National Audit Office reveals some emails about the HMRC data security and privacy scandal - but the NAO is not totally blameless
The National Audit Office (NAO), is strenuously trying to distance itself from the Her Majesty's Revenue and Customs (HMRC) Child Benefit Awards database data privacy and security breach disaster, involving the loss of copies of 25 million people's sensitive personal data records.
NAO have published some censored emails and other correspondence, which mostly, and correctly, shifts the blame onto HMRC middle and senior management:
See child_benefit_data.pdf
.
N.B. this is the usual sort of .pdf file image scan, with various bits censored i.e. deliberately not possible to cut and paste, or to be indexed word for word by web search engines. This is a tactic used by organisations with something to hide from the public.
[hat tip to Ray Corrigan B2fxxx]
However, the National Audit Office are not entirely blameless, and despite their claims that:
The NAO attaches the highest priority to data security
and
...we will continue to ensure that our processes are in line with best practice. We shall review our arrangements accordingly though we have found no defects in them.
We beg to differ:
The NAO appear to have admitted to returning to HMRC the CDROM discs obtained in March, containing a copy of the unencrypted, full Child Benefit Awards database, including the sensitive personal data which they had, commendably, asked not to be included in the data extract.
Once they had extracted their 1500 or so records for audit, why did the NAO not securely destroy these CDROMS, instead of risking them again in transit, unencrypted, by sending them back somehow to HMRC, who had no possible use for them anyway ?
Why did they not raise a Security incident when they received so much unencrypted personal data the first time in March ?
That does not seem like "best practice"or "no defects" to us.
The HMRC email exchange saying that it was somehow too expensive to filter out the sensitive data :
From [censored] (Benefits and Credits) [censored]
Sent: 13 March 2007 15:23
To: [censored]
Cc: [censored]@nao.gsi.gov.uk; [censored] (Benefits and Credits); [censored] (Benefits & Credits); [censored] (KAI Analysis)
Subject: FW: URGENT Extract from Compliance scan
Importance: High
Sensitivity: Confidential
[...]
Your original request was for 100% scan of the data, and fortunately a scan was complete earlier this year, and we have shared this with you at no additional cost to the department. I know you are meeting Compliance and KAI colleagues on Wednesday and all your issues regarding data extracts etc. should be taken up with them. I must stress we must make use of data we hold and not over burden the business by asking them to run additional data scan/transfers that may incur a cost to the department.[...]
[...]
From [censored]@nao.gsi.gov.uk
Sent: 12 March 2007 14:41
To: [censored] (Benefits & Credits)
Subject: RE: URGENT Extract from Compliance scan
Sensitivity: ConfidentialThanks for this, I have tried to understand it ans put it into my testing requirements. From my review of the extract and our telephone conversation, I think it is possible to use the live data dump but need to segregate it into two files:
1) Starters
The file should segregate [censored]paragraph contains sensitive technical information
2) Leavers
The fle should segregate [censored]paragraph contains sensitive technical information
A few queries
a) Is the above possible to do before handling it over or do we have to take the entire file with all of the data ? If this is not possible, how big is this file which I assume will be zipped. I might still be able to make use of the data as it stands but I will need to check. I will need to know the total number of records as a check to ensure that I have downloaded from the CD dsk(S) the right number of records.
b)I do not need address, bank or parent details in the download - are these removable to make the file smaller ?
c) Would the file have initial headings or would it be necessary to insert these? It is easier with headings but this is not essential.
d) How much lead time do I need to give if the segregation actions are possible?
e) How much lead time do I need to get records out of archive ?
[...]
From: [censored] (Benefits & credits) [censored]
Sent: 13 March 2007 13:11
To: [censored]
Cc: [censored](Benefits and Credits)
Subject: FW:URGENT Extract from Compliance scan
Importance: High
Sensitivity: Confidential[censored]
Please see attached extract from the Compliance sample as requested. I hope you make sense to you than us however: this is the format the extract arrived in so it will give you an idea of style for future reference. [censored]has also provided a URAC document which should provide a brief explanation of the data in the extract.
Best of luck!
[censored]
From: [censored] (CBO Washington 1)
Sent: 13 March 2007 08:20
Ro: [censored] (Benefits & Credits)
Cc: [censored] (CBO Washington 1); [censored] (CBO Washington 1)
Subject: FW: URGENT Extract from Compliance scan
Impaortance: High
Sensitivity: Confidential[censored]
Please find attached the [censored] data scan [censored] and a sample of the data extracted by EDS based on those requirement. The [censored] should help NAO decipher the information. The scan is run against the old [censored] Awards section and I have randomly selected and attached part of the [censored]
The use of the word "decipher" does not mean that there is any strong cryptography being used, simply that the raw data extract files needs to be broken into understandable fields.
[...]
HM Revenue & Customs
[censored] (Personal Tax and Credits)
Cild Benefit Office
Mainframe Systems
The October request from NAO:
From: [censored]
Sent: 02 October 2007 09:56
To: [censored]@hmrc.gsi.gov.uk"
Cc:[censored]
Subject: NAO request for data scans being carried out for Compliance
[...]
Please could we have a copy of the data scans being carried out in early October 2007 and erly February 2008. We require this data for our audit. Last time we had a 100 zipped files on 2 CDs. Please could you ensure that the CDs are delivered to NAO as safely as possible due to their content.
[...]
Please could you ring [censored] when you have safely received the two CDs, his number [censored] [censored] has requested this so that he can pass on the password(s) in an email
regards
[censored]
Audit Principal
[...]
However, the National Audit Office are not entirely blameless, and they are not being completely frank and transparent (note our emphasis):
Briefing for Chancellor of the Exchequer on the NAO's request for discs of information[...]
2. On 13 March 2007 NAO emailed HMRC explaining what data we wanted and what we intended to do with it. We requested the more sensitive elements to be removed including bank details and addresses. HMRC stressed to us that they would prefer to use the data that they held and not run additional data scans/filters that would incur a cost to the department. Therefore they provided the data scan in full on 16 March. The NAO returned the Compact Discs (CDs) to HMRC on 16 April.
[...]
4.HMRC told the NAO that on 18 October they had sent to the NAO, via TNT, two CDs containing a scan of the Child Benefit Awards database in a sealed envelope contained in a tax post wallet. This wallet does not require a signature from the recipient when it is delivered. On 24 October NAO contacted HMRC to say the discs had not arrived and in order to avoid delaying the audit, asked for a second set of the discs. Despite searches of the relevant offices there is no evidence that the tax post wallet had arrived at our offices at 157 - 197 Buckingham Palace Road.
5. HMRC sent a second set of data on 24 October which arrived on the 25 October - this was by registered overnight courier by TNT. Again the NAO did not need the sensitive data including bank details and addresses but HMRC supplied the full data as in March 2007.On 25 October we confirmed receipt of the second set of CDs and that we had still not received the first set of CDs. HMRC contacted the NAO by email about the missing discs on 5 November.
[...]
9. The NAO attaches the highest priority to data security and so the NAO's Security Officer has been fully involved and we will continue to ensure that our processes are in line with best practice. We shall review our arrangements accordingly though we have found no defects in them.
" best practice" ? "no defects" ? - We beg to differ:
Where is the staff training and procedures which would have allowed even a junior NAO staff member to have raised a Security Incident report, without prejudice to their own career, when the vast amount of unencrypted data was sent insecurely by HMRC the first time ?
Why did the NAO auditors not insist on the use of UK Government Approved Cryptography in order to protect these data CDROMs in transit ? Are they simllarly lax with other data ?
They could have insisted on the used of, say, CESG/ GCHQ approved Kilgetty software, which used to use a proprietary CESG algorithm (Red Pike), but which nowadays uses the commercially available 256 bit AES encryption, which would have been sufficient to protect this data in transit.
How and why exactly were these two CDROM discs, containing over 100 presumably password protected files which had been zip compressed, returned to HMRC on April 16th 2007 ?
Were these unencrypted CDROM discs returned to HMRC in April the same way they came, presumably using the same method employed later in October i.e. via the TNT run internal mail ?
Why did NAO need to return these discs to HMRC at all ? They were not original paper documents, they were digital copies of data which HMRC still held on their systems.
Why could they have not been shredded (there are shredding machines which can deal with CDROMs, or it can be done by hand with, say, tin snips) and incinerated in the presence of NAO and HMRC witnesses, at the NAO headquarters in London once the first audit checks had been done in March / April 2007 ?
This seems to imply a fourth insecure data transfer via CDROM, which endangered the privacy and security sensitive data in transit, one which was completely unnecessary.
This does not, constitute either "best practice" or "no defects" in the data handling and security procedures.
What have HMRC done with this first set of returned CDs ? Did they securely destroy them, or are they still being handled or stored insecurely?
What has happened to the third set of CDROMs which the NAO received successfully by registered overnight delivery via TNT courier (not registered Royal Mail as the Chancellor's Statement implied) on 25th October ? They have presumably by now extracted the 1500 or so records which they intend to audit.
Have the original 25 million record CDROMs now been securely destroyed ?
Have they been seized, sealed as evidence and held more securely i.e. handled with the Protective Marking of Secret or Top Secret ?
Remember, that despite all the fuss about the risks of financial fraud in the media and in Parliament, the data privacy and security loss is much more serious than that - it definitely constitutes
...a record of information of a kind likely to be useful to a person committing or preparing an act of terrorism,...
as per Terrorism Act 2000 Section 58 Collection of information) if a copy (not necessarily the original CDROMs themselves) were ever to fall into the hands of terrorists or foreign intelligence agencies or serious orgnaised criminal gangs.