The Labour Government are up to their usual "bury bad news" media manipulation tricks again today.
Chancellor of the Exchequer Alistair Darling has published the final Poynter Review into the lost copies of the entire national HMRC Child Benefit database scandal last October. - Poynter Review final report, 25 June 2008 (PDF file 1.13MB)
As if by magic, and obviously just a complete coincidence, the supposedly independent from Government, Independent Police Complaints Commission (IPCC) has also published its report into the incident today. - HMRC, Washington IPCC independent investigation report into loss of data relating to Child Benefit (144KB .pdf)
Unsurprisingly, the IPCC finds nobody at Her Majesty's Revenue and Customs, or at the National Audit Office, to be criminally responsible for breaching Section 55 of the Data Protection Act 1998.
Perhaps the fact that HMRC got the Director of Public Prosecutions to sign prosecution immunity certificates to the is effect explains this, although this was probably necessary in order to secure the cooperation of the junior and middle ranking staff involved.
Apparently Robert Hannigans's Cabinet Office review of wider Whitehall data handling is also meant to be published today. Whether this takes into account the recent Top Secret Joint Intelligence Committee papers left on a train, or Hazel Blears' Restricted and Confidential Cabinet documents unencrypted on a stolen computer in her constituency office scandals, remains to be seen.
There is also meant to be a Ministerial Statement by Des "Swiss Tony" Browne, the embarrassing Defence Secretary, into the stolen, unencrypted laptop computer with personal details of 650,000 potential and actual military recruits.
Also published today is Sir Michael Pitt's final report into the lack of preparedness for last summer's floods in large areas of the countryside., which obviously must also be of interest to the mainstream media and broadcasters.
It may take some time for the media and for bloggers to comment properly on all of these reports (if they are fully available on line), which is, presumably, a deliberate media spin policy
There is no hint of any of the senior civil servants or of the supposedly politically accountable Ministers actually taking personal, responsibility for the scandals, and resigning with honour.
We are alternating between laughter and fury, at the catalogue of errors displayed by HMRC, which seems to stem from the incompetence of its former boss, the then Chancellor and current Prime Minister Gordon Brown.
We note that neither the Poynter Review, nor the IPCC has properly examined the National Audit Office's lax data handling procedures, especially in regard to their transfers of the unencrypted Child Benefit Data to and from their commercial audit sub-contractors KPMG.
Some brief quotations:
Iv.31 NAO Employee2 recalled, in his interview, that he kept the discs securely at his house over the weekend following collection from WVP, and subsequently, at some point between 16 March 2007 and 20 March 2007, NAO Employee2 handed the discs to external auditors KPMG, who were assisting NAO, to enable them to select a sample for review as part of the NAO audit. NAO Employee2 could not recall whether the discs carried protective markings, but stated that he made KPMG aware of the confidential nature of the information they contained in verbal and written briefings. NAO Employee2 noted that he was provided with the samples of data that KPMG had selected as part of the process and recalls that the bank details were blanked out as part of this process. The discs were subsequently handed to NAO Employee4 on 20 March and stored in a safe at the NAO offices in London, before being returned by NAO Employee2 to EmployeeJ on his next visit to WVP on 16 April 2007.
Nobody seems to have questioned, as we did last year, why it was necessary for the NAO to return the unencrypted CDs which they did receive, back to HMRC ? What use could HMRC possibly have for such by then, out of date data ? This still unencrypted data was put at risk by not one, but two, unnecessary physical data transfers instead of it being securely destroyed at the KPMG premises, once they had extracted the small subset of data needed for their audit.
Production and encryption of the next download of CBCs data
Iv.39 One of the key areas to address in analysing these events, is the process by which the CBCS scan used by CC was created, what data this scan contained, and the levels of encryption applied to the discs onto which the scan data was transferred.
[...]
The URAC document specifically requests that "The serial data to be
extracted by a bespoke process and written to 100 sequential files, fields separated by commas. The data to be written initially in EBCDIC but converted to ASCII, zipped, password protected and put onto CD's which should be despatch by secure means to be agreed" and that the data should be sent to EmployeeR of the TCO National Intelligence Team via the IMS CBCS Asset Management Team.Iv.40 My team has identified an email dated 1 October 2007 from EDS Employee2, another
EDS manager, to EDS (copied to EDS Employee1), informing them that the "6 monthly data compliance scan for Tax Credit Office is due to run...ALS will transfer the 100 files to PC & copy to CD/DVD for the end user". Further, in his witness statement EDS Employee1 confirmed that the "100 files were available to be downloaded" on 2 October 2007, adding that he downloaded half of the files onto his D drive, in a process that "can take anything up to 24hrs", and that the other 50 files were processed by EDS Employee2. On 3 October 2007, EDS Employee1 recalled, he zipped the files and transferred them from the D drive to the network drive adding that "The reason for this process is so that the files are smaller and can be copied onto removable discs. They are also password protected". The following day, on 4 October 2007, EDS Employee1 reported that he burned the files that he and EDS Employee2 had zipped onto two Memorex CD-R recordable 700MB 80 min discs and labelled as "TCO" amongst other markings ("CBCS Discs Set A"), TCO standing for "Tax Credit Office". I conclude from this analysis that CBCS Discs Set A did indeed contain the full records of all child benefit claimants at that time.
If these files were on PC compatible network drives, why, exactly, was it not possible to transfer them electronically to the National Audit Office, perhaps through, for example, the Confidential rated xGSi email system ?
Iv.41 The URAC document issued by HMRC specified that the files should be "zipped", i.e. that WinZip software should be used to compress the files, and password protected. My team notes from its computer forensic analysis work that the version of this software used to package the data on CBCS Discs Set A, WinZip 8.1, provides only low grade encryption. In addition, according to the testimony of various witnesses, each file was password protected with the same seven digit alphanumeric password. This low level of encryption was unsuitable for the transfer of large amounts of sensitive data on a removable medium such as a compact disc.
WinZip incorporated AES strong encryption from version 9.0 onwards, which would have been much more secure cryptographically, but not if they had still used "the same seven digit alphanumeric password" !
IX.2 We derive further evidence of information security not being a priority from observing that:
- The generic policies around information security that were issued from the centre were inadequate and tended not to be translated into Business Unit specific procedures - and no consistent assurance regime was in place to ensure that this translation was completed;
- The S&BC function which was responsible for information security policies was weak in skills and experience and commanded no authority across the business;
- HMRC did not and still does not possess documentation of its data flows at a level which would have allowed it to assess risk;
- HMRC did not employ any information security professionals at the time of the incident; and
- Staff received little or no training in information security.
This is inexcusable !
Perhaps we should not be looking for mere incompetence, but for malicious corruption instead. Is it it in someone's corrupt financial interest to deliberately have such crippled IT security procedures in place ?
IX.8 Some facts that bring this to life. HMRC
- Operates some 650 different systems;
- Has a further 4500 Business Developed Applications (mostly Microsoft Excel & Access), of which 550 have been classified as business critical by Business Units;
- Operates from some 900 sites/offices;
- Sends out some 300 million items of mail a year.
IX.9 Small wonder then, that when the Director of Data Security imposed a ban on non-encrypted bulk data transfers following the data loss incident, several data transfers were uncovered that senior management in HMRC was not aware were happening, including at least three regular downloads of the entire child benefit database - the same information that was reported lost in November 2007. These were regularly downloaded onto non-encrypted media and put into internal mail.
Aaaaaargh ! How many other massive data security breaches have there been, which have gone unnoticed by "senior management" ??
IX.12 The DSSM is held on the HMRC intranet, runs to hundreds of pages, is not easy to navigate and is not tailored to the individual searching for guidance - meaning it is largely unused.
Exactly as we predicted !!! The Security Manuals and Procedures are all there, in exhaustive detail, but nobody actually reads or uses them.
IX.14 Although the volumes have declined a little, HMRC continues to rely heavily on paper- based communications. Last year, for instance, HMRC sent out around 300 million letters and mailings to its customers, an average of 8 per household and 68 per business. The media it uses for data transfer is similarly archaic. For example, the Magnetic Media Handling operation in Longbenton, Newcastle, accepts all media (reel to reel tape, cartridges, floppy discs, CDs etc.) on which employers submit their end of year returns and could be designated a museum if the criteria were variety of media no longer generally used (media, incidentally often associated with systems incapable of creating encrypted data).[...]
The tax gatherers are usually so prescriptive and authoritarian - how did they mange not to phase out old, obsolete removable media as new technology improved ?
Why did they not use their monopoly position to set standards for only accepting encrypted data on removable media ?
Computer Forensic analysisWe obtained and reviewed the contents of the e-mail files for relevant HMRC personnel. However, due to entirely unavoidable circumstances, my team was not able to conduct a full forensic analysis of the email files of two of the witnesses to the events leading to the loss of the CBCS data. The backup data of these two mail files had become corrupted, as often occurs in similar organisations with significant IT infrastructure, rendering the data inaccessible despite my team's best efforts to retrieve it. In addition, certain older email files from other witnesses were not retrieved from electronic archives stored elsewhere within HMRC's IT infrastructure. Taking account of the entirety of the evidence gathered and made available to my team, I do not believe that these minor limitations are likely to have had a material effect on the overall findings.
The fact that not all the email could be examined will fuel conspiracy theories.
http://www.cabinetoffice.gov.uk/newsroom/statements/080625_data_handling.aspx
Hannigan also came out today...
Did you see what the Information Commissioner had to say: http://www.ico.gov.uk/upload/documents/pressreleases/2008/hmrc_mod_data_security_breaches_25062008.pdf
‘I will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred.'
‘It is beyond doubt that both Departments have breached Data Protection requirements and we intend to use the powers currently available to us to serve formal Enforcement Notices on them. To comply with the terms of the Enforcement Notices we will require HMRC and the MOD to use their best endeavours to implement all the recommendations outlined in the reports. We will also be monitoring the situation closely. We will require progress reports to be published after 12, 24 and 36 months documenting in detail how the recommendations have been, or are being, implemented to improve Data Protection compliance. Failure to comply with an Enforcement Notice is a criminal offence.'