pleasant as I know. I would urge the Tory leader Richard Shepherd to take full responsibility for the actions of the authority and most importantly to communicate with all of us affected as quickly as possible about the potential risks. I want to see quick and effective action - not just warm words about an investigagtion."
2008-08-22 - The Times - Thousands of criminal files lost in data fiasco
Author: Sean O'Neill and Richard Ford
Summary: Confidential records and sensitive intelligence on tens of thousands of the country's most prolific criminals have been lost in a major breach of data security at the heart of Whitehall. Scotland Yard is investigating the loss of the information, which was taken from the Police National Computer and entrusted by the Home Office to a private consultancy firm. The data had been encrypted for security reasons but was decoded by staff at PA Consulting Group and placed on a computer memory stick that was subsequently lost. The device contains personal details and intelligence on 33,000 serious offenders, dossiers on 10,000 "priority criminals" and the names and dates of birth of all 84,000 prisoners in England and Wales. There is also information on an unspecified number of people enlisted on drug intervention programmes.
2008-08-22 - silicon.com - Prisoner data breach firm paid £100m
Author: Natasha Lomas
Summary: The management consultancy firm at the centre of the latest government data breach storm has been paid almost £100m over three years for its services by the Home Office and its agencies, with individual consultants from the company being charged to the department at an average of more than £1,000 per day. This week it emerged a USB memory stick containing unencrypted data on all the prisoners in England and Wales - some 84,000 individuals - had been lost by PA Consulting. Details stored on the memory stick include names, dates of birth and some expected release data. It also contains the names and dates of birth of some 10,000 individuals who are classed as prolific and priority offenders, as well as the initials of individuals involved with the Drug Interventions Programme.
2008-08-22 - The Conservative Party - Where does latest data loss leave ID cards?
Summary: The Shadow Home Secretary, Dominic Grieve, has demanded Jacqui Smith explain what the loss of thousands of criminals' details by the Home Office means for Labour's ID card scheme. He said the public would be "alarmed" that Labour are planning to entrust their £20bn ID card project to the firm involved in this "shambles". And he stressed that this latest data loss fiasco could be the death knell for Labour’s ID card project: "This will destroy any grain of confidence the public still have in this white elephant and reinforce why it could endanger - rather than strengthen - our security."
2008-08-08 - Computing - BBC confirms loss of children's data
Summary: A laptop and several memory sticks containing personal information about children and their families has been stolen from a vehicle involved with the production of a BBC TV programme. The information included names, addresses and mobile phone numbers of children, and dates when families were planning to go on holiday.
2008-08-01 - Kable - Foreign Office reports five data losses to Info Commissioner
Summary: The Foreign and Commonwealth Office has reported five significant data breaches to the Information Commissioner's Office in the last financial year, in total affecting less than 188 people. The losses have been disclosed within the department's resource accounts for the year ending 31 March 2008. They show that in September 2007, it lost data on 70 people, including their names, addresses, dates of birth and family details, through the loss of a computer, "outside secured government premises". In December information on 36 people, extending to passport number, financial and employment details, was lost on paper, again outside government offices. ... The only serious breach caused by unauthorised disclosure by a contractor ... This appears to refer to vulnerabilities with the UK visas application website, run by contractor VFS in India, potentially making 50,000 people's data vulnerable. ...

July

2008-07-21 - Kable - MoD encrypts laptops following theft disclosures
Summary: The Ministry of Defence has admitted the theft of 658 laptops over four years, with another computer stolen last week in Liverpool. A spokesperson said that the ministry banned unencrypted laptops leaving secure sites without a strong reason in January, and that the laptop stolen on Merseyside was encrypted. The ministry owns around 35,000 laptops, 13,000 having full-disk encryption, 10,000 with partial-disk encryption and 12,000 unencrypted. As of January. those without full-disk encryption cannot leave secure MoD sites without "a strong operational reason" and a waiver from the department's senior information risk owner. ... In a written parliamentary answer on 17 July 2008, the MoD said that 747 laptops had been stolen from, or lost by, staff since 2004. Earlier this year, it had said that only 347 had been stolen in that time
2008-07-21 - Computing - MoD reveals full extent of laptop losses
Author: Tom Young
Summary: Twice as many laptops lost in past four years as previously claimed. More than 650 laptops have been stolen from the Ministry of Defence (MoD) over the past four years, more than twice the number previously claimed. And 121 USB memory sticks have been lost in the same time period.
2008-07-21 - ZDNet - Taxpayer to foot bill for HMRC disc search
Author: Nick Heath
Summary: The taxpayer has been landed with a £473,544 bill for the hunt for the missing HM Revenue & Customs data discs. The Metropolitan Police Service mounted a months-long search for the data discs, containing 25 million child-benefit records, after they went missing in October 2007. Financial minister Jane Kennedy revealed the costs in a written answer to Parliament.
2008-07-18 - The Register - MoD: We lost 87 classified USB sticks since 2003
Author: Lewis Page
Summary: The UK Ministry of Defence has told parliament that it has lost or had stolen some 87 USB sticks holding "protectively marked" - ie classified - material since 2003. However, almost all the devices were marked at the lowest grade of classification, and even the remaining few are unlikely to have contained information of any significance.
2008-07-18 - Liberal Democrats - Loss of more sensitive information shows shocking incompetence
Summary: 121 USB sticks containing sensitive information have been lost or stolen from the Ministry of Defence since 2004, including five containing information classified as 'secret'. The figures were released in response to a Parliamentary question from Liberal Democrat MP, Sarah Teather on data loss in the MoD. Commenting, Sarah Teather said: "It seems that this Government simply cannot be trusted with keeping sensitive information safe. It is frightening to think that secret MoD information can be lost or stolen." "This shows a shocking degree of incompetence across the entire Government." "When different departments are losing sensitive data left, right and centre it is no wonder that people have lost confidence in Gordon Brown and Labour." "How can they expect us to trust them to keep our personal information safe in their unnecessary and expensive ID card scheme?"
2008-07-18 - Computing - HMRC missing disc investigation cost nearly £500,000
Summary: The investigation into the loss of the missing HM Revenue and Customs child benefit records cost nearly half a million pounds. Treasury minister Jane Kennedy revealed the £473,544 price tag in the commons in reply to a question from Independent MP Dai Davies.
2008-07-17 - TheyWorkForYou - Parlimentry Written Answer, Defence, Departmental Computers
Summary: Des Browne (Secretary of State, Ministry of Defence; Kilmarnock & Loudoun, Labour) As a result of the theft of the Royal Navy laptop, the Ministry of Defence has initiated an investigation into the details of all computers lost or stolen since 2003. This investigation is under way and I will write to the hon. Member when the information is available and arrange for a copy of my letter to be placed in the Library of the House. Substantive answer from Des Browne to Mark Pritchard: I undertook to write to you in answer to your Parliamentary Question on 29 January 2008, (Official Report, column 184W) about the number of laptops stolen or lost from the Ministry of Defence since 2004 that had subsequently been recovered. The figure of 347 laptops that you quote can be derived from information provided in answer to Mr Francois on 19 January 2007, (Official Report, column 1363-4W) and Mr Gauke on 10 December 2007, (Official Report, column 58W) and relates only to stolen laptops. Revised figures have been taken from the data collated in the course of the investigation into details of computers and other electronic media lost/stolen since 2003 and provided to Sir Edmund Burton as part of his review. For all years they show an increase in the number of stolen laptops from the numbers previously reported is because the Burton Review investigation revealed anomalies in the reporting process. Instructions have been issued to remedy these shortcomings. Revised figures as at today are ...
2008-07-17 - Computing - Councils to miss data deadline
Author: Janie Davies
Summary: Local authorities will struggle to implement secure data exchanges before a government-imposed March 2009 deadline, and many will be forced to apply for exemptions, say local government chief information officers (CIOs). Government Connect, a £33m secure network for local authorities, will allow secure email and data sharing across government and between councils. But security requirements set out in the programme's "code of connection" are proving to be a major hurdle. "There is no way that the majority of local authorities have the capacity or funding to be able to comply with the code of connection unless central government takes a more pragmatic approach," said one local authority senior IT manager." "The majority have not started their physical implementation of Government Connect services, although they may have signed up. So ubiquitous access is miles away and loads of councils will have to apply for exemptions."
2008-07-16 - Kable - HMRC claims infosecurity improvements
Summary: HM Revenue and Customs is taking a number of measures to strengthen its data security, following its loss of 25m people's data relating to child benefits. The agency has introduced strict physical and technical controls on accessing and moving data on paper, electronic media and digitally, and has appointed an overall director of governance and security and data guardians for all its business areas. "We all share a deep sense of regret at what happened last November, but we also share a determination to put things right and focus on improving the service we provide to all our customers," Dave Hartnett, acting chairman, says in his introduction to HMRC's annual report.
2008-07-16 - The Register - HMRC disc losers still getting paid
Author: John Oates
Summary: Paul Gray departed from his job in November 2007 as the the child benefit database loss story broke and took a lump sum of £137,591. He also receives monthly payments totaling £49,292 until he is 60 - in August 2008. He should retire with a pension pot worth a little more than £2m.
Note: See AccountingWEB for the full story. HMRC's Paul Gray never resigned, Cruickshank did. "Paul Gray didn't resign," "He was pensioned off due to ill-health."
2008-07-11 - HM Revenue & Customs - Departmental Report 2008
Summary: The loss of the Child Benefit data discs, the Capability Review of the department and the creation of the UK Border Agency have come on top of our existing challenges of transforming the performance of HMRC and reshaping our workforce. ... We took immediate action following the loss of Child Benefit data to tighten our data security procedures. Since last November, we have introduced a number of measures to minimise the risk of data loss and to increase oversight of data protection in the department. ... Every area of our business now has a data guardian responsible for the protection of customer data. Data guardians also provide advice on how information can be safely moved around our business and transferred between the department and our customers. ... Following the loss of the Child Benefit data discs, we introduced new, tight physical and technical controls on access to and movement of bulk data on paper, on removable media and through electronic means. ... We have published and distributed clear, simple Data Security Operating Standards and 'Golden Rules' to all staff. ... Every person in HMRC is scheduled to attend a mandatory training course on data security. ... As the Poynter Review makes clear, implementing the suggested changes will take time. Some changes are likely to require extensive alterations to our IT and infrastructure that will need to be planned extremely carefully. We are looking at the report’s findings and recommendations in detail, and we are beginning to incorporate them into our overarching Data Security Programme. We propose to return to the theme of data security in next year’s Departmental Report, and in subsequent reports.
2008-07-11 - The Register - Public sector faces hefty fines for data breaches
Summary: Councils should scrap sales to database marketers. UK state-sector organisations could face seven-figure fines for data breaches, according to the review of data sharing ordered by the prime minister. In a wide-ranging report, which also recommends the scrapping of the edited electoral roll, information commissioner Richard Thomas and Mark Walport, director of medical charity the Wellcome Trust, recommend that the government introduce fines which mirror those made by the Financial Services Authority (FSA) in such circumstances.
2008-07-11 - Open Rights Group - Data Sharing Review
Author: Glyn Wintle
Summary: The Data Sharing Review, commissioned by the Prime Minister last October to look at the use and sharing of personal information in the public and private sectors, published its final report today. The report argues that data sharing is shrouded in confusion and spotlights deficiencies in the organisational culture of those who collect, manage and share personal information. Its authors call for personal data to be handled, like any valuable asset, with respect. We attended workshops with the reports authors and drafted a submission emphasising the risks rather than the benefits associate with data sharing. In the conclusion to our submission, we said, "If customers were to participate fully in the design and decision-making of the public services intended to benefit them it seems to us very unlikely they would come up with the centralised databases and data sharing approach of Transformational Government." The report is 80 pages long (ignoring the annexes, all 112 pages of them) so if you don’t have time to read it all, here are some points of interest.
2008-07-11 - Ministry of Justice - Data Sharing Review
Author: Richard Thomas and Dr Mark Walport
Summary: The report neglects to make specific recommendations on any of the current or future large government databases. This is deeply regrettable as a missed opportunity to encourage respect for personal data and greater trust in the public and private bodies who store our data. Even if all the recommendations are followed, the impact of this report will be minor: a toothless regulator will gain some powers, medical research will become easier, and sale of the edited electoral register will be prohibited.
2008-07-07 - Computing - ICO: we need new data protection laws
Author: Tom Young
Summary: Richard Thomas says data protection laws are seen as out of date and bureaucratic. "It is showing its age and is failing to meet new challenges to privacy, such as the transfer of personal details across international borders and the huge growth in personal information online," he said. "It is high time the law is reviewed and updated for the modern world."
2008-07-07 - The Register - Daily Mail loses employee info
Author: John Oates
Summary: The Daily Mail and General Trust have lost their employee info, names, addresses, bank accounts and sort codes. Yet another lost laptop.

June

2008-06-30 - Computing - Unencrypted NHS laptop lost
Author: Tom Espiner
Summary: An unencrypted laptop containing medical details of several thousand patients has been stolen from the car of a senior Colchester University Hospital manager. The details included names, dates of birth, postcodes and treatment plans.
2008-06-25 - The Scottish Government - Data Handling in Government
Summary: A review of data handling by the Scottish Government. The assessment of the review team was that further measures were needed to improve the security of sensitive information. ... There must be visible and transparent measures in place to demonstrate that the personal data of citizens is treated with sensitivity, care and diligence. ... Scotland's performance in protecting privacy has been recognised by the international group Privacy International. In the 2007 Review of global privacy for the first time Scotland was given its own ranking score and performed significantly better than England and Wales.
2008-06-25 - BBC - HMRC culture 'caused discs loss'
Summary: Mistakes that led to the loss of 25 million child benefit records can not be blamed on a single government official, a report is expected to say. The Poynter report could cast doubt on government claims one junior member of staff was responsible for the breach. It will highlight "cultural failures" at HM Revenue and Customs (HMRC) and say practices were "far from what they should have been," sources say.
2008-06-25 - MOD - Report into the Loss of MOD Personal Data
Summary: Report into the Loss of MOD Personal Data - Sir Edmund Burton Review and MOD's action plan in response to the Burton Report. The stolen laptop, designated TAFMIS-R(H)SQL, was one of a small population of, currently, 512 laptops, which hold a large database incorporating over 600,000 personal records. Investigations revealed that a total of 4 of these laptops have been stolen since 2004 (all from parked cars). Only the recent theft appears to have led to disciplinary proceedings. Although the security instructions for the safekeeping of laptops were clear in prohibiting them from being left in unattended vehicles, they did not dictate that the data must be encrypted.
2008-06-24 - ZDNet - Scottish Ambulance Service loses encrypted 999 disc
Author: Tom Espiner
Summary: The Scottish Ambulance Service has lost a disc containing the encrypted 999 call details of almost one million people. The disc was reported lost last week by courier TNT ... the disc had been encrypted ... included a copy of the record of 894,629 calls made to the ambulance service.
2008-06-24 - ZDNet - Whitehall reports 30 data losses since November
Author: Tom Espiner
Summary: Since HM Revenue & Customs reported in November that it had lost the details of 25 million child-benefits claimants, Whitehall has suffered a further 30 security breaches, the Information Commissioner's Office revealed on Monday. The breaches came to light in a written answer from justice minister Michael Wills to a question from shadow cabinet minister Francis Maude. Wills said Whitehall had reported 30 data breaches to the ICO since November, while local government had reported 17, other public-sector organisations had reported 50, and the private sector had reported 41.
2008-06-20 - The Register - Virgin Media collects customer banking details on CD, then loses it
Author: Chris Williams
Summary: Virgin Media is conducting an internal inquiry into why 3,000 customers' bank details were burned to a CD which was then lost, it emerged today. ... While the financial cost to customers will be zero, and negligible for Virgin Media, the embarrassment should be massive. Public awareness of the dangers of data loss remains high in the wake of last year's HMRC debacle and its many sequels, and if we can't trust a network operator to shift information securely then who can we?
2008-06-16 - Computing - MPs move against data surveillance
Summary: A House of Commons committee has demanded the government adopt a data minimisation strategy to reduce the risk of Britain becoming a "surveillance society". The committee's hard-hitting report, which warns of growing public disquiet over data practices, is aimed primarily at the Home Office and Cabinet Office. A series of government data security breaches have given extra force to the report's conclusions.
2008-06-08 - BBC - ID cards 'could threaten privacy'
Summary: The government should limit the data it collects on citizens for its ID card scheme to avoid creating a surveillance society, a group of MPs has warned. The home affairs select committee called for proper safeguards on the plans for compulsory ID cards to stop "function creep" threatening privacy. It wants a guarantee the scheme will not be expanded without MPs' approval. The Ministry of Justice said it had to balance protecting the public with protecting a right to privacy. ... The report referred to the loss of two discs containing the personal details of 25m people last year. "The minister's assurances that the government has learned lessons, though welcome, are not sufficient to reassure us or, we suspect, the public," it said.
2008-06-08 - The Register - UK is not a surveillance society, MPs claim
Author: John Oates
Summary: The Home Affairs Committee has called on the government to follow a "minimum data, held for the minimum time" approach to British citizens' personal information in its long-awaited report into surveillance. ... On Home Office use of databases and sharing data the committee said there were three questions to be answered: "Where should the balance between protecting the public and preserving individual freedom lie? How should this balance shift according to the seriousness of the crime? What impact will this have on the individual and on our society as a whole?"
2008-06-08 - Kable - Committee calls for database prudence
Summary: The government should vow to collect only essential data on people and hold it only for as long as is necessary, the Home Affairs Select Committee has recommended The committee says that decisions to create new databases, to start sharing data or to increase surveillance of people should only take place when there is a proven need, in a report issued on 8 June 2008. "In general the government should move to curb the drive to collect more personal information and establish larger databases," the report says. It adds that, as a preliminary risk assessment, privacy impact assessments should be undertaken before the design of a project begins and should then be independently audited.

May

2008-05-28 - Computing - Ministers back web security position
Author: Tom Young
Summary: Baroness Vadera, parliamentary under-secretary of state for the Department for Business, Enterprise and Regulatory Reform (BERR) supported the government's rejection of calls for a data breach notification law. ... the government specifically rejected calls by the Lords to give the ICO powers to spot-check government departments' data protection policies, saying "the government believes that the current enforcement regime for data protection is fit for purpose". Less than a month later HM Revenue and Customs lost the personal details of 25 million families. The data included names, addresses and bank details.
2008-05-21 - BBC - ICO investigates Tories for emailing voting intentions of 8,000
Summary: The Information Commissioner is launching an investigation after the Conservatives accidentally sent details of 8,000 people to a radio station. The e-mail sent contained the names, addresses, telephone numbers and intentions of voters in the Crewe and Nantwich by-election.
2008-05-21 - BBC - CPS criticised over DNA data disc
Summary: An inquiry has found "significant shortcomings" in the Crown Prosecution Service's handling of DNA data linked to serious crimes abroad. ... The inquiry found no evidence that the disc had been copied or ever left the building. Instead, it blamed individual failings and said they were now the subject of disciplinary action.
2008-05-16 - BBC - Review ordered after disc is lost
Summary: A disc containing personal and protectively marked material relating to the Rosemary Nelson Inquiry has been lost.The inquiry said it deeply regretted "this serious breach of secure data handling protocols". The compact disc went missing on 6 May.
2008-05-11 - politics.co.uk - Government slammed over data breach
Summary: The government has been sending out highly sensitive data in packages with the passwords necessary to access it, it has been revealed today. The admission comes from an internal email at the Department for Work and Pensions (DWP) by one of the department's security advisers which was leaked to internet blog Dizzy Thinks. The email reads: "I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07. "However, once the data and the separate password are received, staff are then forwarding the data and password on together. This defeats the purpose of the security measure entirely."

April

2008-04-30 - ZDNet - BCS: Gov't data breaches have eroded public trust
Author: Tom Espiner
Summary: The British Computer Society has criticised the government, claiming its high-profile data breaches have eroded public trust. On Tuesday the BCS published the results of a survey of members of the public. Of the 1,025 respondents, 66 percent said their trust in government departments had decreased due to information breaches such as the loss of 25 million personal records by HM Revenue & Customs last year. ..."People inside the public sector know [it] is not terribly surprising that [breaches such as HMRC's] happened, but for people outside the public sector this was a huge shock."
2008-04-28 - silicon.com - House of Lords backs data loss law change
Author: Nick Heath
Summary: Losing personal data took a step closer to becoming a criminal offence after the House of Lords backed a change in the law. Peers supported an amendment to the criminal justice and immigration bill which would make it a criminal offence to carelessly release or lose personal data. The amendment, proposed by Liberal Democrat Lady Miller, would make it an offence for anyone to "intentionally or recklessly disclose information" or "repeatedly and negligently" allows information to be disclosed.
2008-04-23 - OUT-LAW - Privacy chief notified of 94 data breaches since HMRC debacle
Summary: The Information Commissioner has been notified of almost 100 data breaches by public and private sector organisations since the loss of 25 million people's details by HM Revenue and Customs last November, according to figures released yesterday. Half of the 28 private sector security breaches were by financial services companies. The problem of the loss of personal information gained in profile in the aftermath of HMRC's loss of two discs containing the entire register of people claiming child benefit last year. The information on the discs included names addresses and banking details of 25 million people, leading to widespread fears of identity theft.
2008-04-23 - Kable - Hold less data says information commissioner
Summary: "Data protection to a large extent is about data minimisation," Thomas told the Infosecurity Europe conference in London on 22 April 2008. "Take the missing MoD laptop (reported in January). The media talk about the military person who left the laptop in the back of his car, but there are more fundamental questions." "Why were 600,000 details being collected in the first place, of casual enquirers about joining the armed forces, and applicants and recruits? Why was it kept for so long? Why was data there for 10 years? What use was it being put to, why was it being collected and retained?" "Then, why was the entire database transferred to a laptop? Then, why was the laptop not encrypted? And only then do you get to the question, why did it get left overnight in the back of a car?"
2008-04-22 - The Times - Top officials to be held to account for data losses
Author: Jonathan Richards
Summary: Senior Whitehall figures are to be held personally responsible if their department loses or mishandles personal information, under a range of measures designed to increase data security. Officials across the public sector, including permanent secretaries and chief executives of NHS trusts, are to be forced to take data protection "much more seriously" under proposals due to be laid out by Gus O'Donnell, the Cabinet Secretary. In the coming weeks Mr O'Donnell is expected to present the findings of a report on data security. The report was commissioned by the Prime Minister in the wake of the loss of 25 million child benefit claimant records by the HMRC in November.
2008-04-22 - Kable - Minister seeks to cut £30 ID card cost
Summary: Home Office minister Meg Hillier has said the government wants industry to help drive down the cost of the identity cards to the public. ... Hillier said that some 60% of citizens are in favour of identity cards and that the percentage has remained steady, despite the huge data loss at HM Revenue and Customs. She predicted that as identity cards are rolled out people will realise the benefits of carrying them.
2008-04-13 - BBC - Sensitive data 'lost by councils'
Summary: Personal data about members of the public has been lost or wrongly revealed by 13 London councils in the last year, a BBC survey has found. Some 23 councils replied to the freedom of information request, with more than half saying data had been lost, stolen or inadvertently disclosed. In one instance, sensitive information about children in care was stolen when a youth worker took files into a bar.
2008-04-09 - BBC - Data loss prompts security move
Author: Niall Blaney
Summary: Thousands of "ultra-secure" computers costing £6m are to be bought by the NI executive following a series of embarrassing losses of personal data. About 4,000 high-security laptops and 10,000 new desktop computers are being bought. The BBC has also learned the Civil Service is to launch a secure system which may do away with sending people's details through the post. Discs containing the details of 6,000 NI drivers went missing in December.

March

2008-03-25 - Computing - One in 10 citizens trust government with data
Author: Tom Young
Summary: Only one in 10 people trust the government with their personal data, according to a survey by ICM Research for supplier Data Encryption Systems (DES). The survey highlights the extent to which the government's track record on data security has impacted public opinion.
2008-03-20 - Computing - Public losing confidence in government security
Author: Tom Young
Summary: The recent spate of high-profile data losses has led the public to take more care of their personal information, according to the Information Commissioner’s Office (ICO). Some 85 per cent of people now refuse to give out personal details wherever possible.
2008-03-20 - ZDNet - Public gets more savvy about data security
Author: Tim Ferguson
Summary: People in the UK are becoming much savvier with their personal information, suggesting the recent spate of high-profile data breaches has had an impact. An Information Commissioner's Office (ICO) survey has found eight out of 10 people are now taking more care with their personal information.
2008-03-18 - out-law - Government must take data protection more seriously, says Parliament committee
Summary: The minister responsible for data protection should be more powerful according to a Parliamentary committee which has also condemned the Government for not taking data protection seriously enough. The Joint Committee on Human Rights said that a spate of recent losses of personal data by the Government or its agencies is "symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously … the rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards." "The fundamental problem is a cultural one: there is insufficient respect for the right to respect for personal data in the public sector," the Committee said. The Committee was reporting on a series of data protection breaches by public authorities, the most serious of which was the loss of personal and banking details of 25 million people by HM Revenue and Customs last November.
2008-03-17 - ZDNet - HMRC named 'internet villain' of the year
Author: David Meyer
Summary: This year, HM Revenue & Customs (HMRC) won the villain award for losing millions of citizens' personal data.
2008-03-17 - Kable - Data breaches damage trust in government
Summary: Two thirds of Britons trust government less as a result of recent data losses, according to research for the British Computer Society. When asked to describe their level of trust in established institutions, such as government departments, to correctly manage their data following recent data breaches and losses, 66% said their trust had decreased, 31% said it had stayed the same, and 1% said it had increased.
2008-03-14 - ZDNet - MoD admits loss of over 11,000 ID cards
Author: Nick Heath
Summary: The Ministry of Defence has admitted that more than 11,000 military ID cards have been lost or stolen in the past two years.
2008-03-14 - Information World Review - MPs raise fears over data protection for national ID register
Summary: Repeated breaches of data protection laws by government departments raise huge question marks over plans for the national identity register required for ID cards and biometric passport, an influential parliamentary human rights watchdog has warned. MPs and peers on the Lords and Commons Joint Committee on Human Rights said repeated losses of personal information by departments had increased their concern, and announced they "intend to take a close interest in the government's detailed proposals for the national identity register as and when they emerge."
2008-03-14 - Kable - Government's "insufficient respect" for personal data
Summary: MPs have said recent data protection breaches are "symptomatic of the government's failure to take safeguards sufficiently seriously". The report from Parliament's joint committee on human rights says that the problem with government data protection is cultural: "There is insufficient respect for personal data in the public sector."
2008-03-11 - Justice Committee Press Release - Government response to Committee report on private data loss published
Summary: Chairman of the Committee, Rt Hon Alan Beith MP said: "I think it was a shock to the public to find that such sensitive personal data could so easily be accessed and downloaded, and that it was possible for such data to be so easily lost, and of course further examples have come to light since the massive scale of the HMRC data loss was revealed. The public are going to take a lot more convincing that the Government has got a grip on this problem."
2008-03-06 - The Register - Tories call for big changes to cybercrime offences
Author: John Oates
Summary: Civil servants who lose public data could be prosecuted under proposals announced by the Conservative Party. It's one of a number of measures touted, as the Tories call for major changes in how the UK deals with cybercrime and data protection. ... the Tories are also calling for a "breach law" - forcing financial services companies to inform the Financial Services Authority if their systems are hacked or compromised in some way and confidential data is at risk.
2008-03-04 - The Guardian - More than 1,000 government laptops lost or stolen, new figures show
Author: Elizabeth Stewart
Summary: More than 1,000 laptops have been lost or stolen from government departments in recent years, new figures have revealed. Details of departmental losses were disclosed to MPs in a series of written ministerial answers to the House of Commons which reveal that at least 1,052 laptops have gone missing, including 200 in the last year alone.

February

2008-02-28 - BBC - Home Office CD in auction laptop
Summary: A highly confidential Home Office disk was found hidden in a laptop computer sold on eBay. The CD was found between the keyboard and circuit board of the laptop by computer repair technicians in Westhoughton, near Bolton. When engineers took off the keyboard they found a CD marked "Home Office - highly confidential".
2008-02-27 - Kable - Minister defends ID security
Summary: The National Identity Register will have very limited access, stringent security and no risk of 'discs flying around', MPs have been told Home Office minister Meg Hillier defended the government's plans for its controversial National Identity Scheme, as she faced questions about data security from a committee of MPs. Hillier, who has responsibility for identity cards, said it was important to win public confidence in the scheme, particularly following a number of recent cases in which the government had misplaced or lost confidential data. The biggest loss was at HM Revenue and Customs (HMRC). It sent two discs with the details of 25m families to the National Audit Office by courier, which failed to arrive.
2008-02-22 - The Telegraph - Child database 'will never be fully secure'
Summary: Ministers faced calls to scrap a controversial database containing the personal details of every child in England yesterday after warnings that it would never be completely secure. An independent report called for tighter security to be put in place for the £224?million ContactPoint system, which is due to be introduced later this year. Ministers asked the consultants Deloitte to review arrangements for the database after the lost computer discs scandal at HM Revenue and Customs last November. MPs called on the Government to release the report in full after ministers decided to publish no more than a five-page summary for security reasons.
2008-02-21 - NO2ID - Government tries to ignore security risk to millions of families
Summary: A report commissioned by the government following the HMRC Child Benefit data breach last year confirms that the ContactPoint database, intended to contain the details of every child and parent in the country, can never be made secure. This confirms objections that NO2ID and other campaigners have been pressing since the passing of the Children Act 2004. The report by Deloitte and Touche, of which a summary was published this afternoon, says: "It should be noted that risk can only be managed, not eliminated, and therefore there will always be a risk of data security incidents occurring." The government has refused to publish the full report, 'for security reasons'. In essence it is trying to ignore the problem. It appears from the Executive Summary that has been published that Deloitte confirms some of the issues identified by campaigners well before the legislation had been passed. Phil Booth, NO2ID’s national coordinator, said: "If the report identifies problems in ContactPoint, then the government should face up to them – not try to keep them secret. Ministers can no longer say, "You’ll just have to trust us". We know we can't." "If the government's own report says no system accessible by over 300,000 people can ever be made secure, the answer is not to ignore it and hope everyone forgets. What will they do when - not if - the system is abused? Hide that too?" "ContactPoint is just one more case where official face-saving trumps the basic rights of the general public. Behind the cosy slogan, 'every child matters' seems to mean putting every child equally at risk. If the government cared about more than sloganising, it would scrap the whole scheme immediately."
2008-02-20 - Finacial Times - MPs deride £5.4bn cure-all
Author: Jim Pickard and Jimmy Burns
Summary: Meg Hillier, Home Office minister, will next week outline details of the next phase of Britain's £5.4bn ID card programme - with the government insisting that the public still wants the scheme. But with MPs yesterday calling for the project to be ditched, ministers have a fight on their hands to justify not only its cost but its scope. ... a series of public data losses have further dented confidence in the scheme.
2008-02-20 - Channel 4 Political Slot - Channel 4 Political Slot: No to ID cards
Author: Nick Clegg MP
Summary: Nick Clegg said "The child benefit scandal has made it crystal clear they can not be trusted with our personnel information. In fact this government has lost more of or private data than any government in history. Your information is simply not safe in their hands."
2008-02-18 - The Sun - 20,000 bank files found in squat
Author: Oliver Harvey
Summary: Sensitive information on 20,000 people – including their bank account numbers and health details – has been found dumped in a hippy squat. ...Documents included names, phone numbers and addresses, dates of birth, pay slips, bank forms and details of private interviews with benefit claimants. ...The Haringey Council files – many stamped "Confidential" - date from the 1980s to 1993.
2008-02-15 - ZDNet - ICO: Data-breach spate 'no worse' than normal
Author: Tom Espiner
Summary: The Information Commissioner's Office has said that the rash of data-breach reports in the past five months is due not to more data breaches, but to more people admitting to them. HM Revenue & Customs' loss of 25 million details of people claiming and receiving child benefit was the catalyst for a surge of data-loss reports, an ICO spokesperson told ZDNet.co.uk on Friday. "More people are stepping forward as they realise the importance of data breaches," said the spokesperson. "We don't think the situation is any worse. Back in July last year we highlighted the need for more data protection."
2008-02-14 - BBC - Medical records laptop is stolen
Summary: A laptop containing the medical records with information on 5,123 patients has been stolen from a Black Country hospital.
2008-02-10 - The Observer - We trusted this country. Look how it treats us
Author: John Gray
Summary: The fiascos of 'e-government' are not anomalies that can be corrected by more rigorous procedures. The billions that have been squandered on unworkable computer networks in the NHS and the repeated loss of data throughout government are signs of a dysfunctional system. The disappearance of millions of learner drivers' details somewhere in the Midwest is par for the course. Nothing that has been announced by Gordon Brown will prevent similar debacles. Inevitably, there will be more such incidents - plenty more.
2008-01-06 - The Guardian - Poll shows growing opposition to ID cards over data fears
Author: Alan Travis
Summary: 25% now strongly against their use, says ICM survey, Majority concerned about sharing of personal details, 50% against 47% in favour. The number of people strongly opposed to the introduction of a national identity card scheme has risen sharply, according to the results of an ICM poll to be published today. Those campaigning against ID cards said last night that the poll, with results showing that 25% of the public are deeply opposed to the idea, raises the prospect that the potential number of those likely to refuse to register for the card has risen. If the poll's findings were reflected in the wider population, as many as 10 million people may be expected to refuse to comply. The ICM survey also shows that a majority of the British people say they are "uncomfortable" with the idea that personal data provided to the government for one purpose should be shared between all Whitehall-run public services.
2008-02-05 - ZDNet - BlackBerrys grounded by Whitehall data ban
Author: Nick Heath
Summary: Government BlackBerry devices and PDAs have been grounded by the Whitehall-wide ban on the movement of unencrypted personal data. The devices have fallen foul of the department-wide ban imposed by cabinet secretary Sir Gus O’Donnell in the wake of the revelations about the Ministry of Defence data loss last month that resulted from a stolen laptop. The Cabinet Office confirmed that any government electronic device, even down to a mobile phone, would have to have any personal data encrypted before it could leave Whitehall premises.
2008-02-04 - Liberal Democrate Press Release - 100,000 families didn't receive letter of apology over lost discs fiasco
Author: Danny Alexander MP
Summary: Over 100,000 families didn’t receive a letter of apology from the Government after their child benefit data was lost last year, according to figures obtained by the Liberal Democrats. After losing the personal details of every child benefit recipient last year, the Chancellor promised to send out a letter informing each of the 7.25 million households of the error and apologising. But 101,500 of the addresses lost were not ‘current’, perhaps because the records had not been updated since a family had moved, so these households have still not yet received a letter. Commenting, Liberal Democrat Shadow Work and Pensions Secretary, Danny Alexander said: "The loss of millions of families’ personal details was beyond incompetent yet the Government has gone one better by failing to contact all the families affected." "It's bad enough that people are now at risk of fraud and identity theft, but the least ministers could do is make a serious effort to contact each family to apologise." "From losing personal records to wrongly paying tax credits, this bungling Government is failing families across the board."
2008-02-01 - OUT-LAW - Expect Government to be interested in your IT security
Author: Dr Chris Pounder
Summary: Disaster has struck and all big organisations should be preparing to pay the price. In the aftermath of the HM Revenue & Customs (HMRC) loss -of personal information and a subsequent flood of data security breaches, large organisations should be ready to prove that they can take care of personal information. Anyone who thought that the HMRC disaster was a one-off could not hold that view for long as a Ministry of Defence laptop, a Marks & Spencer employee database and others have created an ever-growing list of organisations suffering a loss of important or confidential data. ... Already the Government has conceded that it intends to provide increased power to the Information Commissioner to carry out inspections and audits, and has introduced a two-year custodial offence where malpractice with respect to personal data can be linked to staff malfeasance.

January

2008-01-31 - The Guardian - Our state collects more data than the Stasi ever did. We need to fight back
Author: Timothy Garton Ash
Summary: To trust in the good intentions of our rulers is to put liberty at risk. I'd go to jail rather than accept this kind of ID card. ... Today, the people of East Germany are much less spied upon than the people of Britain. The human rights group Privacy International rates Britain as an "endemic surveillance society", along with China and Russia, whereas Germany scores much better. ... All this from a government which, having collected so much data on us, goes around losing it like a late-night drunk spreading the contents of his pockets down the street. Twenty-five million people's details mislaid by Her Majesty's Revenue and Customs; at least 100,000 more on an awol Royal Navy laptop; and so it goes on. ... The Liberal Democrat leader Nick Clegg has said he would go to jail rather than accept an ID card of this intrusive kind. So would I. And so, I believe, would many thousands of our fellow-citizens. (There's a good website called NO2ID where you can join the fray.) Which is why, I suspect, the government won't be so foolish. But we need to draw the line well before ID cards. There are liberties that we have already given away, while sleeping, and we must claim them back.
2008-01-28 - The Telegraph - Online tax system 'too risky' for the famous
Author: Robert Winnett
Summary: Thousands of "high profile" people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk. This provoked anger from consumer groups and accountants who said the same levels of security should be offered to all taxpayers regardless of their perceived fame. HMRC was responsible for losing 25 million child benefit records and the latest admission will concern millions of people entrusting the online system with their confidential financial records.
2008-01-27 - Financial Times - No ID, no problem
Summary: In the two years since legislation for a UK national identity card scheme gained royal assent, the case against the multi-billion pound programme has become overwhelming. ... Ministers argue that ID cards would reduce identity and benefit fraud. But Revenue & Customs’ loss of two computer discs containing personal details of 25m people, including bank account numbers, has instead exposed the opportunity for abuse on an undreamed of scale.
2008-01-24 - Computing - Why personal data loss must not be tolerated
Author: Mike Howse
Summary: In the recent HM Revenue & Customs (HMRC) data debacle (Discgate), employees at all levels of seniority neglected security policies and procedures, copied database information to disks, and sent data unencrypted in the post. In the past few weeks we have seen multiple data loss reports: Northern Ireland drivers’ licence details, Merseyside health workers’ data and HMRC’s admission that its Cardiff office either lost the personal details of more than 6,500 people claiming pensions and/or sent the data to unauthorised recipients
2008-01-23 - The Independent - Court case data discs go missing
Author: Vicky Shaw
Summary: Personal details from court cases contained on four CDs have gone missing in the post, the Government said today. The Ministry of Justice launched an investigation after the information was lost when it was sent recorded delivery. A spokeswoman would not comment on a report that the missing courtroom data discs contained details of at least 55 defendants and other restricted data not released in open court, potentially including the names and addresses of alleged victims and witnesses. ... The MoJ released a brief statement which said: "Her Majesty's Inspectorate of Court Administration (HMICA) confirms that four CD-Roms are missing." "They were sent recorded delivery. Ministers and the Information Commissioner were notified immediately it was recognised that personal data had been lost." "An investigation is under way so it would be inappropriate to comment further at this stage." Yesterday saw a new ban come into place on Whitehall staff removing unencrypted laptops containing personal data from their offices.
2008-01-23 - Computer Active - ID cards to arrive in 2012
Author: Andrea-Marie Vassou
Summary: UK citizens will receive their compulsory national ID card two years after the proposed date, according to documents leaked to the Conservative party. ... Security expert Richard Clayton agreed, attributing the delay to the Government's recent "incompetent handling of private data". Becky Hogge, director at the the Open Rights Group told Computeractive: "It would come as no surprise if the Government was to reconsider its plans for ID cards given its recent record on data protection."
2008-01-22 - The Register - MoD laptop losses expose government data indifference
Author: John Oates
Summary: The latest data giveaway by the UK's Ministry of Defence shows that not even the most basic IT policies are being followed. There are various ways to ensure laptops do not go astray when loaded up with sensitive information. The most basic is that such information should not be on any machine unless absolutely necessary. The second policy would be to take some action to ensure the laptop was kept physically safe - so leaving such a laptop in an empty car overnight is probably not a good idea. Assuming one or both of these steps were followed, the MoD could then use various types of technology to ensure the data was safe if the worst did happen and the machine was stolen - it could password protect the machine and it could encrypt the data.
2008-02-23 - The Scotsman - 'Two-year delay' blow for ID card proposals
Author: Gerri Peev
Summary: Gordon Brown's plans for identity cards were dealt a blow last night after leaked documents revealed the government plans to delay a national roll out of the scheme for at least two years. ... David Davis, the shadow home secretary said: "I should think this scheme is in the intensive care ward." "There are clear faults in the whole government strategy as demonstrated from disc-gate to Birmingham-gate or whatever you want to call it." "There is a clear fracture in public confidence. When we started there were 80 per cent for it. Now I suspect 80 per cent oppose it." "It all amounts to giving the government an insoluble problem." "It is a political nightmare for them which why there have been serial delays."
2008-01-22 - The Guardian - MoD admits inquiry into 69 lost laptops
Author: Richard Norton-Taylor
Summary: Stolen files not encrypted, Browne tells Commons as Whitehall issues staff ban on movement of data. ... two further laptops containing unencrypted information on at least 500 people had been stolen since 2005. A Royal Navy laptop was stolen from a car in Manchester in October 2006 and an army laptop was stolen from a careers office in Edinburgh in December 2005. These losses were on top of the 69 laptops and seven PCs reported stolen from the ministry.
2008-01-22 - Kable - Navy recruiters broke data regulations
Summary: Defence minister Des Browne has told the House of Commons that officials broke Ministry of Defence (MoD) procedures by placing individuals' data on laptops. ... "It's not clear why recruiting officers routinely carry information on a large number of people or why the database should carry all that information at all," he said.
2008-01-22 - ZDNet - MoD lost three unencrypted laptops
Author: Tom Espiner
Summary: Secretary of state for defence Des Browne has admitted that the laptop lost by the Ministry of Defence containing details of up to 600,000 defence personnel was not encrypted, and also that services personnel have previously lost two more laptops containing similar unencrypted recruitment information.
2008-01-22 - Computing - Whitehall looks to encryption
Summary: Urgent moves to boost the capacity of Whitehall departments to encrypt data are underway following a ban on removing laptops containing unencrypted personal data from government offices. Orders were issued by cabinet secretary Sir Gus O'Donnell as MPs grilled defence secretary Des Browne on the loss of two further Ministry of Defence (MoD) laptops prior to the one containing data on 600,000 recruits nearly two weeks ago. Browne announced that, in addition to the Whitehall-wide review, he has commissioned an investigation into weaknesses in MoD information security by Information Advisory Council chairman Sir Edmund Burton.
2008-01-21 - Three military laptops with secure data missing
Author: Nico Hines
Summary: Three military laptops containing personal details of new recruits have been stolen from Ministry of Defence staff since 2005, Des Browne was forced to admit today. The Defence Secretary was making a statement to the House of Commons explaining the loss of a laptop containing the personal data of 600,000 people earlier this month when he made the embarrassing admission.
2008-01-21 - The Guardian - The national ID register will leak like a battered bucket
Author: Jackie Ashley
Summary: The record of lost data of the past few years should be a warning to us all: our personal details are safe in nobody's hands. ... last year when the child benefit records for a mere 25 million people, including dates of birth, national insurance numbers and bank and building society details, were lost by HM Revenue and Customs (HMRC). ... As it happens, the HMRC had lost details of 15,000 people when they were sent to Standard Life the previous month. Also in September an HMRC laptop was lost with the details of 400 Isa holders on it. ... And there were other similar incidents, going back at least to 2005. Indeed, according to parliamentary answers HMRC had in the previous year been responsible for a modest 2,111 data-protection breaches. ... The government is going to introduce a single system for all our identities. And I promise, you can't trust it. It will leak like a battered old bucket.
2008-01-21 - ZDNet - Government at a loss over data security
Summary: With the Ministry of Defence's loss of more than half a million personal details from a car in Birmingham, the best that can be said is that it's nearly 24.5 million fewer records than HMRC managed. No doubt Gordon Brown will be announcing this as a 97.5 percent reduction in serious stupidity per quarter. Even at this rate, however, the entire country's private information will be in criminal hands by 2012. The Home Office could save time by starting up an RSS feed.
2008-01-21 - ZDNet - MoD loses 600,000 personal details
Author: Tom Espiner
Summary: The Ministry of Defence has admitted losing the details of 600,000 people after the theft of a laptop from a Royal Navy officer in Birmingham last week. The MoD also lost the bank details of approximately 3,500 of those people
2008-01-21 - BBC - More MoD laptop thefts revealed
Summary: Defence Secretary Des Browne says a probe into the loss of a laptop with details of 600,000 people has uncovered two similar thefts since 2005. The other two laptops held similar data but on fewer people, he told MPs. ... the information was not encrypted. ... Dr Fox said it was potentially more damaging than HM Revenue and Customs' loss of 25 million people's child benefit details. He also said some 68 MoD laptops had been stolen in 2007, 66 in 2006, 40 in 2005 and 173 in 2004.
2008-01-19 - The Telegraph - MoD under pressure to explain data loss
Author: Robert Winnett and Juliet Turner
Summary: Des Browne, the Defence Secretary, has come under intense pressure to explain the loss of the personal details of 600,000 people interested in joining the Armed Forces. The data was saved on a laptop computer that was stolen from a Royal Navy officer in Birmingham last week on the night of January 9, but the MoD only disclosed it had been lost late last night. ... Simon Davis from the privacy watchdog Privacy International said: "I'm flabbergasted. I cannot believe that our flagship security unit the MOD cannot get the handling of information right. "To think that somebody would have a laptop containing unencrypted information rivals the HMRC data breech." "The problem is that there are so many procedures in place to protect information that nobody knows which one's in place. Junior officials can't remember them and nobody knows what's happening." "We need to slim-down the amount of procedures in place to protect information."
2008-01-19 - The Independent - Ministers face embarrassment over stolen laptop and further data losses
Author: Nigel Morris
Summary: Ministers faced further questions over data security last night after a laptop computer containing the details of 600,000 people was stolen and hundreds of documents listing personal data on benefits claimants were found dumped at a roadside. The disclosures - three months after computer discs listing child benefit records of 26 million people vanished – left the Government facing fresh embarrassment over the security of personal data
2008-01-19 - The Scotsman - 600,000 armed forces files lost – but MoD takes nine days to admit theft of laptop
Author: Russell Jackson
Summary: The goverment was at the centre of another data-breach row last night after revealing a Royal Navy officer's laptop containing the details of 600,000 people had been stolen. ... Information experts immediately asked why the sensitive information was not encrypted. The government has been dogged by information breaches since October when it admitted losing the entire child-benefit database after two CDs went missing from HMRC.
2008-01-18 - Accounting Web - HMRC's Paul Gray never resigned, Cruickshank did
Summary: "Paul Gray didn't resign," it went. "He was pensioned off due to ill-health. He had two slipped discs." Boom boom, as Basil Brush would add. But the joke came far closer to the truth than any journalist did. Paul Gray, for those of you with short or just very selective memories, was chief executive of HMRC, who resigned when the missing CDs were formally announced. The action was lauded as a rare example of professional honour in an age where most politicians and senior civil servants carry on regardless. But is that what really happened? On closer inspection, it appears that Gray never really resigned at all. ... When Cerberus spoke to HMRC, a press officer confirmed the truth: Gray retired, he did not resign.
2008-01-18 - ZDNet - HMRC letters of apology cost £2.25m
Author: Nick Heath
Summary: The government has admitted it cost £2.25m to send letters of apology to people affected by the loss of 25 million child-benefit records by HM Revenue & Customs.
2008-01-15 - Web User - HMRC up for web villain award
Summary: The Internet Service Providers Association (ISPA) has named the candidates for its Internet Villain of the Year 2007 award. ... HM Revenue and Customs (HMRC) was nominated for the Villain of the Year award for "failing to take the protection of peoples' personal data seriously and highlighting bad practice in protecting data by losing computer disks containing confidential details of 25 million child benefit recipients," ISPA said.
2008-01-15 - ZDNet - Police demand HMRC foots bill for disc search
Author: Nick Heath
Summary: Scotland Yard will demand HM Revenue & Customs foots the record bill for the police force's hunt for the missing data discs containing 25 million child-benefit records. ... A spokeswoman for HMRC said the department has agreed to pay the costs that "we have triggered as a result of the police investigation into the disappearance of the child-benefit data".
2008-01-15 - The Guardian - Personal data is as hot as nuclear waste
Author: Cory Doctorow
Summary: We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back
2008-01-13 - The Telegraph - Hunt for data discs lost in post is called off
Author: Richard Edwards
Summary: Police have given up the search for the missing Customs and Revenue discs containing personal details of 25 million people after an operation costing the taxpayer tens of thousands of pounds. Scotland Yard sources said the six-week operation was the "most expensive lost property inquiry ever known". Officers found other mislaid documents "stuffed away in cupboards" during a forensic search of the Government department at the centre of the fiasco, but now believe the discs will never be found.
2008-01-10 - Accountancy Age - Bonus payouts for HMRC staff that lost benefit discs
Author: Penny Sukhraj
Summary: The HMRC department that caused the blunder which saw the personal details of 25 million families go missing, has been given £19m in performance-related bonuses. ... Conservative chairman of the Treasury sub-committee, Michael Fallon, described the scale of the payout as 'staggering'. 'Given the over-payments of tax credits and data loss mistakes, constituents might be surprised to learn that a third of staff at HMRC shared a performance-related bonus,' said Fallon.
2008-01-08 - BBC - Clarkson stung after bank prank
Summary: Jeremy Clarkson revealed his account numbers after rubbishing the furore over the loss of 25 million people's personal details on two computer discs. He wanted to prove the story was a fuss about nothing. But Clarkson admitted he was "wrong" after discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK. ... Clarkson now says of the case: "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy."
2008-01-07 - The Telegraph - Government's record year of data loss
Author: David Harrison
Summary: A record 37 million items of personal data went missing last year, new research reveals. Most of the data was lost by government officials but councils, NHS trusts, banks, insurance companies and chain stores also mislaid or published personal information about staff or members of the public. Many losses were caused through CDs going missing in the post, laptop thefts, and inadequate security systems that failed to stop hackers reading information stored on computers.
2008-01-05 - BBC - Teachers 'put pupil data at risk'
Summary: Teachers in nearly half of England's primary schools back up pupil data on CDs and memory sticks, which they then take out of school, research suggests. RM blamed a lack of clear guidance, but the government said it published advice for schools on the issue. The warning comes after a string of data security breaches by government departments and associated agencies.
2008-01-03 - The Guardian - MPs say losing computer data should be made a crime
Author: Tania Branigan
Summary: Recklessly or repeatedly mishandling personal information should become a criminal offence, a committee of MPs urges today in the wake of the child benefit fiasco. A report from the justice select committee says there is evidence of a widespread problem within government and expresses concern that further cases of data loss are still coming to light, adding that concerns about systemic failings were raised two years ago by the man now in charge of the government's review of security. The committee says that companies should be obliged to report information losses.
2008-01-03 - The Register - MPs call for stronger data protection laws
Author: John Oates
Summary: The Commons Justice Committee recommended the introduction of new offences so that a data controller could be charged for recklessly or intentionally disclosing, or obtaining, personal data. MPs echoed fears raised by Information Commissioner that there could well be further data breaches. The committee also noted that government departments cannot currently be held responsible for data breaches.
2008-01-03 - BBC - Tougher data laws needed, say MPs
Summary: Reckless or repeated breaches of data security should become a criminal offence, a committee of MPs has said. Currently, government departments cannot be held criminally responsible for data protection breaches. But a report on the "truly shocking" loss of 25m people's personal details by HM Revenue and Customs, the Commons justice committee demands tougher laws.
2008-01-03 - The Times - Whitehall should be prosecuted over data loss, say MPs in call for new law
Author: Greg Hurst
Summary: MPs are calling for new offences to allow Whitehall departments to be prosecuted for data security blunders such as the loss of child benefit records for 25 million people. The cross-party Commons Justice Committee says that the criminal law must be strengthened to close loopholes and reflect the gravity of offences involving the theft or loss of personal data. Ministers are already planning to toughen sanctions for data protection offences. Government sources suggest that penalties will include up to two years’ imprisonment rather than fines as at present.
2008-01-03 - Computing - Government data needs attention
Summary: The government must balance moves to join up services with the risk of data privacy problems, say MPs. The Commons justice committee report published today re-emphasises the need for wider powers for the Information Commissioner in the aftermath of the HM Revenue & Customs lost discs fiasco.
2008-01-03 - Justice Select Committee - Protection of Private Data
Summary: We are gravely concerned that this incident is not an isolated example

December

2007-12-31 - BBC - Clegg pledging to fight ID cards
Summary: The new Lib Dem leader has pledged to campaign "tirelessly" against "expensive, invasive" ID cards in 2008. Nick Clegg said the recent data loss "scandals" had created a lack of public confidence in the government's ability to look after personal information. His comments were made in his New Year message to the Lib Dem party.
2007-12-30 - The Guardian - Doctors revolt on patient records
Author: Eileen Fairweather
Summary: SENIOR doctors are encouraging a mass revolt against the government’s £12 billion national health database by supporting a campaign to urge patients to opt out. Activists in the British Medical Association (BMA) have produced a pro forma letter that people can send to their GP to stop their records going onto the database. The doctors fear that patients’ records could be misused if they are made available to health workers across the country, as is planned under the Connecting for Health system.
2007-12-30 - The Sunday Times - Beware the state’s ID card sharks
Author: David Davis MP the shadow home secretary
Summary: If Gordon Brown picks one failure from his first six months to learn from, it should be the loss of 25m people’s personal details. If he makes one resolution for 2008, it should be to scrap his reckless plan to introduce compulsory ID cards. "Discgate" was the result of ministerial incompetence, but also flawed policy. As chancellor, Brown relentlessly pursued his forlorn vision of a "joined-up identity management regime" across public services. As prime minister, he continues this vain search, like an obsessed alchemist, for a giant database that his closest advisers ominously refer to as a "single source of truth".
2007-12-27 - The Guardian - Primary school pupils' personal data 'at risk'
Summary: Personal details of 2 million primary schoolchildren in England are being put at risk by staff taking home unprotected data. A survey of almost 1,000 primary schools found that 49% were backing up pupil data on to discs, memory sticks or tapes which were taken off the school premises, exposing the material to loss or theft. IT experts RM School Management Solutions, which carried out the survey, said that only 1% of respondents encrypted the data. A further 4% of schools were leaving sensitive and unprotected data at unsecured locations on the school premises.
2007-12-24 - The Independent - PM in new pledge to secure databases
Author: Andrew Grice
Summary: Gordon Brown has accepted that the Government will need to bring in new safeguards to restore public confidence in the huge databases held by state-run services. ... His pledge came during a telephone conversation with Nick Clegg in the past week.
2007-12-24 - The Financial Times - Concern over data handling grows in UK
Author: Jimmy Burns
Summary: The Department of Health confirmed that nine National Health Service trusts in England and Wales had admitted losing patients' records. The loss, thought to involve data on hundreds of thousands of adults and -children, emerged as part of a government-wide data security review following security breaches in other departments. ... Andrew Lansley, the opposition home affairs spokesman, said the latest loss underlined the case against the government developing centralised data bases. It also raised serious questions over how the planned electronic patients database in the NHS would be able to protect sensitive medical records, he said. "For over two years we have argued for data to be held locally, with networking rather than one central database. The government should accept that this would offer us greater protection," Mr Lansley said.
2007-12-24 - The Guardian - Primarolo admits ignorance over data losses by nine NHS trusts
Author: Patrick Wintour
Summary: The health minister, Dawn Primarolo does not know exactly what is has been lost by nine NHS trusts. Ministers will be worried that the loss will further undermine confidence in the department's plans for a new computer database of all NHS patients' records. ... The data losses appear to have emerged locally, with potentially the biggest loss by City and Hackney Primary Care Trust in London, which has reportedly mislaid the details of 160,000 children after a computer disc failed to arrive at its destination at St Leonard's hospital. ... The campaign group NO2ID, which opposes ID cards and moves to centralise all NHS records, said: "We are now starting to see the consequences of the government obsession with information 'sharing' and centralised IT in the NHS. If you care about your privacy, then keep your medical records between you and your doctor, and out of the hands of the Department of Health, if you can."
2007-12-23 - Yahoo! News - NHS trusts lose patients` details
Summary: Nine NHS trusts have admitted losing patients' information in the aftermath of the HM Revenue and Customs (HMRC) data loss scandal, it has emerged.
2007-12-23 - The Sunday Mirror - Data scandal is a sickener
Summary: Today the Sunday Mirror reveals that medical records have been lost by nine separate health service trusts. Once again, the incompetence is staggering. The most personal details of thousands of people have been treated with scandalous disrespect.
2007-12-23 - The Sunday Mirror - 9 trusts lose files
Author: Vincent Moss and Justin Penrose
Summary: Hundreds of thousands of Health Service patients' details have gone missing in a new data scandal. Sensitive details about adults and children were lost in 10 incidents at NINE separate NHS Trusts. Health Secretary Alan Johnson's department last night confirmed details - kept on computer discs or memory sticks - had gone missing. But the Department of Health refused to reveal how many patients were involved or the exact nature of the blunders. Cases include the loss of a CD holding 160,000 children's names and addresses by a Trust in East London and the loss of 244 cancer patients' details by the Maidstone and Tunbridge Wells health trust in Kent. In one case, in Norfolk and Norwich, medical papers on patients with lung, breast and colon cancer were dumped in a wheelie bin. ... THE TRUSTS: Bolton Royal Hospital, Sutton and Merton, Maidstone and Tunbridge Wells (two incidents), Sefton Merseyside, City and Hackney, Mid Essex, East and North Herts, Norfolk and Norwich, Gloucester Partnership Foundation Trust
2007-12-20 - ZDNet - The lonesome death of data protection
Author: Tom Espiner
Summary: Discgate as Bob Dylan would have song about it.
2007-12-20 - The Guardian - Chattering classes deserve a debate about e-government
Author: Michael Cross
Summary: In the continuing fallout from the child benefit disc disaster, the government's IT chiefs can draw one small consolation: the "transformational government" programme to join up public services through IT is now on the chattering classes' agenda. The chattering is mainly hostile, of course, with a consensus that e-government will create a snooper's paradise or a permanent milch cow for IT consultancies. Or both. ... It involves an old IT management technique called the "scream test": the way to find out what a rambling old IT system is really being used for is to turn it off and see who screams. To kick-start the e-government debate, we should do the same. That's right: turn it all off, from your council's webcam to NHS Healthspace to the DVLA's car tax online service. The whole shooting match, off. The screams, I suspect, will be louder than the chattering classes would have us believe.
2007-12-19 - The Economist - Learning the embarrassing way
Summary: For many years Britain's tiny band of civil libertarians have been trying to alert their countrymen to the danger of proliferating government databases, which allow bureaucrats to share citizens' information among themselves with the minimum of fuss. A string of recent blunders have made their case more powerfully than years of lobbying. The latest to emerge has been the loss earlier this year of 3m driving-test records held at a data centre in Iowa. ... Others see a more fundamental problem. The Foundation for Information Policy Research points out that data losses are an inevitable consequence of the government's determination to build massive databases to keep tabs on its citizens. And despite the embarrassments of the past few weeks, it shows no sign of abandoning the biggest project of all: its plan to introduce identity cards for everyone.
2007-12-19 - The FT - The price of trust
Author: Sue Cameron
Summary: Public trust in HMRC has come in for a further battering this week. First came the progress report on what happened over the missing discs containing half the nation's bank details and what urgent measures should be taken. The report, by Kieran Poynter, chairman of PwC, tells Alistair Darling, the chancellor: "I have seen no evidence thus far that would lead me to conclude that the statement given by you to parliament was inaccurate." Hm. Very guarded. Mr Poynter, whose work is "far from complete", has called for the download function on all HMRC laptops and PCs to be disabled, among other moves, but has shown heroic reticence about criticising HMRC.
2007-12-18 - The Times - Millions more ID records go missing
Author: Philip Webster
Summary: The records of more than three million British learner drivers have gone missing from a "secure facility" in the US, an embarrassed Government admitted last night. Labour’s dismal autumn hit another low as, minutes after ministers admitted that they still did not know the whereabouts of two discs holding sensitive information on 25 million people, they were forced to confess they had lost the details of all candidates for the driving theory test between 2004 and 2007.
2007-12-18 - ZDNet - HMRC did breach data laws
Author: Tom Espiner
Summary: The organisation responsible for administering the UK's data-protection legislation has said the government breached data laws when millions of records were stolen in the data debacle at HM Revenue & Customs.
2007-12-17 - foundation for information policy research - The Government misses the point on Poynter
Summary: The Foundation for Information Policy Research (FIPR) believes that the Government's response to the interim Poynter report shows that they just don't understand what has gone wrong. Their refusal to abandon the headlong rush towards Transformational Government -- the enormous centralised databases being built to regulate every walk of life -- is not just pig-headed but profoundly mistaken. Both Alasdair Darling, commenting on the HMRC fiasco, and Ruth Kelly, telling the House about the loss of 3 million people's personal information, told us that once 'lessons have been learned' and 'procedures tightened' the march to ever-larger database systems will continue. Before Transformational Government came along, only small amounts of data were lost -- but as the new databases cover the whole population, everyone's affected now, not just a few unlucky people. Transformational Government means putting all of the eggs into one basket and it is creating: The multi-billion pound identity card scheme, to hold data on the whole population. The National Health spine, which will make everyone's health records available for browsing by a million NHS workers. ContactPoint which will record details on every child in England, with details of their parents, carers and indicators of whether they have any contact with social services. Three hundred thousand people can look that information up. A universal pensioner's bus pass scheme which will hold the data on 17 million people, and in principle will let any bus driver learn your age and address -- when all that it should record is an entitlement to free travel. Ross Anderson, Chair of FIPR and Professor of Security Engineering at the University of Cambridge said, "the Government believes that you can build secure databases and let hundreds of thousands of people access them. This is nonsense -- we just don't know how to build such systems and perhaps we never will. The correct way to design such systems is to localise the data, in a school, in your local GP practice. That way when there is a compromise because of a technical failure or a dishonest user then the damage is limited. "You can have security, or functionality, or scale -- you can even have any two of these. But you can't have all three, and the Government will eventually be forced to admit this. In the meantime, billions of pounds are being wasted on gigantic systems projects that usually don't work, and that place citizens' privacy and safety at risk when they do." Richard Clayton, FIPR Treasurer said, "Personal data ought to be handled as if it were little pellets of plutonium -- kept in secure containers, handled as seldom as possible, and escorted whenever it has to travel. Should it get out into the environment it will be a danger for years to come. Putting it into one huge pile is really asking for trouble. The Government needs to completely rethink its approach and abandon its Transformational Government disaster."
2007-12-17 - Downing Street Says - Data Security
Summary: Asked if the new measures re data security related to Government or just to HMRC, the Prime Minister's Spokesman said that they related to Government; the O’Donnell review was about looking at all departments.
2007-12-14 - Kable - Police call off discs search
Summary: UK police are to stop searching for the missing child benefit CDs early next week
2007-12-13 - The Register - Brown quizzed on gov IT failures
Author: John Oates
Summary: Prime Minister Gordon Brown admitted this morning that the government has "a long way to go" to a coherent IT strategy. Asked by MP Edward Leigh about systemic failures at the HMRC, which led to the loss of two CDs containing the entire child benefit database, Brown said there was a difference between rules not being followed and failure of procedures and systems. He also said no one had lost any money.
2007-12-12 - Evening Standard - Children's data discs lost in hospital blunder
Author: Mark Prigg
Summary: The personal details of 160,000 children have been lost at a London hospital in a fresh blunder over confidential information. A computer disc containing the data was sent to St Leonard's Hospital in Hackney but failed to reach the right department - even though it was signed for by hospital staff. The disc contained their names, dates of birth and addresses.
2007-12-12 - BBC - Loan application forms go missing
Summary: 800 budgeting loan applications containing personal and confidential information about members of the public were lost by the Department for Work and Pensions. The forms contained applicants' names, addresses, dates of birth, National Insurance numbers and bank details.
2007-12-12 - The Register - Six in ten UK punters fear what gov will do with private data
Author: John Oates
Summary: Research sponsored by Symantec reveals that six out of ten UK citizens do not believe their data is safe with government departments.
2007-12-12 - Ministory of Justice Press Release - Consultation launched into the use and sharing of personal information
Summary: A consultation into how personal information is used and shared in the public and private sectors has been launched today by Richard Thomas and Dr Mark Walport. The consultation forms part of an independent review into the use and sharing of personal information announced by the Prime Minister on 25 October. It asks how and why information is shared and used; whether the Data Protection Act offers sufficient safeguards; what impact technological advances have had on the protection of personal information; and whether there are lessons the UK can learn from other countries.
2007-12-12 -Scotsman - Government under fire after three new data mix-ups
Author: Angus Howarth
Summary: Confidential personal details of dozens of prisoners, including their criminal records, have been delivered to a private company instead of going to Norfolk Police.
2007-12-11 - The Times - Northern Irish driver data discs lost in post
Author: Hannah Fletcher
Summary: Two computer discs containing personal details of more than 6,000 Northern Irish drivers have been lost, a leaked letter from the Northern Ireland Department of the Environment has confirmed. The discs, which contain the names and addresses of the motorists and the licence plate numbers of their 7,685 vehicles, went missing at a sorting centre in Coventry.
2007-12-11 - BBC - Thousands of driver details lost
Summary: The Driver and Vehicle Licensing Agency in Northern Ireland has lost the personal details of 6,000 people, on two discs after being sent to the agency's headquarters in Swansea. The information was not encrypted. Shadow Transport Secretary Theresa Villiers said "It looks like it has failed to learn anything from the HMRC catastrophe,"
2007-12-10 - The Register - Brown knew data loss was disaster waiting to happen
Author: John Oates
Summary: The loss of the child benefit was a disaster waiting to happen and the Prime Minister was warned about inadequate data protection procedures years ago. Internal auditors examined procedures in March 2004. "Fraudulent/malicious activity was not being detected... Live support staff had root access and could do anything without being detected with obvious risks." ... "no encryption between certain elements in the system".
2007-12-10 - Information World Review - Lost HMRC data sounds wake up call for security pros
Author: Clement James
Summary: At the CSO Interchange - a forum for chief security officers – held in London recently, 60 per cent of senior security professionals present professed to having only "some idea" as to where their customer data is stored and "limited controls" over it. ... Speaking at the event, cross bench peer, Lord Erroll, a member of the House of Lords Science and Technology Committee, described the recent HMRC data breach as a "godsend". "With luck the missing CDs have ended up in a landfill site but this fiasco will force the government to start taking security seriously and the powers of the Information Commissioner's Office will be strengthened," he said.
2007-12-10 - ZDNet - CIOs: Encryption only part of data-security solution
Author: Andy McCue
Summary: Policies, processes and a "corporate ethos" of care of data are more important in securing sensitive information than using encryption technology. Two-thirds of a 12-strong CIO Jury IT user panel, said technologies such as encryption need to be part of a more holistic approach to security, including training for staff and strict enforcement of policies.
2007-12-10 - Kable - PM failed to heed data warning
Summary: Gordon Brown was told three years ago that weak data protection procedures governing the child benefit database made fraud or mistakes more likely and potentially undetectable. Obvious holes in working practices, such as the ability of junior officials to download the whole database and the use of unencrypted discs, were also highlighted. Internal auditors examined procedures in March 2004. Their findings were written up by Treasury risk manager Richard Fennelly.
2007-12-11 - The Independent - Discgate: Treasury was told of dangers
Author: Andrew Grice
Summary: Gordon Brown has been accused of ignoring a warning by Whitehall computer experts that could have prevented personal data on 25 million people being lost.
2007-12-09 - Liberal Democrat Press Release - HMRC letter shows Brown to blame
Author: Vince Cable MP
Summary: Commenting on reports that HMRC was warned in a letter three years ago about both junior staff accessing databases and weak procedures which meant that mistakes and fraud were unlikely to be detected, Liberal Democrat Acting Leader and Shadow Chancellor Vince Cable said "How can people have confidence in Government databases holding personal information when Departments like the HMRC have taken such a cavalier attitude?" "These reports also show that the blame for lost discs lies with Gordon Brown, as he should have acted on the worries of his auditors while he was Chancellor."
2007-12-09 - This is London - Disc security warning years ago
Summary: The Government was warned three years before 25 million people's records were lost in the post. Internal auditors raised concerns that junior staff had access to the database and information was not being encrypted. They also told Whitehall bosses that weak procedures meant mistakes and fraud were unlikely to be detected. A letter circulated by Treasury risk manager Richard Fennelly in March 2004, "Fraudulent/malicious activity was not being detected...Live support staff had root access and could do anything without being detected with obvious risks." There were also worries that there was "no encryption between certain elements in the system".
2007-12-07 - The Guardian - In the age of leaky data, there is no such thing as a secure online computer
Author: Simon Jenkins
Summary: This week Britain's information commissioner, Richard Thomas, confessed that "a stream" of sheepish data custodians had formed outside his door "on a confessional basis" after last month's Revenue & Customs child-benefit data leak. They had all lost material that the public had entrusted to their care. They had taken it home, posted it somewhere, left it on a bus, dumped it in a bin or sent it to some government department. ... The groups most eagerly awaiting the government’s ID computer are criminals and terrorists. The home secretary, Jacqui Smith, will supply them with detailed, supposedly confidential identification, including digitised biometrics, of every British citizen and visitor passing through immigration.
2007-12-07 - BBC - Better data protection 'required'
Summary: A report by Demos warns that people are losing control of their private data and are not sufficiently aware of how many bodies hold their information. The report comes less than a month after HM Revenue and Customs lost discs containing 25 million people's details. ... "The government must urgently develop a more coherent strategy around the way personal information is held and used," the report says. It adds: "Government departments should have a responsibility to tell individuals how their information is used and how that affects them."
2007-12-06 - Accountancy Age - Apology for disc blunder costs the taxpayer £3m
Author: Richard Brooks
Summary: A grovelling letter of apology sent to as many as seven million families over the loss of child benefit data cost the government £3m. A HMRC spokesman admitted this week that the cost was actually £3m.
2007-12-06 - Forbes - UK's Brown at odds with HMRC chief over 'systemic failure' claim
Summary: Gordon Brown is at odds with the acting head of HMRC over claims that the loss of benefit claimant details was part of wider systemic failure within the department.
2007-12-06 - The Register - HMRC coughs to more data losses
Author: John Oates
Summary: David Hartnett told the House of Commons Treasury Select Committee that HMRC was aware of seven other data breaches since Revenue and Customs merged in 2005.
2007-12-06 - The Telegraph - HMRC boss admits to more data losses
Author: Andrew Porter
Summary: HMRC has admitted there have been seven other significant data losses in recent years. ... Yesterday, the Telegraph revealed that the names of up to 350 people who are on the witness protection scheme were on the two discs that were lost in October. Despite the Ministry of Justice claiming last night that they had been "assured" by HMRC that witnesses were not at risk, the Telegraph can reveal that both the Met Police and the Association of Chief Police Officers (Acpo) have been involved in the matter and are "concerned". And a furious behind the scenes row erupted over the HMRC's attempt to calm fears. Officials at the Ministry of Justice who are aware of the concerns had prepared a statement which said there were possible “risks” and were at loggerheads with their counterparts at HMRC.
2007-12-06 - Kable - HMRC offers lost discs reward
Summary: HM Revenue and Customs is offering a reward of £20,000 for information leading to the recovery of the lost child benefit data discs. The Metropolitan Police investigation has now been reduced - 47 detectives were involved in early searches, but this has fallen to 32.
2007-12-05 - Action on Rights for Children - Babes in the Wood
Author: Terri Dowty
Summary: The DWP recently wrote to all local authorities advising them to password-protect Housing Benefit data, regularly copied on to CD-Roms and sent by courier to Newcastle. What data are we talking about? It includes: Name, Address, NI Number, Date of birth, Ages of children, Employment and housing status, Any other benefits applied for/received, Details of income, Whether they have a partner, Whether they are currently in prison, Whether they have been referred to fraud investigators. The password that would allegedly guard this data was sent to every local authority in an unsecured, unencrypted email. It was the same password for each LA, and they were advised that they should use it on each occasion (pdf) that they submitted their Housing Benefit return.
2007-12-05 - The Guardian - HMRC admits seven security breaches
Summary: HM Revenue and Customs have suffered seven breaches of security of "some significance" involving the loss of personal data, the organisation's new acting chairman has disclosed. Giving evidence to the Commons Treasury sub-committee, Mr Hartnett acknowledged that the losses could represent a "systemic failure" by the organisation.
2007-12-04 - Pulse - A spine waiting to snap
Author: Phil Peverley
Summary: Despite the loss of the disks by HMRC the government is continuing with its plans to upload the medical records of the entire population to another national database. What’s it for? What’s the point? And just who, in their right mind, would consent to their private medical records being logged on to a system to which tens of thousands of incompetent New Labour work-experience buffoons theoretically could have access? Not one of the patients I have discussed it with, that’s for certain. My personal medical records will not be joining this ludicrous Keystone Cops experiment. Neither will those of any of my patients. It is simply not possible that our government can give us any sort of guarantee that some berk in Birmingham will not download the lot and send it to his DVD rental club by accident
2007-12-05 - BBC - £20,000 reward offered for discs
Summary: A reward of £20,000 is being offered for the return of two HM Revenue and Customs CDs. Meanwhile, the acting head of the HMRC said there had been seven incidents of "some significance" involving data security breaches since April 2005. These "may well" indicate systemic failure, David Hartnett added.
2007-12-05 - Liberal Democrat press release - More lost discs show appalling lack of attention to people's security
Author: Vince Cable MP
Summary: Commenting on news that there have been seven incidents of lost discs in the HMRC in the last two and a half years, Acting Liberal Democrat Leader and Shadow Chancellor Vince Cable said: "This shows an appalling lack of attention to people’s security, inexplicable failure to encrypt data and a chaotic method of dealing with transportation." "The Government is investigating the errors in the HMRC but it should be looking at how widespread such practices are across government departments including the Department for Work and Pensions and Department of Health."
2007-12-05 - The Guardian - Government offers reward in hunt for lost data
Author: James Sturcke
Summary: The government today offered a £20,000 reward for the safe return of two missing CDs containing personal details of half the British population. ... In a statement, the Met said its primary search had been concluded without recovering the discs, which hold the details of more than 25 million people.
2007-12-05 - Telegraph - Lost data discs 'endanger protected witnesses'
Author: Andrew Porter
Summary: Hundreds of people in police witness protection programmes have been put at risk by the loss of millions of child benefit records. The missing data discs are understood to contain both the real names and the new identities of up to 350 people who have had their identities changed after giving evidence against major criminals.
2007-12-05 - Computing - ICO warns of more breaches
Author: Tom Young
Summary: More cases of public information lost by central government departments have come to light since the HMRC fiasco, Information Commissioner Richard Thomas told the Commons Justice committee yesterday. ... Thomas also described the HMRC breach as "the worst the ICO has encountered" and said it called into question the security of the entire system of data sharing in government if information was not being encrypted.
2007-12-04 - BBC - More firms 'admit disc failings'
Summary: Several firms have admitted security failings in the wake of the loss of two discs containing 25 million people's details, MPs have been told. ... The Information Commissioner Richard Thomas told the justice committee that, since October, "quite a number of organisations, both public and private sector, have come to us saying that they think they have found a problem... almost on a confessional basis, bringing to our attention problems they have encountered with security in their own organisations." "I would question whether anybody should be allowed to download an entire database of this scale without going through the most rigorous pre-authorisation checks." "It was a really shocking example of loss of security."
2007-12-04 - The Register - Ex-HMRC boss gets shiny new civil service post
Author: John Oates
Summary: Paul Gray will work on special projects for the Cabinet Office after less than two weeks' gardening leave. Gray quit as chairman of Her Majesty's Revenue and Customs on 20 November - he took responsibility for the loss of two CDs containing the entire child benefit database.
2007-12-04 - OUT-LAW - Privacy chief given another chance to seek new powers
Summary: This afternoon Commissioner Richard Thomas will appear before the House of Commons Justice Committee to give evidence about data protection and his powers, which he is known to believe are too limited. ... In the aftermath of that crisis Thomas was given a small measure of the extra power he has been seeking, but he is known to believe that a tougher data protection regime is essential. "In the light of the admitted mishandling of private personal data by Her Majesty's Revenue & Customs, the Committee will hold a one-off evidence session with the Information Commissioner," said a statement from the Justice Select Committee.
2007-12-03 - The Telegraph - Poll shows more people now oppose ID cards
Author: Philip Johnston
Summary: More people now oppose Labour's proposed ID cards than support them, a poll for The Daily Telegraph has found. Just 43 per cent of those questioned said they favoured the introduction of a national identity scheme compared with 48 per cent who were against. It is the first time YouGov has found more against than in favour. ... Since then, there has been a gradual erosion in support for ID cards and the recent loss of the country's entire child benefit records on two CDs seems to have tipped the balance. ... Phil Booth, of the campaign group No2ID, said: "Clearly a majority no longer trust that the Government can secure their personal information.
2007-12-03 - Computerworld - Government computers keep going missing, ministers admit
Author: Tash Shifrin
Summary: The latest figures, revealed by justice minister David Hanson, show that a desktop computer and 26 laptops with a total replacement value of £50,000 were stolen from the department’s offices in 2007. Hanson said there had been "no reported security breaches". But HMRC has in fact lost dozens of other laptops. In answer to parliamentary questions, Treasury minister Jane Kennedy was forced to admit that 41 laptops had been stolen between October 2006 and September 2007, 16 of them during a break-in at one of HMRC's offices.
2007-12-03 - Computing - £50k-worth of computers lost by Department of Justice
Summary: Days after the HMRC missing disks scandal, the Ministry of Justice (MoJ) has revealed that a desktop computer and 26 laptops worth £50,000 have gone missing this year. Days after the HMRC missing disks scandal, the Ministry of Justice (MoJ) has revealed that a desktop computer and 26 laptops worth £50,000 have gone missing this year. ... Gauke said he is sceptical of minister of justice David Hanson's claim that despite the losses "from a variety of locations" across England and Wales "there have been no reported security breaches".
2007-12-03 - The Telegraph - Housing benefit details latest to be lost
Author: Chris Hastings and Jasper Copping
Summary: At least 45,000 names and personal details are known to have gone missing from one council, with the DWP admitting last night that more authorities have lost discs. ... In the first week of August, Kirklees Council, in West Yorks, sent two discs containing the details of 45,000 residents to the DWP via the delivery firm TNT, which was also involved in transporting the child benefit records. ... On September 2, the DWP contacted officials at Kirklees to say the information had not arrived but was reassured when the council produced a TNT receipt. On November 23, two days after the news that child benefit records had been lost was confirmed in the Commons, the council was told the discs were still missing. The DWP abruptly suspended data record exchanges. A source at Kirklees Council, said: "The frightening thing is that when it happens, other councils are simply told, 'don't worry, just send us another disc'."
2007-12-03 - The Times - Websites sell secret bank data and PINs
Author: Alexi Mostrous and Dominic Kennedy
Summary: The Times found: More than 100 websites trafficking British bank details A fraudster offering to sell 30,000 British credit card numbers for less than £1 each A British “e-passport” for sale, although the Government insists that they are unhackable. ... The News of the World disclosed yesterday that it had been handed two discs mislaid by the Department for Work and Pensions containing the national insurance numbers of 18,000 claimants. ... Mr Thomas will address the Commons Justice Committee tomorrow on the additional powers that he says are needed to prevent breaches of data protection. ... Detective Chief Inspector Charlie McMurdie, of the Metropolitan Police e-crime unit, said: "At the moment people report internet crimes to a local police station but no one locally has the resources to investigate properly."
2007-12-02 - MSN - Investors' details stay in the post
Summary: Confidential information on millions of investors is regularly being sent through the post to HM Revenue and Customs without proper security. Investment managers in the City are required to mail personal data on their clients to HMRC on unencrypted computer disks in spite of the recent outcry over the disappearance of two disks containing information on 25 million child benefit claimants. HMRC said encrypting the data would be a "recipe for chaos", as it would not be practical to decrypt information from thousands of different financial institutions using different coding programs.
2007-12-02 - The Guardian - Woman kept benefit discs 'for more than a year'
Author: David Smith
Summary: A woman had two computer discs with thousands of benefit claimants' details in her possession for more than a year after forgetting to return them, the Department for Work and Pensions admitted last night. ... The DWP discs contain names, addresses, dates of birth and National Insurance numbers. They were part of a project aimed at encouraging people to switch from a giro to a credit transfer system. It is believed there could be up to 9,000 names on each disc.
2007-12-02 - The Times - More financial data discs lost
Author: Jon Ungoed-Thomas
Summary: A new fraud alert was issued by the government this weekend as it confirmed that it had lost another computer disc containing the personal financial details of 40,000 housing benefit claimants. ... In a separate incident, it was disclosed this weekend that another disc containing the bank details, salaries, National Insurance numbers and home addresses of more than 6,500 public sector workers has also been lost.
2007-12-02 - BBC - Benefit data lapse 'disturbing'
Summary: The Conservatives have described reports of a new government data security lapse as "disturbing". An ex-contractor at the Department for Work and Pensions had two discs with thousands of benefit claimants' details for more than a year, it has emerged.
2007-12-01 - BBC - Fresh benefit data lapse admitted
Summary: An ex-contractor at the Department for Work and Pensions had two discs with thousands of benefit claimants' details for more than a year, the DWP says.
2007-12-01 - BBC - Police search tips in disc hunt
Summary: It is believed police fear the discs may have accidentally been thrown out as rubbish. Police have visited several tips around London to check what waste was delivered there. A spokesman for Scotland Yard said: "We can confirm that police have been making inquiries at a number of rubbish tips."

November

2007-11-30 - Computing - New data procedures at HMRC
Summary: Minimal data transfers, director-level authorisation and maximum encryption introduced. HM Revenue and Customs staff have been ordered not to transfer taxpayer data outside their offices unless it is " absolutely unavoidable". The emergency security procedures following the lost disks scandal affecting 25 million personal records were detailed by Treasury Financial Secretary Jane Kennedy.
2007-11-29 - Evening Standard - Data blunder stops with ministers, papers show
Author: Jason Beattie
Summary: Treasury ministers were ultimately responsible for the blunder that saw the personal data of 25 million people go missing, according to restricted papers obtained by the Evening Standard. The document — the manual of protective security — states ministers had sole charge for ensuring security at HM Revenue & Customs. The organisation was responsible for Britain’s biggest security breach when two discs containing the country’s entire child benefit records were lost in the internal post between HMRC and the National Audit Office in London on 18 October. They have yet to be traced. Chancellor Alistair Darling blamed the loss of the data on a junior civil servant and said security procedures had not been followed. But the manual — produced by the Cabinet Office — shows final responsibility rests with ministers. "Each department and agency is responsible, under its Minister, for maintaining its own appropriate levels of protective security," the document states. No ministers have followed the example of Paul Gray, the civil servant in charge of HMRC, who resigned once the blunder emerged. Conservative MP Ben Wallace said: "This government document clearly points the finger at ministerial responsibility having broken down."
2007-11-29 - ZDNet - Lost HMRC data 'worth £1.5bn to criminals'
Author: Andy McCue
Summary: Liberal Democrat acting leader Vince Cable ... "We are therefore considering a stock of criminal value of around £1.5bn, which makes the Brinks Mat robbery the equivalent of stealing the church collection. An enormous amount remains at stake." ... Alistair Darling said: "The police inform me that they still have no evidence or intelligence that this data has fallen into the wrong hands and no evidence of fraud or criminal activity." ... Cable said: "Encryption is simply not happening. What are the reasons for that? My understanding, from talking to some of the specialists involved, is that IT specialists, mostly freelancers, are needed to encrypt data. The big IT companies are not interested in using them and the civil servants who oversee them do not understand the problem, so encryption is not happening."
2007-11-29 - BBC - Data disc report 'in three weeks'
Summary: An interim report into how two discs containing the personal details of 25 million people went missing is expected in December, the chancellor has said. Alistair Darling also said some other missing discs would also be looked at as part of the Keiran Poynter inquiry. ... Lib Dem MP John Hemming asked why discs were still being sent from the HMRC offices "time to time and only encrypted when necessary" - which he said was the "worst possible way of doing this".
2007-11-29 - Spy Blog - HMRC data security scandal debate - still no mandatory use of encryption
Summary: In the opposition debate on the ongoing scandal at Her Majesty's Revenue and Customs (HMRC). Chancellor of the Exchequer Alistair Darling admitted that the missing CD discs have still not been found or accounted for. He seems to be obsessed with the review of the data security and privacy procedures at HMRC. ... The junior Financial Secretary to the Treasury, Jane Kennedy , who appeared so clueless on Newsnight opposite Professor Ross Anderson, did give some more details about the current changes to procedure at HMRC prior to the results of the review. ... This policy change still says nothing about mandatory encryption of all sensitive data on say, laptop computers or USB memory devices or via email, or extending such encryption policy to third parties like the KPMG sub-contract auditors to the National Audit Office. ... Why, exactly, on a letter of apology, was it necessary to print anyone's National Insurance Number (NINO) and Child Benefit Number? ... George Osborne also reminded us that the previous review into the cockups and criminal fraud at HMRC regarding tax credits, i.e. the Cosby Review, is still being kept secret.
2007-11-29 - The Guardian - Darling promises report into data fiasco next month
Author: Haroon Siddique
Summary: An interim report into how CDs containing the personal information of 25 million people were lost will be ready next month, Alistair Darling said today. ... "We will have his interim report in about three weeks' time... I intend to report to the house," Darling told MPs. ... The chancellor said the full report into the loss of data would be ready by next spring. "We do need to have a thorough look at how information is transferred, ask ourselves if it needs to leave a building in the first place, and if it does need to, what is the necessary security encryption or other security measure appropriate,"
2007-11-29 - New Statesman - It could happen again
Author: Becky Hogge
Summary: Biometrics are definitely not the answer to the HMRC debacle. For technologists, the most chilling development since HMRC's data debacle has been ministers' attempts to use it as an excuse to push for the roll-out of biometrics as a means to "secure" identity. The logic, one imagines, is that spoofing someone's fingerprints is much harder than typing a stolen National Insurance number into a computer. But the facts tell a different story. As biometric experts wrote to the Commons joint committee on human rights on 26 November, the government holds "a fairy-tale view of the capabilities of [biometric] technology". ... So how do you design a system that is safe from insider breach? Well, if you want to aggregate data about the population centrally, then the short answer is, "You don't." As Professor Ross Anderson, the UK's leading computer security expert, explained on BBC2's Newsnight: "If you take 50 million medical records and make them available to 300,000 people there's no way you can create procedures that will protect that. It's too valuable an asset to which too many people have access."
2007-11-28 - House of Commons debate - Opposition Day — (2nd Allotted Day) HM Revenue and Customs
Summary: Second day of debate in the House Of Commons on Diskgate. ... Jane Kennedy MP "All bulk transfers of sensitive data using CDs are being encrypted and password protected where necessary." ""HMRC has removed the facility for staff to use CDs and other removable media, and only in exceptional circumstances and on approval at director level are staff given access, HMRC is also investigating the electronic transmission of data. It is consulting with the British Bankers Association and currently undertaking further talks to agree standards for and methods of deploying electronic transfers."
2007-11-28 - BBC - Discs 'worth £1.5bn' to criminals
Summary: Two missing computer discs containing the personal details of 25 million people could be worth up to £1.5bn to criminals, say the Lib Dems. Acting leader Vincent Cable told MPs an "enormous amount" was still at stake, after discs containing the entire child benefit database got lost in transit. ... Mr Darling said that security changes had been made at HMRC so that "bulk data transfers" would now only be made when "absolutely necessary" and with written authorisation by senior managers. He added that "clear instruction" would have to be given regarding the protection of such a transfer.
2007-11-28 - The Register - UK database of children delayed
Author: John Oates
Summary: The UK's proposed child database has been delayed after "feedback from stakeholders" and not obviously in response to the government's loss of the UK's child benefit database on two CDs. ContactPoint will contain details on every child in the UK including name, address, gender and a unique identifying number. The database will contain information on every organisation involved with the child.
2007-11-28 - The Register - Tories: Europeans could get access to UK ID database
Author: Lewis Page
Summary: News emerged yesterday of a mysterious international ID card plan, described by the Tories as "a European-wide identity card project called Project Stork". The Conservatives suggested in Parliament that Stork was a huge Europe-wide extension to the planned UK National ID card with its associated databases and biometrics. "How," asked the shadow Home Sec David Davis, did the government intend to "prevent a repetition of the disaster of the past few weeks when sensitive personal data are held not by one Government but by 27?" ... The Home Office, asked about this, said that proposals had indeed been submitted but they didn't expect any EC decision before next April. Even then, they were at pains to emphasise that "this is purely a research effort". When it was pointed out that the Belgians were calling Stork a "large-scale pilot", the Home Office spokesman said "well, we're calling it a research project."
2007-11-28 - The Times - Taxman's apology causes more ID fears
Author: Andy McCue
Summary: The Government was accused of a fresh security blunder yesterday after Britain’s top taxman sent millions of parents an apology letter containing sensitive personal data. Anti-fraud experts and police urged people to destroy the letters, which contain each claimants’ name, address, national insurance and child benefit numbers. Criminals use such information to open bank accounts, claim benefits and apply for passports. Nigel Evans MP, chairman of the All-Party Parliamentary Group on Identity Fraud, said that the taxman’s latest error would come like an early Christmas present to conmen.
2007-11-28 - Kable - HMRC breach prompts ContactPoint delay
Summary: The government is postponing the launch of the children's database ContactPoint to allow time for a security review and introduce changes to the system. The move to delay implementation by five months follows the loss of 25m child benefit records from HM Revenue & Customs, which has raised alarm bells about the safety of personal data in other government databases. But an announcement of new funding for implementation shows the government is not about to scrap the programme. The government says that ContactPoint is aimed at helping professionals who work with children provide more coordinated support to young people. It will list details of every child in England, including their name, address, gender, date of birth, plus basic identifying information about parents and carers. It will not, however, contain any financial details or case sensitive information, such as case notes, medical records or subjective observations.
2007-11-28 - ZDNet - ID cards: Data-protection minister calls for review
Author: Andy McCue
Summary: Plans for a national ID database must be reviewed following the data blunder by Her Majesty's Revenue & Customs, according to the government's own data-protection minister. Speaking at a joint House of Commons and House of Lords select committee on human rights, the data-protection minister Michael Wills admitted he was not informed about the data breach at Her Majesty's Revenue & Customs (HMRC) before Alistair Darling's public statement last week. Wills said it was "perfectly acceptable" he had not been told in advance about the lost CDs containing 25 million child benefit records, according to The Guardian. But Wills admitted the breach now raises questions about the security of the government's National Identity Register and biometric ID cards. Wills said: "I think we are obviously going to have to look at the National Identity Register again in the light of this."
2007-11-27 - The Guardian - Data protection won't help once all the data is gone
Author: Christina Zaba
Summary: Last week's loss of confidential child benefit records has been a wake-up call to 25 million people about the reality of the government's handling of our personal information. But few realise the extent of what lies ahead. The Identity Cards Act, which slipped, barely noted, on to the statute books in 2006, is the jewel in the crown of a wholesale and well-advanced government commitment to "share" data about each of us between departments on an unprecedented scale. Already some 265 government departments are data-sharing. Electronic identity management in the UK is deeply entrenched in government policy, and yet no one can guarantee that such a data-sharing system can be secure. All we can do is hand over our information, cross our fingers, and hope that it won't happen to us. ... The Home Office isn't hearing the clamour of concerned voices in the international internet security community, who are saying one thing clearly: this is very dangerous. Putting all our private details into identifiable electronic databases that will be linked, transferable online, and visible to hundreds of thousands of government agency staff is dangerous.
2007-11-27 - The Register - Biometrics won't fix data loss problems
Author: John Oates
Summary: Six leading academics have written to a Parliamentary committee to express their dismay at the way biometrics has been used as a magic wand which would have supposedly stopped Darling's great data giveaway. The six said of claims by the Prime Minister and his Chancellor: "These assertions are based on a fairy-tale view of the capabilities of the technology and in addition, only deal with one aspect of the problems that this type of data breach causes."
2007-11-27 - Daily Mail - Lost disc fiasco could scupper ID card scheme
Author: James Slack
Summary: Leading academics have rounded on the Government's "fairytale view" of the technology needed to make the scheme work on its introduction in 2009. In a letter to MPs, Professor Ross Anderson and Dr Richard Clayton warned lives would be ruined if information from the ID database went missing. The Cambridge computer experts said that if iris or fingerprint scans fell into the wrong hands the victim would suffer a lifetime of fraud. Unlike with bank accounts, the individual would have no way of changing their details. Ministers claim the biometric data will protect against fraud, crime and terrorism.
2007-11-27 - Liberal Democrat press release - Review should ask whether child database is fit for purpose
Author: Annette Brooke MP
Summary: The Liberal Democrats have called for a security review of the ContactPoint database, announced today, to be expanded to investigate whether the entire project is ‘fit for purpose’. On Monday, the Liberal Democrats called for a review of the security of the controversial online database that will hold personal details of every child in the UK. Commenting, Liberal Democrat Children, Schools and Families Spokesperson, Annette Brooke MP said "It is a shame that it has taken the disastrous loss of HMRC data to convince ministers to reconsider this vast database." "The announced review of security should be expanded to ask whether ContactPoint will actually help to coordinate children services better rather than creating another expensive bureaucratic mess." "The ease with which local government employees can access personal details of any child in the country is only one reason why this database simply isn’t fit for purpose."
2007-11-27 - Telegraph - Coming next... an even bigger database
Author: Rachel Sylvester
Summary: The Northern Rock crisis, Disc-gate, the defence funding issue and now the party donor row are all landing firmly in the Prime Minister's lap. It is not just Blairites and Tories who are turning on the Labour leader, some of his most loyal supporters in the Commons have started to ask, four months into his premiership, "Is this it?" ... It is not just ID cards that will be jeopardised by the loss of 25 million people's bank details. What has not so far been noticed is that Mr Brown's entire strategy for improving the public services is based on the Government getting more power over personal data. ... The parents whose information has been lost may not be happy to hear that their medical history, benefits statements, education details, criminal record, tax information and driving licence facts could all potentially be accessed through a central computer.
2007-11-26 - Spy Blog - Biometrics - Labour Government are still clueless about the technology
Summary: Several eminent academics who do actually know about information security, cryptography, software engineering etc .... These Labour Ministers still keep clinging on to their self deluded, irrational belief, that somehow "biometrics" are a technological magic fix to their problems. Why do they not take the opportunity of the HMRC data security and privacy disaster reviews. to save political face, and to admit that, after due consideration, the centralised compulsory biometric database National Identity Register is too risky,
2007-11-26 - Blogzilla - Biometrics are not a panacea for data loss
Author: Ian Brown
Summary: Copy of the letter sent to Parliament's Joint Committee on Human Rights. The government, in response to the recent HMRC Child Benefit data breach, has asserted that personal information on the proposed National Identity Register (NIR) will be 'biometrically secured'. These assertions are based on a fairy-tale view of the capabilities of the technology, and in addition, only deal with one aspect of the problems that this type of data breach causes. ...
2007-11-26 - The Register - Civil service apologises for HMRC data loss
Author: John Oates
Summary: Everyone whose information was included on the two CDs of child benefit recipients which the government lost should have received a written apology this morning. The letter - from Dave Hartnett, acting chairman of Her Majesty's Revenue and Customs - apologises for the loss and claims: "The copy of the data is still likely to be on Government property. The police are now conducting a search, there is no evidence that it is in the possession of anyone else."
2007-11-26 - Spy Blog - How many Reviews will it take to sort out the HMRC and other UK Government data privacy and security scandals?
Summary: The data security and privacy disaster involving the lost CDs containing the entire Child Benefit Award database by Her Majesty's Revenue and Customs and the National Audit Office, seems to have spawned several Reviews and Inquiries, at least two of which are due to report in mid December 2007. ... We will therefore be extremely surprised if any actual direct criticism or blame emerges from these soon to be censored, "must be seen to be doing something" Reviews. ... Will our personal data really be any safer from abuse by criminals , terrorists, spies or officious bureaucrats, after these Reviews have been completed? Will the Data Protection Act actually be strengthened with proper criminal penalties which apply to Government departments as well to the private sector? Will there be a Californian style Data Privacy Breach Notification law?
2007-11-26 - ZDNet - Review begins into HMRC data loss
Summary: The Poynter Review on the loss of benefits data by Her Majesty's Revenue & Customs is under way, with a report to the chancellor of the exchequer due in December
2007-11-26 - The Ideal Goverment Project - ISO27001, protective marking, and lessons from HMRC
Author: Chris Smith
Summary: It is clear that pushing responsibility for data protection downwards to front-line level has not worked effectively. It is also clear that guidelines are needed at a systems level so that front-line staff are not put in a position where these mistakes are likely to happen. Even the best working procedures are useless unless staff are aware of them and they "buy-in" to the value they bring to their organisation. Unless both occur then they just will not be followed. Security awareness training for staff is fundamental in any robust IA policy. ... These issues are at the heart of any good Information Security Management System (ISMS) e.g. ISO27001 (previously BS7799). An ISMS does not provide the solutions – it ensures you think about risk to inform the solutions you do adopt.
2007-11-26 - OUT-LAW - HMRC debacle puts data protection officers in the spotlight
Author: Dr Chris Pounder
Summary: Discussion is no longer confined to aficionados at group get-togethers; for a few exciting days data protection and security has been headline news and the topic on everyone's lips. And so it should be. Our privacy is important and organisations which process our personal data have to show them respect. The fallout from this event will continue for some time: more powers for the Information Commissioner, more penalties for transgressors, more bad press for HMRC (and possibly HMG and other public bodies) and, hopefully, higher status for those who toil at the data protection coal-face.
2007-11-26 - The Ideal Goverment Project - HMRC loss: some fair comment from the Scots, but the penny still hasn’t dropped
Author: William Heath
Summary: Here’s how the First Minister of Scotland Alex Salmond wrote to the UK Chancellor Alistair Darling in the wake of the lost HMRC disks ... i think the penny still hasn't dropped. Too many public servants have access to personal data. This is a systemic problem, rooted in culture and built into technology architecture and procedures. I just don’t get this “everyone connected to the GSI is a good guy and everyone outside is scary” stuff. Don’t they read the endless reports that spell out again and again and again that the main threats come from insiders, whether corrupt or incompetent?
2007-11-26 - The Times - Judges’ details ‘posted on unencrypted discs’
Author: Rajeev Syal and Ben Quinn
Summary: An investigation into how personal information about the judiciary came to be sent by post began last night as further details emerged about lost discs containing taxpayers’ details. The Times has been told that at least ten discs holding personal information about millions of people — not two discs as originally suggested — have yet to be accounted for after they had been sent from Revenue and Customs’ offices. ... Frank Milford, whose company was hired in 2006 by the Department of Constitutional Affairs to overhaul its administration, said he had asked for a list of its suppliers. He received a package from a firm called Liberata, which handled the department’s finances, containing two discs listing personal details of every person, business or company paid by the department over the past five years. He told The Sun newspaper that the discs were neither encrypted nor password-protected. ... there are actually ten missing discs, including the two sent from offices in Washington, Tyne and Wear, to the National Audit Office in London and six lost in transit from tax offices in Preston
2007-11-26 - BBC - Data minister 'not told of discs'
Summary: Data protection minister Michael Wills has said he was not told that two discs containing 25 million people's data had been lost before an official statement. ... He also denied knowing anything about other data breaches reported in the newspapers - but said he had yet to ascertain all the facts. ... Michael Wills added: "We are going to obviously have to look at the national identity register in the light of all this. We are going to have to learn the lessons. Everything will have to be scrutinised and then we will assess it again."
2007-11-26 - Liberal Democrat press release - New multi-million pound database puts children at further risk
Author: Annette Brooke MP
Summary: The Liberal Democrats have called for a review of the security of a new database containing the details of every child in the country. Information about every child’s name, address, their parents or guardians, as well as contact details for each government service they use, will be on the ContactPoint database, available online, by next year. The security of the database has come under fresh scrutiny following the loss of details of child benefit recipients by HMRC. Commenting, Liberal Democrat Children, Families and Young People Spokesperson, Annette Brooke MP said "The Government has proven itself not to be trusted with large databases containing personal details." "The failure of security procedures by HMRC has left millions of parents extremely worried and raises questions about the safety of other records stored by the Government." "Ministers must urgently review the security of the ContactPoint database as its highly sensitive information could be extremely dangerous in the wrong hands." "The Government has said that extra unspecified safeguards will be put in place for children of celebrities but why shouldn’t everyone enjoy this privilege?" "There could be more than financial costs if the addresses of vulnerable children from a family separated because of domestic violence, for example, are not kept secure."
2007-11-25 - Telegraph - We have all the details we need
Author: Jenny McCartney
Summary: We now know, of course, that the bungling went right to the top, and a series of meetings by senior Whitehall officials authorised the dispatch of data in highly insecure form. But when the scandal first broke - and before anyone had time to dig - the Chancellor thought it appropriate to hold Junior Civil Servant X, slogging away on his reputed £12,500 per annum, publicly and solely accountable for the mother of all cock-ups that has left half of Britain vulnerable to identity theft. It was Junior Civil Servant X, after all, who reportedly downloaded the data of 25 million people onto two unencrypted discs and dispatched it by internal mail to the National Audit Office. Witless, yes: but such data had been sent that way before. For the Government to blame a low-level employee for this fiasco is a bit like allowing a teenage work experience girl access to the nuclear button, and then bleating that she had "clearly not followed strict rules" when she reached for her skinny latte and accidentally wiped out Tajikistan.
2007-11-25 - The Guardian - A mass movement is needed to tackle the state's snoopers
Author: Henry Porter
Summary: These people will not be deterred by the calamity of last week. They are shameless. In a month or two they will bounce back. The ID card scheme will be relaunched and Jacqui Smith will continue with her plans to demand 53 pieces of information from people before they travel abroad. The Children's Index, the Children's Assessment Framework, the National Health database, the ever-expanding police DNA database will all continue to scoop up information. Why? Because the control of the masses is coded in the deepest part of Labour's being.
2007-11-25 - The Register - Running queries on the HMRC database fiasco
Author: Mark Whitehorn
Summary: I was told not to use precious words outlining my feelings of rage and bafflement that a government body can be so cavalier with so much data because, presumably, we all feel the same. ... (I actually designed and teach on the database course at Dundee University) So, unless there are some very odd circumstances to which we are not privy, I find it impossible to believe that removing the bank and other details would have involved significant cost. .. Assuming 25 million CSV records, I would estimate half a day's work to subset by column. If I was familiar with the data structure and had done the job before, maybe an hour. Any competent DBA/DBA could do it in the same time. Now DBAs are expensive, but not £10,000 per day. I'd do it for £500. ... Assuming 25 million CSV records, I would estimate half a day's work to subset by column. If I was familiar with the data structure and had done the job before, maybe an hour. Any competent DBA/DBA could do it in the same time. Now DBAs are expensive, but not £10,000 per day. I'd do it for £500.
2007-11-24 - Privacy International - Privacy International to pursue data breach legal action against UK government
Summary: More than 300 members of the public have contacted Privacy International since the revelation this week that Her Majesty’s Revenue & Customs unlawfully processed, and subsequently lost, personal details relating to around 25 million individuals. Most of these complainants have requested that PI undertakes, on their behalf, legal action against the government. Accordingly, this organisation has over the past four days consulted a range of legal experts. The overall conclusion is that there is most likely a case that can be asserted. However, we must concede that not all lawyers are presently optimistic about a positive outcome. Nevertheless, given the unprecedented severity of this case we feel it is important to take some form of action on behalf of the many distressed and vulnerable families that have contacted us. It is even more important to assert the rights of the individual in the face of such circumstances. We have therefore decided to pursue legal action against the government directly on behalf of the complainants and of course indirectly on behalf of all those people affected by the unlawful disclosure from HMRC. Our current intention is to pursue a claim for a general (not statute-based) breach of a duty of care on the basis of negligence. We have been made aware that there are cases in which public authorities have been found to be very seriously at fault and where the courts seemed concerned not to impose liability where the claimant was one of a large and indeterminate class of people who might be affected by the careless conduct. The position would be different if the public authority actually created the danger itself or knew or ought to have known about the risk of harm resulting. It appears that courts are more willing to find “proximity” if a smaller group of persons is at risk than the public in general. Three key issues remain to be resolved in the next few days. 1) We need to decide whether a specific "class" of individuals should be selected from amongst the complainants (for example, those who are in a particularly vulnerable situation). This will possibly help the issue of "proximity". 2) We need to determine which individual or what department will be the target of the action (a named individual within the government or a section of HMRC), and, 3) We need to agree which law firm will handle the case. We are currently in discussions with potential companies. Simon Davies, Privacy International’s Director, said: "In seventeen years as a watchdog we have never received so many complaints over a single privacy issue. People are angry and distressed. They are deeply anxious over the potential threat to their children." "Governments have hidden behind legal protection over negligence claims for many years. Now it is time to finally resolve the question of liability and duty of care so the citizen can enjoy a remedy against such blatant disregard for personal security." "We believe there is a case to be heard and it is a case that can be won. However we realise we're going to face an uphill struggle winning that case, but we would be abandoning our responsibilities if we failed to take action."
2007-11-24 - The Guardian - Now for ID cards - and the biometric blues
Author: Ben Goldacre
Summary: The leak last week wasn't because of unauthorised access, it couldn't have been stopped with biometrics; it happened because of authorised access which was managed with a contemptible, cavalier incompetence. The damaging repercussions for 25 million people will not be ameliorated by biometrics.
2007-11-23 - The Times - Senior civil servants ‘authorised disc transfer’
Author: Ben Gurr
Summary: The decision to blame a junior official for the loss of 25 million child benefit records was unravelling after e-mails showed senior managers were consulted on how the data should be sent. ... Angela Knight, chief executive of the British Bankers’ Association, the industry body, denied this. "We do not recognise the Chancellor’s statement," said Ms Knight. "It is not a correct description of the situation. The banks were extremely quick to act."
2007-11-23 - Cabinet Office - Review of Data Handling procedures in Government
Summary: The terms of Reference of the Review of Data Handling procedures in Government
2007-11-23 - HM Treasury - Terms of reference for the Poynter Review
Summary: The Treasury has published terms of reference for the Poynter Review, which will investigate security processes and procedures for data handling in Her Majesty’s Revenue & Customs.
2007-11-23 - BBC - Do you know what they know about you?
Author: Mark Ward
Summary: Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing. The scandal of the 25 million missing records has highlighted the vulnerability of data. ... Ms Gallagher at Demos "You are not going to get people complying with data protection on the basis of good will," she said. "Data is just too valuable."
2007-11-23 - Kim Cameron's Identity Blog - Childrens' birthdates, addresses and names revealed
Author: Kim Cameron
Summary: Last year Terri Dowty co-authored a report for the British Information Commissioner which highlighted the risks to children’s safety of the government's policy of creating large, centralised databases containing sensitive information about children. But he says the government chose to dismiss the concerns of the report’s authors. Dowty’s experience is a clear instance of my thesis that reduction of identity leakage is still not considered to be a "must-have" rather than a "nice-to-have".
2007-11-23 - Finacial Times - Crisis of identity
Summary: The government has claimed that the cards would combat identity fraud. But the opportunity handed to fraudsters with the loss of the Revenue discs demolishes that argument. Few will trust Whitehall to manage such sensitive data again. There are grave problems with introducing even a well-managed ID card system. Instead, we are being asked to accept one that will drain taxpayers’ money and yet leave no-one sleeping better at night. Mr Brown has displayed relish in tearing up some of his predecessor’s pet schemes. He should now add ID cards to the scrapheap.
2007-11-23 - Silicon - Can biometrics secure the public's data?
Author: Paul Bentham
Summary: With the furore over 25 million missing child benefit records, the public sector's use of personal data has never been under greater scrutiny. Biometrics may be hailed as the ultimate security measure - but the technology is not without hazards. ... If an individual's biometric information is compromised or stolen, that individual could no longer use those biometrics to prove his or her identity. Therefore, unless stringent security measures are put in place, the digital storage of biometric data could present a real security risk for facilitating identity theft. The use of biometric systems must comply with the European Convention on Human Rights and the Data Protection Directive. The relevant legislation in the UK is the Human Rights Act and the Data Protection Act (DPA). Under the Human Rights Act each of us is entitled to respect in our private life, including our life at the workplace. Under the DPA personal data is required to be processed fairly and for specific limited purposes. Two key principles come into play. First, the principle of proportionality, which means the interference with the private life of the individual must be justifiable by the benefits. Second, the principle of transparency - which means it must be clear how and why information is being used and it must not be used beyond this without prior agreement.
2007-11-23 - ars technica - UK government loses financial data on 25 million citizens
Author: Jonathan M. Gitlin
Summary: This past week has seen a crisis brew in the UK following the news that a government department managed to lose a copy of a database containing highly personal information on 25 million citizens. ... The time line of this cock-up is as follows: Last month, a junior civil servant at HMRC copied the Child Benefit database onto a pair of CDs and sent them through internal mail to another government department, the NAO. Five days later, the NAO informed HMRC that they had not received the data, and another copy was created and sent, this time via registered post. Earlier this month, senior civil servants at HMRC, the government minister responsible, Alistair Darling, and Prime Minister Gordon Brown were finally notified about the data loss, and an investigation was conducted to try and find the missing discs. Two weeks later, Alistair Darling announced the loss in Parliament, and Paul Gray, chairman of HMRC, resigned. HMRC has written to the seven million families involved in an attempt to reassure them that the database is "likely to still be on government property," although since no one really knows, who knows how comforting this news might be?
2007-11-23 - BBC - Treasury denies discs 'cover-up'
Summary: The Treasury said there was nothing in e-mails released on Thursday to contradict the chancellor's account. The e-mails suggest a senior manager was involved - something not mentioned in Mr Darling's statement to MPs. ... The e-mails showed the NAO had only asked the HMRC to send limited details from its database - stripping out information such as bank account numbers. A covering letter confirmed a senior HMRC manager was copied in to another e-mail rejecting the request to remove the data as this would involve additional costs.
2007-11-23 - Money Week - Discgate: what does it mean for Brown?
Summary: The Government will have a hard time pushing its half-baked ID card scheme on the British public now
2007-11-23 - The Times (Leters) - Security needs more data, not less
Author: David Blunkett MP
Summary: Sir, A great deal of heat has been generated by what is undoubtedly an astonishing breach, not only of basic security, but of common sense in relation to the “loss” of the revenue discs. Three significant issues arise from this and it is important to separate them and deal with them head-on.
Note: There are several responses to this letter for example Is Blunkett dishonest or incompetent?
2007-11-23 - The Guardian - Revenue email rejected call to filter out data
Author: Will Woodward
Summary: The official who lost discs containing the personal details of millions of child benefit claimants ignored a plea from the government's spending watchdog to ensure the safe passage of the information, emails released last night show. ... A Treasury spokesman said the emails were "entirely consistent" with assurances from Darling that the decision to send the discs containing personal details of 25 million people was made by a junior staff member at the benefit office in Washington, Tyne and Wear. However, the Tories said the correspondence suggested several officials, some at senior level, had been notified about what was going on. They said the emails also backed the charge that Revenue & Customs was sending all the information on its database - including bank account, names and address details - because it would be too costly and inconvenient to strip out the details the NAO did not want.
2007-11-22 - Kim Camerons's Identity Weblog - Britain’s HMRC Identity Chernobyl
Summary: Meanwhile, in parliament, Prime Minister Gordon Brown explained that security measures had been breached when the information was downloaded and sent by courier to the National Audit Office, although there had been no "systemic failure". This is really the crux of the matter. Because, from a technology point of view, the failure was systemic. We are living in an age where systems dealing with our identity must be designed from the bottom up not to leak information in spite of being breached. Perhaps I should say, “redesigned from the bottom up”, because today’s systems rarely meet the bar. ... There is no need to store all of society’s dynamite in one place, and no need to run the risk of the collosal explosion that an error in procedure might produce.
2007-11-22 - Spy Blog - National Audit Office reveals some emails about the HMRC data security and privacy scandal - but the NAO is not totally blameless
Summary: The National Audit Office (NAO), is strenuously trying to distance itself from the Her Majesty's Revenue and Customs (HMRC) Child Benefit Awards database data privacy and security breach disaster, involving the loss of copies of 25 million people's sensitive personal data records. ... The NAO appear to have admitted to returning to HMRC the CDROM discs obtained in March, containing a copy of the unencrypted, full Child Benefit Awards database, including the sensitive personal data which they had, commendably, asked not to be included in the data extract. Once they had extracted their 1500 or so records for audit, why did the NAO not securely destroy these CDROMS, instead of risking them again in transit, unencrypted, by sending them back somehow to HMRC, who had no possible use for them anyway? Why did they not raise a Security incident when they received so much unencrypted personal data the first time in March?
2007-11-22 - The Ideal Government Project - What should we recommend to avoid more HMRC-style data losses in future
Author: William Heath
Summary: Let’s work out and feed into Blindside a constructive response from external "critical friends" about the HMRC data loss. This is an extremely sensitive matter. Blindside is trying to be helpful to a part of government in a way that involves a delicate ecosystem of listening and exchange. We want to keep that dialogue open. So we’ll have the conversation over here at IdealGov.
2007-11-22 - The Times - Police step in as staff reveal other CDs have gone astray
Author: Rajeev Syal, Francis Elliott and Andrew Norfolk
Summary:At least two more CDs that could leave thousands of people open to identity fraud have been reported missing by staff at HM Revenue & Customs this week ... The loss of these files are in addition to a series of recent blunders by HMRC, including the announcement this month that a CD-Rom that contained information on 15,000 Standard Life customers had been lost. ... The police investigation may be expanded as detectives search for at least four missing CDs. ... Shawn Williams, of Rose, Williams and Partners, a legal firm in Wolverhampton that deals with tax fraud cases, said his firm frequently received discs that contained personal data from the HMRC with the password included. 'Sometimes there is no security at all, sometimes there are instructions telling you how to access the data, sometimes the password is just written on a compliments slip and included with the disc'.
2007-11-22 - The Guardian - Data fiasco forces ministers into ID cards review
Author: Patrick Wintour and Will Woodward
Summary: Ministers are to look at scaling back plans for identity cards in response to the catastrophic loss of the personal information of 25 million people, including their bank records and addresses. The information commissioner, Richard Thomas, urged ministers yesterday to review the amount of data they intend to amass on the national identity register, and Labour backbenchers previously supportive of ID cards backed his view. Gordon Brown will come under further pressure from the think tank Demos, which will shortly publish a report on privacy. It is expected to urge the government to reopen the debate on ID cards before pressing ahead.
2007-11-22 - The Telegraph - Ministers 'ignored data security warnings'
Author: Gordon Rayner, Christopher Hope and Andrew Porter
Summary: Gordon Brown has been dragged into the centre of the lost personal data crisis after it emerged that ministers ignored a series of warnings that security procedures in Government departments urgently needed to be reviewed. ... HMRC has had 2,111 data protection breaches in the past year, according to the Tories. Customs refused to disclose details of what these were. A government review of security in 2003 identified "serious risks" of information going astray and recommended data should be encrypted. The chairman of HMRC who resigned over the fiasco is still on full salary and will receive a full pension package. The junior official who posted the missing CDs has been suspended pending disciplinary action. ... An almost identical breach of security involving CDs happened in September 2005, when the names, addresses, dates of birth and bank details of UBS customers were lost in the post after being posted by HMRC. At the time, HMRC admitted that it was "not sure it is the best way to receive information" but that it was "urgently reviewing procedures to make sure this type of incident does not happen again". Yet similar breaches have happened several times since. ... The Daily Telegraph has also seen a Treasury memo from an e-government working group meeting dated December 9, 2003, in which the department was told that a review of security by the NAO had found "serious risks" of messages being intercepted and a "risk of hacking".
2007-11-22 - The Telegraph - Who would trust Labour on ID card security?
Summary: The catalogue of security lapses at HMRC is hair-raising. In the past year, there have been 2,111 reported breaches of security, including the theft of 41 laptops. As long ago as September 2005, an unencrypted CD with sensitive financial information was lost in the post; in May this year, 42,000 tax credit and bank details were posted to the wrong people; earlier this month, a CD with the personal details of 15,000 people went missing. In the light of such serial incompetence (and these are just the ones we know about), Whitehall appears incapable of securing computerised information.
2007-11-22 - Spiked - After 'Discgate': what now for liberty?
Summary: After ‘Discgate’, what next for ID cards? According to the Tories, the New Labour government’s loss of two compact discs containing the personal and banking details of 25million Brits has driven ‘the nail in the coffin’ of the ID cards scheme. After all, if we can’t trust the government with our addresses and banking details, why should we trust it with all of our personal information, and a scan of our irises to boot? Newspaper commentators argue that if one good thing comes from Discgate, it will be the scrapping of the ID cards scheme as the British population finally realises that we cannot ‘blithely trust in the benign power of the state’
2007-11-22 - The Guardian - Revenue refused to omit personal data
Author: Haroon Siddique, Peter Walker
Summary: A Revenues & Customs official told the National Audit Office it would not filter the data of 25 million people to omit personal details because it was too costly, it was revealed today. The NAO released email correspondence between the two organisation.
2007-11-22 - The Guardian - Tell the whole truth about data loss, Tories tell Brown
Summary: The Tories have demanded that Gordon Brown reveal the "whole truth" about the loss of the personal information of 25 million people after it emerged that senior Revenue & Customs officials authorised sending the sensitive data to the National Audit Office. ... Sir John Bourn, the outgoing comptroller and auditor general, told a secret session of the public accounts committee yesterday that a senior business manager at Revenue & Customs had authorised the information to be released in its full form.
2007-11-22 - ZDNet - Watchdog: Protecting data is not 'rocket science'
Author: Tom Espiner
Summary: In the wake of the largest-ever data breach to hit the UK, the Information Commissioner's Office has criticised the apparent lack of technological safeguards in government departments and called for "privacy-enhancing technologies" to be built into future projects. "This is the biggest privacy disaster by our government," said assistant information commissioner Jonathan Bamford. "How you can have a system which allows you to copy a whole database onto a disk is of concern," "Clearly there are issues about when the data was accessed and by whom. They should have had access controls and authorisation levels to make it physically impossible to burn a disc of the database without the say-so of the chairman of HMRC. Why isn't the technology there to do that? It isn't rocket science."
2007-11-22 -The Times - Watchdog's claims over lost data sparks row
Author: Sam Coates
Summary: The Government has questioned the account of Sir John Bourn, the head of the National Audit Office, who claimed that senior managers at HM Revenue and Customs were involved in a practice that led to the personal details of 25 million people being lost in the post. Sir John has alleged that senior managers at the Revenue not only knew of, but approved the policy of sending whole unedited databases of sensitive personal details through the post. HMRC senior staff had even justified the practice to him by saying that it was "too expensive" to edit out the sensitive details from the database, leaving only the basic details that his officials had asked to see, Sir John is believed to have told the Chancellor.
2007-11-21 - LSE - LSE Identity Project Summary Briefing about Security Concerns relating to the National Identity Register
Summary: Following yesterday’s announcement in Parliament that personal data about 25 million individuals has gone missing1, a number of commentators have highlighted the similarities between the records held by HMRC about recipients of child benefit and the proposals to hold details about all UK citizens on the National Identity Register as part of the Identity Cards Scheme. The purpose of this LSE Identity Project briefing is to review the ongoing concerns with the security of the NIR.
2007-11-21 - The Guardian - Lost in the post - 25 million at risk after data discs go missing
Author: Patrick Wintour
Summary: The government was forced to admit the most fundamental breach of faith between the state and citizen yesterday ... Last night the information commissioner, Richard Thomas, conducting a broad inquiry on government data privacy, told the Guardian he was demanding more powers to enter government offices without warning for spot-checks. He said he wanted new criminal penalties for reckless disregard of procedures. He also disclosed that only last week he had sought assurances from the Home Office on limiting information to be stored on ID cards. "This could not be more serious and has to be a serious wake-up call to the whole of government. We have been warning about these dangers for more than a year." ... "I simply do not know why so much information was disclosed or why it was transmitted by post twice."
2007-11-21 - Steve Webb MP's Blog - Data going missing
Author: Steve Webb MP
Summary: Yesterday's fiasco over the missing Child Benefit data raises an awful lot of questions. One of the most obvious in my mind is if one junior official had the authority to download the entire Child Benefit data and send it in the post, how many other people had access to that data? More worryingly, if this is true in HMRC with Child Benefit, what is going to happen when all our medical histories are on a single NHS computer that can be accessed by tens of thousands of people up and down the country? Of if a national ID database is set up which gradually acquires more and more personal data of every single person in the country? Don't get me wrong - I'm a great fan of technology! But surely where government is going to be run on the basis of huge databases of this sort, the security processes involved must be absolutely watertight, and given how difficult that is, we should be wary of any unnecessary accumulation of all our personal data in one place. As for sending the data in the internal post on a couple of unencrypted CDs......
2007-11-21 - The Times - New data law 'urgently needed'
Author: Rhys Blakely
Summary: Security experts called for an urgent review of the law following the loss of the personal information of 25 million Britons by HM Revenue & Customs. Most damning, they said, was the apparent revelation that the data lost was not encrypted but merely password protected. "A criminal could break into these files in a matter of minutes," Simon Davies, a senior visiting fellow at the London School of Economics who specialises in data security, said. One senior executive at a high street bank called the breach a "fiasco". He said: "You would never see a bank send data in the slapdash way HMRC did. To say we are disappointed is an understatement".
2007-11-21 - The Guardian - The sheer gormlessness of Discgate threatens Labour's claim to power
Author: Jonathan Freedland
Summary: The chancellor himself said it was a "huge, massive, unforgivable" mistake that had led the personal details of 25 million people, every child benefit recipient in the land, to have got lost in the post. The name and date of birth of every British child, along with their parents' national insurance numbers and bank details, had been placed on two unencrypted CDs which a junior employee of HM Revenue & Customs had simply popped in a TNT courier's envelope. ... Osborne illustrated the political potency of the competence question when he declared that Discgate should mark the death blow to the government's identity card scheme. After all, ministers had shown "they simply cannot be trusted with people's personal information". There would have been plenty of nods to that, and not only on the opposition benches.
2007-11-21 - Kable - Studies stress data trust challenge
Summary: In the aftermath of HMRC's 'Datagate' loss of child benefit information, two reports have highlighted public fears about information security. A major paper funded by the EC argues that governments must build and maintain trust between the citizen and the state by achieving a balance between security and identity concerns. A second comparative study of adults in Britain, conducted by research consultancy YouGov and software company CA, also reveals that an increasing number of people are placing the responsibility for identity theft in the hands of the organisations which require their personal information.
2007-11-21 - BBC - Brown orders data security checks
Summary: Gordon Brown has ordered security checks on all government departments to ensure data is properly protected after the loss of 25m child benefit records. Under the plans, the Information Commissioner will be given powers to carry out spot checks - a move previously rejected by ministers. ... Mr Leigh said the reason given for turning down the NAO request was that desensitising information would require an extra payment to data services provider EDS.
2007-11-21 - BBC - Brown apologises for records loss
Summary: Prime Minister Gordon Brown has said he "profoundly regrets" the loss of 25 million child benefit records. He apologised in the Commons for the "inconvenience and worries" caused and said the government was working to prevent the data being used for fraud. But Conservative leader David Cameron said the government had "failed in its first duty to protect the public". The Revenue and Customs data on the two missing discs includes names, dates of birth, bank and address details.
2007-11-21 - Computer Weekly - HMRC's missing Child Benefit CDs - what went wrong and lessons for NPfIT and ID cards
Author: Tony Collins
Summary: Why was HMRC sending sensitive data through the post? To avoid security controls on online transfers. ... Seven months before the CDs went missing, HM Revenue and Customs had already established a practice of transferring onto CD, for despatch by post, insecure, though password-protected, files on millions of child benefit claimants. ... That was when the insecure practice began of HMRC sending unencrypted files to the NAO. No alarm bells were raised over the practice in March 2007. In October this year, when the NAO wanted to do an audit of HMRC’s 2007/8 Resource Accounts, it again asked the department for its child benefit data.
2007-11-21 - The Times - Second-class and lost in the post
Author: Alice Miles
Summary: All those lectures from government and authorities about keeping our personal data safe; every statement ever made about the security of the proposed NHS database of everybody's personal medical records; each claim that the Children's Database containing all their personal details will somehow make our kids safer; and of course each and every promise about the safety of the national identity register — exposed as quite, quite worthless. Because as soon as you put it on a computer, a bloke in an office can download it and stick it in an envelope and send your most personal details and mine and our children's across the country with a dodgy courier. ... it betrays a total and arrogant carelessness about the privacy of the individual.
2007-11-21 - The Guardian - Brown apologises for data blunder
Author: Deborah Summers and Allegra Stratton
Summary: The government has apologised to the country for the loss of two CDs containing the personal information of 25 million people. Gordon Brown, the prime minister, today faced down loud barracking and made an official apology for the loss of the discs. The CDs are still missing. His apology followed a round of morning interviews by the chancellor, Alistair Darling, in which he admitted his confidence had been shaken. ... Brown announced a wide-ranging review of the procedures for ensuring such information remains safe and that he had asked Sir Gus O'Donnell, the cabinet secretary, and security experts to work with the government departments to check those procedures. Brown also said the information commissioner, Richard Thomas, would be given the power to spot-check government departments.
2007-11-21 - The Times - ID fraud alert leaves Darling looking vulnerable
Author: Peter Riddell
Summary: Alistair Darling will survive as Chancellor but he and the Brown Government have been seriously damaged. ... The test then is preventing any repeat of the loss of data, and there have been several previous instances, while ensuring rapid recompense if there is fraud. That requires the banks and the Treasury to be more customer-friendly than they have often been.
2007-11-21 - Computing - HMRC breach warning to all departments, says watchdog
Author: Tom Young
Summary: The HM Revenue & Customs (HMRC) data loss fiasco is a warning to all government departments, according to Information Commissioner Richard Thomas. ... "We are already investigating two other breaches at HMRC – the alarm bells must now ring in every organisation about the risks of not protecting people’s personal information properly," said Thomas.
2007-11-20 - Conservative Press Release - "Systemic failures" behind benefit records debacle
Summary: David Cameron has blamed "systemic failures" in the HM Revenue and Customs Department for the loss of 25 million child benefit records. He highlighted a string of failures going back over a number of years, and held Gordon Brown, who was in charge of HMRC for 10 years as Chancellor, responsible. "The Prime Minister tries to control everything, but can't run anything." David stressed that the Labour Government had "failed in its first duty to protect the public," and said that this "appalling blunder" meant the Prime Minister had to rethink his identity card scheme. "People will find it truly bizarre, they will find it weird that the Prime Minister does not want to stop and think about the dangers of a national identity register."
2007-11-21 - Liberal Democrat Press Release - Now Treasury unfit for purpose
Author: Vince Cable MP
Summary: Following the statement by the Chancellor on the loss of CDs containing detailed information of all child benefit recipients, Acting Liberal Democrat Leader and Shadow Chancellor, Vince Cable MP said:"The Treasury and its agencies have replaced the Home Office as the department in government which is most 'unfit for purpose'." "It was the Prime Minister who created the dysfunctional organisation and systems which the Chancellor inherited." "After a similar breach in September, the HMRC announced that they reviewed their arrangements and introduced safeguards to prevent this happening. Why should people have any more confidence in these most recent assurances?" "Why does HMRC still use CDs for data transmission in this day and age? The ancient museum pieces it is currently using for computing must be replaced." "After this disaster how can the public possibly have confidence in the vast centralised databases needed for the compulsory ID card scheme." "Where does the buck stop after this catalogue of disasters?"
2007-11-21 - The Times - Enough information to steal hundreds of millions of pounds
Author: Adam Fresco
Summary: The personal information of 25 million people stored on the missing computer discs is enough for criminals to steal goods and money worth hundreds of millions of pounds, experts said yesterday. ... With social engineering – where criminals ring up a bank’s staff and pretend not to remember their password – they can also hack into the accounts of the people whose details have gone missing. .... Mr Hill, who is the former head of Gwent CID and was commander of the western area of the National Crime Squad "To simply send this information through the post is grossly incompetent. There are 25 million people whose details have been lost – imagine if criminals get this information and only take £10 from each person." ... Neil Munro, external affairs director of Equifax, the credit reference agency, said: "This is probably the biggest incident of its kind we’ve ever come across – it’s a security breach on a stellar scale. If names, addresses and dates of birth fall into wrong hands then that is a problem – but this includes bank account details as well, and that is even more dangerous."
2007-11-21 - The Times - Government under pressure over taxman's giant blunder
Author: Nico Hines, Sean O'Neill and Rhys Blakely
Summary: The Prime Minister today issued a deep apology to the public for the data protection fiasco that has seen the bank and employment details of 25 million people - including his own - lost in the post. ... he announced that, the Information Commissioner - who acts as watchdog for the way personal information is handled – would be given extra powers to carry out “spot checks” of Government departments. ... The Information Commissioner’s Office has gone even further today, however, demanding new powers to prosecute organisations that lose personal details and the ability to raid the premises of organisations suspected to have broken data laws. Mr Thomas has been one of the most vocal critics of the latest error, labelling it a "shocking case" and suggesting that the law has been broken. "I am at a loss to find out what happened in this situation. It is not just about the law. It is about retaining the trust and confidence of the population where so much information is entrusted to government," he said.
2007-11-21 - The Times - 25 million exposed to risk of ID fraud
Author: Philip Webster, Sean O’Neill and Rhys Blakely
Summary: The sensitive personal details of 25 million Britons could have fallen into the hands of identity fraudsters after a government agency lost the entire child benefit database in the post. A major police investigation is being conducted after Alistair Darling, the Chancellor, admitted yesterday that names, addresses, birth dates, national insurance numbers and bank account details of every child benefit claimant in the country had gone missing. The Chancellor and the Prime Minister have known about the loss since November 10 but there were concerns last night that the police were not told for a further five days and the banking industry was not alerted until last Friday. ... Bankers reacted angrily to a suggestion by Mr Darling that he had delayed his announcement because the financial sector was "adamant" it needed time to prepare. A senior City source said: "By 9.30 on Monday we were ready to run. It is hard to fathom why any suggestion was made that any delay was down to us."
2007-11-21 - The Times - Tories provide a scream soundtrack to Darling’s mother of all grovels
Author: Ann Treneman
Summary: Everyone knew something bad must have happened before the Chancellor made his statement, though no one knew how bad it was. But gradually, as members of the Cabinet filed in, we realised it must be very serious. It’s normal for one or two Cabinet ministers to be there for moral support but never more than four or five. Yesterday, however, nine members of the Cabinet were there.
2007-11-21 - ZDNet - Government 'bang to rights' over HMRC fiasco
Author: Tom Espiner
Summary: The Information Commissioner's Office has said that, on the facts known, the UK government is "bang to rights" over the loss of 25 million personal records. ... "This is the biggest privacy disaster by our government," said Jonathan Bamford, assistant information commissioner. "There is no doubt that [chancellor of the exchequer] Alistair Darling and others will have to deal with the fact there are legally enforceable [privacy] standards. In Britain we have the phrase 'bang to rights'. Someone is bang to rights over that breach. Clearly on the facts available there appears to be a major contravention of data-protection laws."
2007-11-20 - House of Commons debate - HM Revenue and Customs
Summary: Debate in the House Of Commons on Discgate.
2007-11-20 - BBC - Pressure on Darling over records
Summary: Alistair Darling has apologised for the "extremely serious failure", which has exposed all Child Benefit recipients to the threat of identity fraud. ... He blamed a junior official at HM Revenue and Customs' offices in Washington, Tyne and Wear, who he said had broken rules by downloading the data to a disc, then sending it - unrecorded - by courier to the National Audit Office in London for auditing.
2007-11-20 - Action on Rights for Children - Children's Rights Organisation "stunned" by HMRC data loss
Author: Terri Dowty
Summary: Action on Rights for Children is stunned to learn that HMRC has lost computer disks containing the details of the UK’s 15 million children. Terri Dowty, Director of ARCH said: "This appalling security lapse has placed children in the UK in immediate danger especially those who are already vulnerable. Child Benefit records contain every child’s address and date of birth. We are not surprised that the Chair of HMRC’s Board has resigned immediately." Last year Terri Dowty co-authored a report for the Information Commissioner which highlighted the risks to children’s safety of the government’s policy of creating large, centralised databases containing sensitive information about children. The government chose to dismiss the concerns of the reports authors. "The government has recently passed regulations allowing them to build databases containing details of every child in England. They have also announced an intention to create a second national database containing the in-depth personal profiles of children using services. They have batted all constructive criticism away, and repeatedly stressed that children’s data is safe in their hands." "The events of today demonstrate that this is simply not the case, and all of our concerns for children’s safety are fully justified."
2007-11-20 - Channel 4 News - Data security risks
Author: Cathy Newman
Summary: Link to video of channel 4 news. 6 mins 42 seconds. Peter Sommer Visiting Research Fellow and established expert on computer security advising stock exchanges and insurance companies on systems risk. "Any first year student could have stopped this. Its not a technology problem. Its the culture." "Spot checks are needed."
2007-11-20 - BBC - UK's families put on fraud alert
Summary: Mr Darling said banks were adamant that they wanted as much time to prepare for his announcement as possible. He added: "If someone is the innocent victim of fraud as a result of this incident, people can be assured they have protection under the Banking Code so they will not suffer any financial loss as a result."
2007-11-20 - ZDNet - Trust in government tech lost on two CDs
Summary: It's hard to believe that a body charged with the personal details of 25 million people could allow that entire database to be downloaded to discs, and lost. Harder still to believe is the government's fumbling explanation of such a mind-numbingly huge loss of data. ... Alistair Darling's comment that people are not at risk from ID fraud is at best naive and at worst negligent. ... One thing we do know: this fiasco makes the claim of the Home Office that it is a safe pair of hands for the national ID cards scheme look as empty as an HMRC CD pouch.
2007-11-20 - Conservative Press Release - 25m child benefit records lost
Summary: Reacting to the news that 25 million benefit records have been lost, George Osborne said the security and safety of "every family in the land" had been compromised. Reacting to the news that 25 million child benefit records have been lost, George Osborne said the security and safety of "every family in the land" had been compromised. The Shadow Chancellor questioned how the Government had allowed this to happen "Let us be clear about the scale of this catastrophic mistake - the names, the addresses and the dates of birth of every child in the country are sitting on two computers discs that are lost in the post. The bank account details and national insurance numbers of 10 million parents, guardians and carers have gone missing." George described the crisis as the "final blow" to the ID card scheme, as it showed the Government "simply cannot be trusted with people's information." "And he told Chancellor Darling to "get a grip and deliver a basic level of competence."
2007-11-20 - ZDNet - ID cards under fire after HMRC debacle
Author: Tom Espiner
Summary: The shadow chancellor, George Osborne, attacked the government on Tuesday following its disclosure of the loss of the details of 25 million child-benefit claimants, and called into question its competence to safeguard data collected for the controversial national ID cards scheme. ... Chancellor Alistair Darling denied that this would put paid to the ID cards scheme, however, insisting that, had the compromised data been linked to biometrics, it would have been more secure. "The key thing with ID cards is that information is protected by personal biometric information," said Darling. "The problem is we do not have that protection [on the lost HMRC information]. ID cards match up biometric information with information held — there would be a biometric lock with the ID cards system."
2007-11-20 - The Guardian - Personal details of every child in UK lost by Revenue & Customs
Author: Deborah Summers
Summary: The personal details of virtually every child in the UK has been lost by HM Revenue and Customs, the chancellor, Alistair Darling, admitted today. ... Earlier this month, BBC Radio 4's Money Box programme reported that a CD containing the personal details of thousands of Standard Life pension holders had gone missing.
2007-11-20 - ZDNet - Government loses 25m confidential records
Author: Tom Espiner
Summary: In a speech to parliament on Tuesday, the chancellor of the exchequer, Alistair Darling, said that two discs containing the details of everybody in the UK who claims and receives child benefits had been lost. ... The discs were lost during a National Audit Office (NAO) investigation in October. A junior official in HMRC sent the unencrypted discs to the NAO, but HMRC were not informed that the discs had not arrived to be audited until 8 November. Darling himself was informed of the loss on 10 November — three weeks after the discs had failed to arrive at the NAO. ... When Darling was informed on 10 November, he ordered searches for the data. When nothing had been found by 14 November, Darling asked the Metropolitan Police to become involved.
2007-11-20 - Computer World UK - HMRC data loss was theft, claims ex-con Frank Abagnale
Author: Siobhan Chapman
Summary: HMRC's loss of 25 million records is evidence that the government can not be trusted with biometric information, and the UK national ID scheme is untenable, according to FBI fraud expert and world renowned ex-con artist Frank Abagnale. ... "It was not just a mistake. I truly believe that someone paid for information to be stolen. It's what happens all the time, that someone acted in collusion with somebody else to steal this data," said Abagnale, author of Catch me if you can and a fraud expert who has worked extensively for the FBI over the past 32 years. "The government would not ship gold bullion via an unsecured courier or method and in today's environment, one needs to understand that sensitive personal data is worth just as much as gold bullion."