Alistair Darling told the House of Commons this afternoon that a police investigation has been launched into how Her Majesty's Revenue and Customs has lost child benefit records relating to 25 million people. Records for 25 million people, relating to child benefit payments for 7.25 million families, were sent using the HMRC's …
Had the NAO..
got the data, what would they be doing with it? Sending it off to Synectics Solutions?
and to follow up
Let's be completely complacent about this
From the Guardian reportage
Details of 25 million individuals and 7.2 million families are on the discs, including national insurance details, dates of birth and bank details.
He says that the information on its own does not provide enough information to access bank accounts as it does not contain passwords and so on.
Mmm - notice he didn't publish his own NI Number, DoB and Bank Account number to show how secure it is to leave these lying around
"Banks have been informed and are monitoring relevant accounts"
All 25m of them?
And these clowns want to run a National Database..?
are the clowns who want us to trust them with a national ID database. Fsckwits!
How many parents???
"Records for 25 million people, relating to child benefit payments for 7.25 million children, ..."
That's 3.44 parents per child. How does that work? I know from filling out the benefit forms for my son that it only goes to one person.
At least the discs were password protected. It doesn't mention how strongly encrypted though.
And these muthers want an ID database containing all sorts of info on everyone in the UK.
I would piss myself laughing if this wasn't so serious.
So let's get this straight, I've just watched the Chancellor stand up in Parliament and state that it's all OK, they don't think a bad man [sic] has my details.
I've just heard how some cretin in HMRC stuck a couple of CDs in the post (that's the post, not a courier) and he only found out they didn't show up when he called someone at NAO.
Does he think - there might be a risk here - no, he sticks another couple of CDs in the post, but this time sticks his hand in his pocket and gets registered post.
But, hey ID cards can still go ahead because apparently they will prove who you are via biometrics. Bugger the fact that if someone gets your details, sticks their own bio ID on the card and boom bash bish - when plod pull him over for speeding he's now you.
Think of it working like chip and pin - your card validates your pin, not any calling back to the bank.
All in all, I wouldn't trust this lot to run a raffle, they would end up paying £2 million in some weird contract to CrapGemini and end up with three people all winning 2nd prize
watchdog last nite
After seeing that last night I don't think we can have much confidence in any government department to keep our records safe!!! ... shame we can't opt out and find someone else to look after our records.
Good To See The Electronic Era Has Hit HMRC
So they burn the stuff to CD / DVD and mail it...
VPN? Electronic transfer?
Why weren't these details strongly encrypted?
Does anyone know if HMG and its employees are subject to the Data Protection Act - other than being able to drag it out whenever it suits them as a shield?
Because if they are, I'd say they are in very deep water here. IF the Act actually has any meaning...
25 million parents for 7.25 million children? That's more than three parents per child, so unless there's something they didn't tell me...
About time the eyebrowed one resigned. And his puppet-master boss too...
Next year's headlines
And we can already predict next year's headlines.
ID fraud is becoming an epidemic in the UK and the government are going to launch a massive public education campaign to stop the public leaving their details where fraudsters can get to them as it is ofc the public leaving these details and not the government losing them that causes this rise. And ofc being this government they are going to introduce an id fraud tax so that you pay tax if you get defrauded or commit fraud.
If you haven't registered your support yet, now is the time. Strike whilst the iron is hot and all that.
Wherever this current load of lost details ends up, it will be as nothing compared with the inevitable breaches of security which will befall the national identity register.
Popped it in the Post
Their own courier service lost it. Scary enough. Somehow they don't have any internal tracking system (thinks: chap with a clipboard ticking parcels off), and the best, most secure system to use when theirs failed was registered post?!?
Why they can't transfer electronically is beyond belief. The news stories said that they were confident that the original discs sent had not fallen into the wrong hands. Since they don't know whose hands now hold them, how do they know?
As has been said above: and these are the people who want to run a national ID card system. Given this, we'll either all be in prison or totally, totally safe, except from those selling dodgy stocks and goldmines and Latvian girlfriends.
So is this really a problem for every organisation or just the complete incompetent tosspots at HMRC? How is it that this Government can throw OUR money at the Civil Service year after year in ever larger amounts, yet the people employed seem to get less competent as their numbers go up? The bureaucracy of this country needs a sodding enema, with the hosepipe inserted via Downing St.
Password protected discs
How is the mentioned password protection supplied? I have a feeling if it was encrypted they would say so.
Password protected discs....
....but what's the bet that the password was on a strip of paper inside the envelope?
It gets worse, or at any rate larger
I'm told the discs were lost by a well-known parcel delivery company, such as the one that lost my Amazon order.
If you missed your chance to pinch them, don't despair: every month the DWP collects minute details about every benefit claimant in the country, from hundreds of local authorities, on discs sent by a parcel company. They even have a procedure for sending them again if the first one gets lost.
The DWP have just started to talk about password-protecting the discs.
until people end up in jail nobody will care
has nobody heard of scp?
still - other questions need to be asked:
1) who has unrestricted access to prepare a report like that
2) who burned the cds?
3) who put them in the post?
4) who else has access like that?
5) how many of them have been properly security vetted...
Maybe Gordon might want to have another look at that E-Petition against a national ID scheme. I seem to remember his predecessor trying to allay fears about security with the words 'rigidly controlled'.
Who's gonna be the first MP in Parliament to stand up, point at the big commie and shout 'HA! Told ya!'?
I'm not too worried about the physical layer - electronic or physical, it's all just a bunch'o'bits at the end of the day. They can go astray on the interweb as easily as in the post.
I am much more worried about the bland assurance of "password protected". What does this mean?
Is the data just on a CD with an autorun.inf that asks for a password? Or is it a pass phrase for a 1024-bit RSA-encrypted compressed database snapshot?
And even if it is the latter, is the password a nice, secure 64-character random string or the word "p455w0rd"?
We should be told.
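The comment above asks what "password protected" actually means. One check a practitioner can run on a recovered or intercepted disc image, without any key, is whether the bytes look like plaintext at all. Below is an added example (not code from the thread or from HMRC) that scores a file by Shannon entropy and compressibility: a CSV dump with a password prompt bolted on still looks like text, while a properly encrypted blob is indistinguishable from random. The sample data is constructed here (fake record lines and `os.urandom` standing in for ciphertext); the 6.0 / 0.8 thresholds are assumptions chosen for the demonstration.

```python
"""Is a 'password protected' file actually encrypted? Entropy and compressibility check.
Added example; sample inputs are constructed, thresholds are assumptions."""
import math
import os
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """compressed_size / original_size; about 1.0 (or above) means incompressible."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def classify(data: bytes) -> str:
    """Coarse verdict. High entropy means encrypted OR already compressed; this
    check cannot tell those apart, it only rules out an unencrypted export."""
    if shannon_entropy(data) < 6.0 or compression_ratio(data) < 0.8:
        return "plaintext-like"
    return "high-entropy"


# Constructed stand-in for an unencrypted record export (all values are fake).
PLAINTEXT_SAMPLE = b"".join(
    b"REC%06d,CONSTRUCTED NAME,1970-01-01,XX123456X,12-34-56,00000000\n" % i
    for i in range(2000)
)
# Constructed stand-in for real ciphertext: uniformly random bytes of the same length.
CIPHERTEXT_SAMPLE = os.urandom(len(PLAINTEXT_SAMPLE))


if __name__ == "__main__":
    for label, blob in (("export.csv", PLAINTEXT_SAMPLE), ("export.enc", CIPHERTEXT_SAMPLE)):
        print(f"{label}: entropy={shannon_entropy(blob):.3f} "
              f"ratio={compression_ratio(blob):.3f} -> {classify(blob)}")
```

A "plaintext-like" verdict on a disc that was described as password protected means the password was a gate in front of readable data, not encryption of it. A "high-entropy" verdict is necessary but not sufficient: a zip archive with legacy password protection also scores high, and even genuine encryption under a passphrase like "p455w0rd" is only as strong as that passphrase.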
Poacher turned GameKeepers
"As has been said above: and these are the people who want to run a national ID card system. Given this, we'll either all be in prison or totally, totally safe, except from those selling dodgy stocks and goldmines and Latvian girlfriends."
Seems like those could build a secure system with many safeguards/traps.
What do you expect from a bunch of overpaid, over-pensioned Civil Servants?
What a bunch of idiotic tossers.
This will surely be the death of the ID card. Thank god.
"the information on its own does not provide enough information to access bank accounts as it does not contain passwords and so on."
Plenty for opening fraudulent credit card accounts etc though.
Outsource the lot of em
That way the discs would never get round to getting posted.....
Oh hold on, that's exactly what Cap Gem are going to do...
And if HMRC reimburses any losses, well, it's your money anyway.
Welcome to Britain, wipe your feet on the way out....
... is probably "password".
Honestly, I have greater security connecting to my PC at home from work, and I'm not lobbing around millions of pages of bank details, I'm transferring MP3s and photos.
Stupid is too tiny a word.
When questioned Darling more or less said that the data was not encrypted - saying that encryption will be 'considered' in future. I bet the password was 'password'. Nice to see that the second lot of disks sent by recorded delivery post got there. What idiots!
... ni numbers are belong to us. :)
I'm sure the reg reported on this last week? Or was that another loss?
I bet it's in someone's inbox, they're probably on holiday and all will be found in a few days.
My questions are
a) is the government WAN not good enough to send two CDs' worth of data across it?
b) how can a junior clerk be able to dump such a large number of records out of the system?
c) will the National ID scheme embrace similar comprehensive security?
If they have fallen into the hands of some wrong'uns, they'll be able to find addresses of all the celebrities with kids! :) I bet Britney's good that she doesn't live here!
Why does the knowledge that the discs were "password protected" fill me with dread rather than make me feel a little better?
Maybe it's because if the discs had the appropriate levels of strong encryption the government would have said so.
I bet it's just an eXcel spreadsheet with a password.
Burn, baby burn
"So they burn the stuff to CD / DVD etc"
It would be amusing to mock up a 1.4gb zipfile called "child support (10-11-07)" and share it via eMule. And make a separate text file that reads "the password is "childsupport1"". Perhaps even mock up a database with quasi-randomly-generated names and national insurance numbers etc. Now that would be an exploit.
This isn't (just) about losing disks, or not encrypting them...
It's about what kind of absolutely incompetent business process design (never mind the technology) allows a "junior official" to get at all that really quite sensitive data without *someone* wondering why, and stopping it (or at least asking questions).
One also has to wonder what the question from the NAO was; it's hard to imagine what kind of question had this as the appropriate answer. Always assuming that there was an NAO question, obviously.
Incompetent, outsourced, PC-centric business-critical IT is bad enough, but combine it with cluelessly bad business process design such as we appear to have here and disaster has always been the inevitable result, the only surprise is that it's taken this long for a disaster to reach the public eye.
Still, looking on the bright side, if the public and our representatives have any sense, there'll be no more money wasted on ID cards, though doubtless some of the vested interests in the ID card business will view this as a marketing opportunity.
Keep 'em peeled.
What exactly was the NAO doing with raw data?
Either they should be carrying out in-depth work on a sample OR they should be content with anonymised data records. This is BASIC stuff... ...but then we are dealing with molluscs.
I work for HMRC
And can tell you that our IT systems are sh*t.
I am not surprised that this has happened because it's not the first incident of this kind: http://news.bbc.co.uk/1/hi/uk/7103911.stm
Remember these are the same people who brought you that wonderful success called Tax Credits!
And like the rest of you I fear the introduction of the ID card.
I would like to serve my country by setting up a system to prevent this sort of thing recurring. It is very complex which is why I will ask a whopping £1million for the work.
Actually this kind of incompetence is rife and not just in Government. Banks and other large organisations are like this too. They're just too big and unwieldy and plain inefficient to get things right on more than an occasional basis. A top-tier bank, when sending money to my account in another top-tier bank, lost this money. Turns out they put it in second class post. The threat of legal action chivvied them along nicely though. :)
A Public Service
So how about setting up a website where people can check if their names are on the list - just type in their full name and address, date of birth, NI number and bank account details and it will tell them whether their details have been stolen. For extra security they can also put in their bank account PIN, they wouldn't want just anybody knowing their details are stolen.
BBC says it was TNT
re: lost by a well-known parcel delivery company, according to the BBC, they were sent and lost by HMRC's internal postal service which is operated by TNT.
"Contrary to all HMRC standing procedures two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit were sent to the National Audit Office by HMRC's internal postal system operated by the courier TNT."
They just reported in news that...
It was TNT Courier who is responsible for all the deliveries that have gone missing. Hardly inspires me to use TNT Courier for anything, and why did HMRC not sack them after the first few losses of data?
Where do I sign up for my royalties?
Based on its massive selling potential for the number of copies likely to be sold, where do I sign up for my royalties/earnings? As one of the 25 million having ownership and distribution rights, this could be lucrative, but then again any income will probably be stolen from my account. I wonder if FACT will act on our behalf to enforce distribution now it's out in the open, if the distro ends up on peer to peer networks.
(ID Cards pretty much dead and buried methinks, or should I say ID Cards are well and truly 'poll taxed' into obscurity)
To put the brilliance of our government into context Golden Brown wanted Fiona Philips to be a minister for children.
Yes, that one, the simple minded woman that's only got a job because her husband is one of GMTV's bosses..
For those who can't count...
7.25 million families, 25 million people: that's about 3.4 folks per family, so probably 1.5-ish kids/family, not 3.4 kids per family.
2.1 > 1.5 so it looks like the Brits are on the verge of extinction, but it's ok because they can't count anyway.
Where's the Darwin icon anyway?
Why has the HMRC CIO Steve Lamey not quit?
Surely data security is his responsibility as much as Gray's, and he has been in his job much longer than the resigning Chairman?
What role did HMRC's IT partners Capgemini and Fujitsu have in this fiasco?
Isn't it their responsibility to build systems that are intrinsically secure, not just to rely on some civil servant in an office following the correct procedure?
Lots of unanswered questions.
We can be certain that the cases reaching the attention of the media probably represent only a small proportion of all the potential breaches.
Re A Public Service...
AH, you surely know one end of a telescope from t'other. There will be NO prizes for guessing what the next big phish is gunna look like. Brilliant!
"Does anyone know if HMG and its employees are subject to the Data Protection Act "
Government offices are usually covered under part 4 - exemptions, or at least that's the going assumption.
If you can read it without falling asleep:
There's a mea culpa for you.
And I thought government execs here in the States had brass.
1. Does HMRC fail its IT audit for this year?
2. Who decided it was a good idea to have a private contractor run a government postal system anyway?
As for the "senior official" whose job it is, after all, to supervise those "junior officials", I'd suggest taking a page from IT management's playbook:
Have him escorted from the building with the suggestion that he contact HR later in the week for an exit interview.
Only real consequences for those in charge are going to change the behavior of this particular beast.
Facebook will steal your identity!!!
"MISSING DATA INCLUDES...
National insurance number
Name, address and birth date
Names, sex and age of children
Bank/savings account details"
BUT Thankfully this is not enough to steal money from us!!!
W T F!!
How come we hear daily how Facebook will expose our personal info and we should avoid it at all costs, but releasing the above into the public domain is perfectly OK?
I think it is about time for a clear out - no Conservatives, Labour or Lib Dems - we need a new way of government. Old incompetent fools just don't cut it anymore.
Looking on the bright side...
that should finish off the possibility of ID cards anytime soon.
To echo many other commentators, why did the NAO need this data? Just what were they planning to do with it, who had access at HMRC etc? This is not just incompetence, this is so far beyond that words just fail me.
Symptomatic of a bigger problem
The chancellor blamed mistakes by junior officials at HMRC.
Why aren't there safeguards enforcing high-level review and authorization for this type of access?
Of course junior officials must have access to *individual* records but what on earth are they doing with unmonitored access to the *entire* database?
Does this mean any junior official could just walk off with the entire database in their pocket?
What is really shocking
This data was (reportedly) downloaded by a "junior official", if this is true, and I really hope it isn't, this means that some random temp has uncontrolled access to everything. This means that if you want to find out where your, say, estranged wife lives, you know, the one that has a restraining order out on you, after that time you tried to kill her, you get a temp job at the Revenue and Bob's your uncle. Frightening, truly frightening.
I have worked and do work for large financial companies, at all of which, if someone tried to run such a query, they would (and do) send security round to your desk with a black bag and a P45. They also monitor for people 'just browsing' and actively sack call centre ops for trying to browse 'celeb' accounts etc. In fact, we aren't even allowed to move tapes between data centres without two people to escort the tape.
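The two comments above ("unmonitored access to the *entire* database" and "monitor for people 'just browsing'") describe the same control: individual lookups tied to a case are normal, a junior account pulling thousands of records in minutes is not. Below is an added example, not code from the thread or from any HMRC or bank system, of detection logic run over constructed audit log lines. The log format (`user=`, `action=`, `record=`, `case=` fields) and the 50-records-in-15-minutes threshold are assumptions made for the demonstration.

```python
"""Flag bulk record access and lookups with no case reference in audit logs.
Added example; log format, user ids and thresholds are all constructed assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed audit line format (not a real HMRC format):
#   <ISO timestamp> user=<id> action=<read|export> record=<id> case=<ref or ->
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) case=(?P<case>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def make_sample_log():
    """Constructed sample: one caseworker behaving normally, one account bulk-reading."""
    base = datetime(2007, 11, 20, 9, 0, 0)
    lines = []
    # Normal pattern: a few lookups spread over an hour, each tied to a case reference.
    for i in range(6):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} user=clerk01 action=read "
                     f"record=REC-{1000 + i} case=CB-{200 + i}")
    # Suspicious pattern: 300 reads in ten minutes, none linked to any case.
    for i in range(300):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} user=temp042 action=read "
                     f"record=REC-{5000 + i} case=-")
    return lines


def find_bulk_access(lines, threshold=50, window=timedelta(minutes=15)):
    """Return {user: peak records touched in any sliding window} for users over threshold."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_user[ev["user"]].append(ev["ts"])
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged


def find_unjustified_access(lines):
    """Count reads/exports per user that carry no case reference at all."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["case"] == "-":
            counts[ev["user"]] += 1
    return counts


if __name__ == "__main__":
    log = make_sample_log()
    print("bulk access:", find_bulk_access(log))
    print("no case reference:", dict(find_unjustified_access(log)))
```

The point of the two separate checks is that either one alone catches the bulk export described in the thread, but they fail differently: a volume threshold misses a slow trickle of browsing, while the case-reference check misses someone who fabricates a ticket for each lookup. Running both, and alerting on either, is the minimum the comment's bank environment describes.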
Case 66545 - Mr Darling vs Information Commissioner
How can we trust a government that announces this fiasco and then says they've informed the banks. Shouldn't they be informing the credit reference agencies as well because fraudsters use these details to open bogus accounts and sign-up to mobile phone contracts. At the end of the day it's the consumer that has to sort out the mess when id-theft occurs.
I wonder how I'd get on prosecuting HMG if I suffered id-fraud? I hope the Information Commissioner throws the book at HMRC.
http://www.cabinetoffice.gov.uk/csia - for a hypocritical laugh.