
25 million people's records at risk from HMRC scandal

The statement in the Commons by Alistair Darling reveals that the massive data privacy and security breach by Her Majesty's Revenue and Customs is even worse than the initial TV reports.

The breach seems to have been instigated by the supposed auditing process by the National Audit Office (NAO)!

The potential data privacy and security breach involves 25 million individuals (out of about 60 million people in the UK), including:

  • 7.25 million families
  • names of all Child Benefit recipients i.e. the parents
  • names of their Children
  • dates of birth
  • addresses
  • Child Benefit Numbers
  • National Insurance Numbers (NINOs)
  • Bank or Building Society account details

Why was one junior civil servant allowed to have access to download the full database, when the National Audit Office didn't even request all of that data, only a small sample for audit purposes, e.g. a dozen records?

The two CD-ROMs were sent initially in the internal mail, which is subcontracted to TNT couriers.

The two discs are supposedly "password protected" but that rather implies that they are not actually encrypted to normal commercial or Government approved cryptographic standards.

When the initial two discs failed to arrive at the National Audit Office, the "junior official" then sent another two copies via registered post, which did arrive ok.

It is irrelevant that this was all against the complicated HMRC Standard Operating Procedures, which had been supposedly strengthened after the previous incident which "only" affected 15,000 records being sent to an insurance company at the end of September.

Why was it possible for any one single junior civil servant to obtain a complete copy of the entire database?

Alistair Darling only mentioned the financial risks of this massive potential data breach, but he ignored the confidential name and address information which could be life threatening to, say, battered wives and their children, victims of stalkers, people in witness protection schemes, families of Judges, police officers, prison officers, armed forces, intelligence agencies etc.

The Chancellor unconvincingly tried to claim that somehow Identity Cards would have prevented the risks of this data breach, because of the magic of "biometrics" - which is, of course, utter rubbish!

Surely this must affect public opinion and trust in the "database state" centralised databases such as the National Identity Register / ID cards, the National Health Service centralised patient records ("Data Spine") etc.?

The non-partisan NO2ID Campaign has been trying to raise public and political awareness of the risks of such "all your eggs in one basket" systems, which are so vulnerable to incompetent or corrupt authorised insiders.

Comments

"The breach seems to have been instigated by the supposed auditing process by the National Audit Office"
This doesn't surprise me. On a discussion forum for public sector folks, there's been talk for a while about the NAO getting councils to send them complete bank account details of all employees, unencrypted, through courier / registered post.
http://www.cipfa.org.uk/publicfinance/ticker_details.cfm?news_id=29587.

