Thousands of customers of UK insurer Standard Life have been left at risk of fraud after their personal details were lost by HM Revenue & Customs (HMRC). Data on 15,000 pension policy holders, sent on a CD from HMRC offices in Newcastle to Standard Life's Edinburgh headquarters by courier, never arrived. The lost disc contained …
I can't be alone in wondering why anyone would copy such files onto CD and then use physical mail to deliver them. If the volumes aren't sufficient to justify the development of a dedicated electronic transfer mechanism, what's wrong with encryption using reputable software such as PGP followed by e-mail (15,000 records surely can't occupy more than a few MB when compressed)?
Can we have a 'repeatedly bangs head against wall' icon, please?
Name the Courier..
I thought the idea of courier services was that they were quick and efficient... obviously this courier isn't that good.
You have to seriously wonder how they lost a CD - or was it "lost" by a courier who decided to make a nice bit of money on the side.
I've got some funds with Standard Life... I wonder if it's possible to sue them (or the courier service) for incompetence
Identity theft mis-information
"The Industry" has done a fine job of nicely avoiding any blame for identity theft.
If you can apply for a loan using a few things like name, address, birthday and NI number then whose fault is that?
1. The naughty criminal for doing what naughty criminals do
2. The person who lost the data (bad person)
3. The provider of the loan for having no real clue who you are?
I think we know 1. will always happen, 2. will take the blame and 3. who pretends to be battling identity theft by refunding credit cards and runs adverts with people rummaging through bins to "steal your identity".
If we put up with lax procedures for validating who we are, then we will end up with the responsibility.
Sort it out
Have these guys never heard of encryption????
No one learns...
These are the same sort of gov organisation jokers that will be running the ID scheme, should that turkey ever fly.
What a prospect :(
At least they're not bankrupted...
...unlike Edward Fowler, who was declared bankrupt when HMRC pulled the plug on his employment agency for owing £37k VAT - which he'd already paid! Four years later, he's still not had a penny in compensation, despite HMRC admitting they screwed up. That's the problem with HMRC - as with the Arctic Systems case, they seem incapable of admitting they've got it wrong.
"HM Revenue has declined to confirm whether the data on the disks was encrypted or not."
That'll mean that it wasn't encrypted then. Muppets.
Maybe they should stop using ParcelForce?
They have a reputation for losing parcels as do CityLink...
A CD... by post??
A CD? ~700 Meg?
Why not just securely deliver it online? <sigh>
Of course, if it were encrypted they would say so, but they also said they refused to answer because of security reasons... my second thought was that they meant the CD is in a mainframe/EBCDIC/Tape/nonISO format which looks unformatted to Windows and encrypted in a storage dump but is perfectly readable if you're keen enough to figure out which.
Security is a process which starts with a single step of getting caught with your pants down.
Who the hell transfers <700Mb of sensitive data on CD?
These incompetent muppets need to be learned a lesson... quick.
Any number of data transfer methods would have been more secure than a bloody courier. The person responsible for coming up with this genius idea should be fired on the spot.
Even my brother, the artist, would refuse to send me a copy of his latest work in the post. He is not a computer expert but he at least wants to have his work behind lock and key online where only he and I can get access to it.
To be honest though, it doesn't surprise me one bit. The people they employ in 'IT' these days are terrifyingly dumb. I worked at a place where software devs were recruited from the call centre?!?!? Putting my long time at university to shame. I need not have bothered learning about software engineering when people who can write some PHP suddenly become software architects.
"Nothing to hide"
Just repeat after me: we have nothing to fear from these organisations holding information about us if we have "nothing to hide".
I seem to remember...
that a trio of fellows did solve this problem... Rivest, Shamir, Adleman, I believe their work is quite famous.
If the data was encrypted properly, they wouldn't have any need to tell their customers.
@ the "why a CD argument"
It doesn't make sense to say "Why were they sending it on a CD, when they could have sent it as pgp-encrypted emails"; if they had been using pgp, it wouldn't have mattered if they lost the CD in the first place.
The problem is that it wasn't encrypted, not the format or medium in which it was being transferred while not encrypted; for your comparison to be reasonable, you should have said "Why were they sending it on a CD when they could have sent it as plaintext emails".
No surprise there
The amount of clients we have who send us CDs is staggering. They refuse to send via SFTP because they deem it more secure to send an unencrypted CSV file on a CD via the Royal Mail. Incidentally, all of these clients are major financial corporations and the data enclosed could be used for massive frauds.
I recommend 7-zip (.7z format) to my clients for quick & easy encryption of mailing lists, accounting records etc in just this type of situation. It's free/open source software, has very few options (choose a file, click add, type a password, click OK) and is straightforward enough for admin staff to use without getting in the way. The default AES-256 encryption is government/military grade by the way. I've got to wonder what the responsible HMRC data controller is doing for a day job...
Big companies don't do Internet
Large traditional, non-IT companies still think the Internet is a new thing and don't really understand it, hence they stick to copying data onto physical media.
Take the Royal Mail for example. Until recently they insisted on sending out their address data products by CD or tape(!) to customers. They've made some of their products downloadable via their slow website which requires multiple mouse clicks and user interaction. Whether they'd ever put it onto an accessible (S)FTP server so customers can quickly grab their data is another story. One essential part of their product however is unavailable online, they post all 5mb of it (1.2mb zipped up) on CD each month!
It's not unusual...
I work in the Financial Services/Insurance sector.
A lot of Providers can't handle emails over 5Mb. If you're lucky, you'll get asked to send the data as a password protected .zip...
Some send out CDs that are password protected along with a cover note of "the password is your FSA number". Erm.. If you have the envelope with the company name and address on it, the FSA number isn't hard to find.
The whole thing needs shaking up.
Why a CD (bis)
Of course, it's true that if they'd encrypted the files on the CD there wouldn't have been a problem. The trouble is that folks tend to believe (wrongly) that physical mail is inherently secure and trustworthy - someone using email is much more likely to think of using encryption (even though, unless it's sent to/from someone in a cyber-caff, an email is very unlikely to be intercepted).
My original question of 'why a CD' was equally focused on the admin overhead of burning a CD (why would a security-conscious organization even allow the general use of CD burners?), putting it into an envelope, printing a label and bunging it in the 'post'. Contrast with the electronic 'one click and you're done' approach.
Verb.sap.: if you're responsible for corporate email security, and you decide to block encrypted attachments because they can't be virus-checked, it's *your* responsibility to provide an alternative, secure delivery method.
Still no 'head-banger' icon ...
@ Paul Crawford
You beat me to it! My sentiments exactly.
And it's the same central gov.uk mob that's in charge of the NHS spine, costing 20 billion. Do not use the NHS next time you get the clap. Wifey is bound to receive the leaked report sooner or later.
Why in hell was this information not encrypted? The company should be slapped hard for not doing so, and the government should be slapped even harder for not requiring it. Of course, neither will happen.
I can see why it wouldn't be securely uploaded rather than couriered. There are still many companies out there who think dialup is a perfectly good means of communicating with the outside world. It takes 5 minutes to burn and post a CD. It takes a lot longer for these people to upload 700Mb of data, even assuming that they're uploading it to the correct location in the first place. After all, aren't these the type of people who fax confidential information to unsuspecting scrap yards or something? Who knows what they could do with a mis-typed URL.
...Roy L. Mail who were 'couriering' it (aka, Postman Pat).
Nice job guys
This is the same government which is telling us (at the sharp end of a huge fine) to hand over all of our most personal data and to trust them to look after it?
Is there an icon for hiding under the bedsheets?
I'm with the herd on this one
Quote: "The lost disc contained names, national insurance numbers, dates of birth, addresses, and pension data. Information such as this would easily lend itself to abuse by crooks if it fell into the wrong hands."
A masterly understatement, John.
Like my fellow commentards, my first reaction was to wonder why the fuck are they sending it on a CD; and why by courier? Equally herd-like, my second reaction was that if they refused to confirm whether the data was encrypted, it almost certainly wasn't.
Stories like this convince me I'm right not to do my tax return online; and that I am right to deliver the paper version by hand to the local tax office. It is not IT per se that I distrust - it's the incompetent morons who administer government and public service IT systems who keep me awake at night.
PGP? Pah - you've never worked for HMRC have you?
It was predicted that companies such as Standard Life and Norwich Union could potentially send pretty large amounts of tax information to HMRC, 20,000 people in a group pension scheme multiplied by 20k of data per user, burns into quite a large percentage of a CD.
The delivery mechanism (government gateway) has a strict limit on how big a message can be delivered in one go, anything else gets an HTTP 400 error (I think). In this situation, the pension company would need to negotiate a suitable delivery mechanism to get tax information in and out of HMRC. There was a running joke in the dept that there would be a chapter in the manual entitled "Emergency Procedures" that detailed this situation. Alas the HMRC aren't exactly the military, and it never got written. - Either that or there was no funding to solve such problems that may never arise.
I suspect that a middle manager in HMRC decided to use the most efficient and secure delivery mechanism they knew of - burning a CD and putting it in the post.
stop blaming the IT department
Everyone here seems to be assuming that this was a (stupid) decision made by HMRC IT. The dull reality is more likely to be that some admin monkey was asked by another admin monkey at Standard Life to send them these records (perhaps suggesting a CD, perhaps not). Admin monkey then dutifully burns a CD and, feeling rather chuffed for achieving this dizzy height of IT competency, proceeds to mail it off to Standard Life.
I'm not saying that HMRC IT are without fault in this scenario for not locking down the CD drive, but let's not assume here that it is necessarily down to a lack of IT knowledge in the IT department.
I seem to remember reading ages ago that you have to pay VAT on services such as accountancy data provided over the internet, so maybe they are penny pinching?
A quick search found http://www.accountancyage.com/financial-director/features/2159231/directive-clarifies-digital-vat but I thought there was an article on this site about it months ago.
I'm an Information Security Professional and a victim
I'm an Information Security Professional and a victim of this, our government (rightly) expect companies to secure people's personal information (DPA), yet here is a government department who has yet again breached our trust.
There are several secure alternatives that the HMRC could have used to transfer this type of data to Standard Life, pretty much all of them are actually cheaper and more efficient than putting non-encrypted data on a CD and shipping by a courier.
Why has it taken so long to disclose? They knew about the lost CD for over a month before telling the folks that were affected.
Finally when I called them on Monday for more info about it, I was completely misled, and was told the data on the CD was encrypted, when it wasn't, which I had confirmed today.
This is just complete incompetence on HMRC's part, and it's not like it's the first time they've done this sort of thing, if it was a company rather than government I would certainly expect to see a big fine.
Read my Blog blog.itsecurityexpert.co.uk for more details.
Never send unencrypted CDs
The problem businesses have is that no one offers "native" CD encryption. Of course this isn't an excuse BUT I have just completed the world's largest single domain encryption program with one of the UK's largest banks and along the line we put in place a system of sending encrypted memory sticks to HMRC. Initially they were hesitant to accept this BUT we got there in the end.
There is no excuse for Standard Life, quite simply unencrypted CDs should NEVER have been used in the first place.
The other thing is that direct connect, a system that allows you to send info to the other end securely, costs an absolute bomb. However what is the value of that lost CD? Most organisations won't look at the cost of a CD being lost and in all honesty the cost of that lost CD is probably a lot higher than the costs of direct connect?
Naturally, as I'm the world's leading integrator of security encryption, I remain available for all massively overpriced contracts :)