Criminals used the personal data of 100,000 civil servants that was swiped in early 2010 in an attack on HMRC around the same time, The Register has discovered. Now, almost three years later, the government is still scrabbling around trying to work out whodunnit... and only recently 'fessed up to the individuals concerned that …
Hushing this up for two years is either gross public malfeasance, or, a sign that this story is much much bigger than is being reported.
I might be confusing this with some other national legislation, but isn't it a requirement of data protection law that any breach is reported to the individuals concerned as soon as it is discovered? If so, any chance of a civil prosecution under data protection act?
Doh, silly me, as if any civil servant will ever be charged over something like this!
Re: prosecutions, ahoy?
Didn't they give themselves immunity when they wrote the law?
This is so not over!
"HMRC has said it can’t comment on the investigation as it is ongoing: so we don’t know the nature of the attack, or whether it was successful."
Additionally, they didn't pick up the phone. At all.
Why the heck .....
... does a football field or gym (or whatever) need someone's National Insurance number to register their membership or usage rights? Name, address and dob; yes (need dob for certain age-related conditions). Is it a case of the Civil Service department just throwing everything at them because they couldn't be bothered to make a decision about what was appropriate?
I can understand not releasing details because a criminal investigation is underway, but this sounds like a cover-up that has fallen apart.
Re: Why the heck .....
Hmmm ... according to the Data Protection Act:
(3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
(7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Epic fail on both perhaps?
Re: Why the heck .....
"does a football field or gym (or whatever) need someone's National Insurance number to register their membership or usage rights? "
Read the article - the Civil Service are reported to use NI numbers as the payroll number. So a "Civil Servants only, no peasants" sports club might reasonably ask people's NI number as a means of identifying the member for contributions to be deducted from the member's salary.
Having said that, the Civil Service and public sector have a long history of IT incompetence and poor data security. I therefore see it as a delight that the civil servants should find their own data compromised. I'll bet it doesn't encourage any better security practices though.
Re: Why the heck .....
'I therefore see it as a delight that the civil servants should find their own data compromised'
Only an Arsehole would be delighted at anyone's data being compromised.
Nice article Anna...
...for a moment I thought I was reading something from John Leyden's oeuvre.
What are you doing writing articles that aren't slagging off Apple? Have you forgotten your agenda?
Government IT never ceases to underwhelm me ....
Back in 1986, I applied to the CCTA (as it was then) for a position for my sandwich year. Got the interview. Was faced by 5 people, 4 of whom wouldn't have known a computer if it had been paraded through on a carnival float. The fifth was clearly the "staff", and was current up to about 1970 - when I explained I'd studied Pascal, FORTRAN, ADA and Modula-2, he asked about my COBOL.
When they offered me the job, it was £1,000 a year less than had been advertised at. When I queried this, I was told that they paid salary by age band, and I was a year younger than the age band they'd advertised for.
Seems like nothing has changed in 26 years.
Re: Government IT never ceases to underwhelm me ....
Always thought you got paid for what skills and some intrinsic value added you would bring to the company.
"No individual fraud"
Even taking that dubious claim at face value, drawing ghost salaries/benefits in someone else's name would probably affect the victim's credit history/tax bill...?
Why they needed the NI Numbers
is already implied in the article - as payroll records are tied to NI Numbers, they needed them to deduct membership fees.
My wife got her letter a couple of weeks ago; it is full of weasel words explaining that they believe that, to the best of their current knowledge, no personal fraud appears to have been attempted, as far as they can tell, given all the facts that they are currently aware of....
The excuse is full of about as many holes as their security - as far as I am aware, based on the facts that I am currently aware of, excluding those that I may become aware of in the fullness of time or which I may have inadvertently been aware of at some point in the past but have subsequently forgotten. E&OE
But once your name
address, date of birth and NI number have gone, what can you do? You can't change your date of birth. I really wouldn't recommend changing your NI number (HMRC fuck up enough when you keep the same one all your life, imagine the field day they'd have if you could change them). Changing address is more stressful than divorce. And changing your name is a bit of an imposition.
I would like to think we have a public think tank looking at the problem of re-securing identity after a breach like this, but I bet we haven't. Which means we'll be told how Facebook will solve the problem.
The only solution I can think of (this is my lunch break) is some sort of public registry, with individual records sealed by a PIN. Any organisation wishing to verify a person's ID submits the tokens (name, address, date of birth) and retrieves a token. The person claiming to be whoever they are then uses their PIN on the token. So when (not if) a public body sprays your data all over the interweb, you can change your PIN, effectively revoking the previous ID.
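The revocation idea in the comment above, worked through as an added example (constructed here, not the commenter's or any real registry's code): a verifier exchanges the name/address/date-of-birth triple for a single-use token, the holder seals it with a PIN, and a PIN change bumps a version number that invalidates every token issued before it. The PIN hashing and token format are my assumptions.

```python
import hashlib
import hmac
import os
import secrets

def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash: a four-digit PIN must never be stored as a plain digest.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Registry:
    # Constructed toy of the PIN-sealed registry sketched in the comment above.
    def __init__(self):
        self._records = {}  # (name, address, dob) -> {salt, pin_hash, pin_version}
        self._tokens = {}   # token -> (identity key, pin_version it was issued under)

    def enrol(self, name, address, dob, pin):
        salt = os.urandom(16)
        self._records[(name, address, dob)] = {
            "salt": salt, "pin_hash": _pin_hash(pin, salt), "pin_version": 1}

    def request_token(self, name, address, dob):
        # The verifying organisation submits the attributes it holds and gets an
        # opaque, single-use token bound to the record's current PIN version.
        key = (name, address, dob)
        if key not in self._records:
            return None
        token = secrets.token_hex(16)
        self._tokens[token] = (key, self._records[key]["pin_version"])
        return token

    def prove(self, token, pin):
        # The person seals the token with their PIN; the token is consumed either way.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        key, version = entry
        rec = self._records[key]
        if version != rec["pin_version"]:
            return False  # issued before a PIN change: revoked
        return hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin_hash"])

    def change_pin(self, name, address, dob, old_pin, new_pin):
        # Bumping the version revokes every token issued under the old PIN.
        rec = self._records[(name, address, dob)]
        if not hmac.compare_digest(_pin_hash(old_pin, rec["salt"]), rec["pin_hash"]):
            return False
        rec["salt"] = os.urandom(16)
        rec["pin_hash"] = _pin_hash(new_pin, rec["salt"])
        rec["pin_version"] += 1
        return True
```

A four-digit PIN still needs per-record attempt limits, which this toy omits.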
Bigshot to be bagged?
This seems to have all the modus operandi of a big shot or two or more protecting their own ar*es as in the Sheffield football incident.
Were it possible to blame a low level nerd it would probably have been done so quite a while ago?
Fact that it is ongoing suggests usual "sweep it under the carpet and keep quiet" ?
I wonder if this is linked to the massive self-assessment fraud a couple of years back when they brought in the automated submission system...