February 15, 2008

HMRC intercept, snooping and surveillance powers commence today

Hat tip to Rob Lewis from who reminds us that "HMRC gets bugging powers" which commence today 15th February 2008.

These are under amendments to the Regulation of Investigatory Powers Act 2000 (RIPA), brought in under the Serious Crime Act 2007 Schedule 12, and brought into force through the Serious Crime Act 2007 (Commencement No.1) Order 2008 No. 219 (C. 5).

As Rob writes

HMRC has stated that all surveillance will be conducted in compliance with the Regulation of Investigatory Powers Act and the Wilson Doctrine, and subject to checks by the Office of Surveillance Commissioners and the Interception of Communication Commissioners Office. However, the department will not need to seek external authorisation for any of its surveillance activities.

The move flies in the face of assurances given when the Inland Revenue and Customs and Excise merged in 2005 that integration would not necessitate an alignment of powers. Professional bodies such as the Institute of Chartered Accountants of England and Wales will be further disappointed that HMRC has yet to draw up its own code of conduct regarding the new powers.

We expressed our worries last January: Is SOCA so useless, that HM Revenue & Customs really needs "bugging and phone-tap powers" ?

We have still seen no coherent justification for the extension of the snooping powers of the former Customs & Excise side, to infect the former Inland Revenue side of the HM Revenue & Customs mongrel Department.

If tax investigations (not drug smuggling) are on a scale and seriousness, so as to justify telephone intercepts and intrusive surveillance (i.e. legalised burglary into homes and offices to plant bugging devices), or to recruit Covert Human Intelligence informers, then surely the Serious Organised Crime Agency should be involved in a joint operation, and they can authorise and audit the necessary surveillance under RIPA ?

How can the Labour government justify allowing tens of thousands more faceless HMRC bureaucrats, to have access to our most sensitive personal data, through the most intrusive snooping powers, when they still have not restored any public confidence and trust following their appalling betrayal after the Child Benefit database scandal and other failed IT management and training privacy and security disasters ?

Remember that the Poynter Review and the Hannigan Review etc. etc. are being used as an excuse not to do anything effective about these scandals until after the May 1st 2008 Local Elections.

January 28, 2008

HMRC try to divert attention towards their secure online tax return web front end system, and away from their back end offices

HMRC have published some media spin to try to dampen down the furore over their special categories for Westminster Politicians and Celebrities, which tries to divert attention from the inadequacies of their back office systems.

See our previous blog article:
HMRC tax record security only for a minority of the privileged, but not for the rest of us
for some background and Obvious Questions about this.

HMRC Online Services - secure and safe to use

Some newspapers and broadcast media have claimed that HMRC's online filing systems are not secure because Members of Parliament and a small number of other taxpayers cannot use the Self Assessment service.

This is completely untrue. A small minority of taxpayers, including MPs, cannot currently use online services because the additional internal safeguards on their records mean that their taxpayer reference numbers are not recognised on the authentication system.

This therefore has nothing to do with the security of our online services. HMRC online services use the highest levels of encryption generally available and authentication processes similar to online banks.


The security of the encrypted web session segment of the online tax return workflow process was not in question ! It is what could happen to everyone's tax returns once they are within HMRC's shared infrastructure of back offices, internal postal courier and internal electronic networks, accessible by large numbers of low paid staff, that is the problem.

Focusing on just the encrypted web front end, and not examining the whole end to end workflow, is deliberate media manipulation by the HMRC spin doctors, which, unfortunately, may well bamboozle some of the mainstream media journalists and editors.

By adding an extra digit to the tax code of people in these Celebrity / Westminster Politician special categories, and, perhaps also to categories of people who are actually at more risk of physical danger if their home addresses are revealed, HMRC are making things less secure not more so.

If the various Poynter / Hannigan / Thomas and Walport / Burton and other Reviews bother to look into the depths of the voluminous Central Government Departmental Standard Operating Procedures and Security Procedures, they will see that it is standard practice to make sure that sensitive data does not stand out when it is being transported along common office or electronic network infrastructure, along with allegedly less sensitive data or documents.

This even extends to instructing, say, British Telecom, not to specially label data cables in their exchanges, as carrying Central Government Departmental data.

This is a common sense approach to reducing the risk of casual snooping or opportunistic thievery by internal staff who have potential access, if they make an effort, to specially marked or easily identifiable "juicy" VIP or Celebrity documents or data records, or highly Protectively Marked Material.

These HMRC special categories should be abolished, on the grounds of equality and actual security.

January 26, 2008

HMRC tax record security only for a minority of the privileged, but not for the rest of us

The Daily Telegraph reports on another disturbing Soviet style bureaucratic practice of Her Majesty's Revenue and Customs: they seem to have two classes of tax record - one for the ruling elite of "celebrities, Members of the Royal Family and Members of Parliament", and then another, less secure category for all the rest of us.

This does not appear to be on any physical risk based criterion e.g. protected witnesses, members of the Special Forces or Intelligence Agencies, undercover policemen, or victims of stalkers etc, but simply on vague notions of celebrity or political office.

N.B. it should be made clear to terrorists, that Members of Parliament, even members of the Government, who are supposedly serving the Public, not just themselves, are not a worthwhile target, since we, as a society will simply replace them democratically, whilst mourning any individual casualties.

This is not the first time that such creepy and sycophantic behaviour has been detected with centralised national bureaucratic databases - it seems that there are similar plans afoot to exempt "celebrities" and possibly others, from having to register their details on the Children Database / ContactPoint, as well.

Why have Labour politicians instituted and approved such institutional discrimination ?

Online tax system 'too risky' for the famous
By Robert Winnett, Deputy Political Editor
Last Updated: 2:04am GMT 26/01/2008

The security of the online computer system used by more than three million people to file tax returns is in doubt after HM Revenue and Customs admitted it was not secure enough to be used by MPs, celebrities and the Royal Family.

Thousands of "high profile" people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk.

This provoked anger from consumer groups and accountants who said the same levels of security should be offered to all taxpayers regardless of their perceived fame.

The word "anger" does not come close to the level of fury and hatred which this policy will provoke amongst the majority of the public who are being treated as inferiors by the HMRC bureaucrats and Labour party politicians.


December 17, 2007

Poynter and Hannigan review reports fail to reassure anyone about UK Government data security and privacy issues - final reports delayed until after the May 2008 Local Elections ?

The Labour government has published the two Interim Reports announced by Gordon Brown and Alistair Darling following their admission of incompetence and betrayal of public trust on November 20th regarding the scandal of the lost CDs containing the entire Child Benefit Award database for the whole country by Her Majesty's Revenue and Customs.

Neither of these reports sheds any new light on what disasters have happened or on what detailed steps are going to be taken to prevent them happening again.

We suspect that the final versions of these reports, and all the other investigations and inquiries, will magically and conveniently for the Labour government, not actually be published until after the May 2008 Local Elections for the Mayor of London, Greater London Assembly, English local government authorities and mayors, and the local unitary local government in Wales, when these electorates will have the rare chance to express their disgust with the Labour regime politically.


December 12, 2007

Data privacy and security breaches still continuing despite the HMRC scandal publicity

Another week, and there is still no sign of the missing unencrypted CDs containing personal details of 25 million people, which were lost by Her Majesty's Revenue and Customs (HMRC).

It is clear that even the massive publicity over the HMRC affair has still not had any effect on the culture of incompetence, which has infected public sector organisations, who are continuing to betray their duty of trust and confidentiality when dealing with people's data, the protection of which they merely pay lip service to e.g. The Scotsman summarises:

First, it emerged two computer discs with details of more than 7,000 Northern Ireland motorists had got lost in the post after being sent to the DVLA in Swansea.

Then it was disclosed that confidential personal details of dozens of prisoners, including their criminal records, had been delivered to a private company instead of going to Norfolk Police.

And trade unions on Merseyside revealed that personal details of 1,800 health-authority staff, including their salaries and pension details, had been accidentally sent out to a number of private firms.

This is in spite of the Cabinet Office Review, of all Government Departments and Agencies, chaired by Robert Hannigan, the newly appointed Head of Intelligence, Security and Resilience, which was supposed to have reported on Monday 10th December 2007.

Will politicians and the media be pressing for this to be published, or will the Government spin doctors try to suppress it until the New Year ?

See - How many Reviews will it take to sort out the HMRC and other UK Government data privacy and security scandals ?

The other Review, restricted to just Her Majesty's Revenue and Customs, by Kieran Poynter, the senior partner at accountants PricewaterhouseCoopers (note the stupid "brand name" capitalisation) is due to report this Friday.

There do seem to have been some "locking the stable door" diktats at HMRC:


December 5, 2007

HMRC offers 20,000 pound reward for the missing CDs - Spy Blog offers to act as a secure anonymous proxy go between

The BBC reports that Her Majesty's Revenue and Customs have now, belatedly, offered a reward of £20,000 for the return of the missing unencrypted CDs containing the personal details of 7.25 million families / 25 million people.

Spy Blog was just at the point of offering a small reward for these CDs ourselves.

For the greater public good, Spy Blog now offers a free, "no questions asked" secure, anonymous channel of contact for anyone who might actually be in possession of the CDs, but who does not, for obvious reasons, want to contact the authorities or even the mainstream media, directly.

Please contact us via email: blog@spy[dot]org[dot]uk
with or without the use of our PGP public encryption key or via the comment section of this blog if you know or suspect that you have the missing CDs in your possession.

There are a few obvious and not so obvious details about the CDs which we will ask for, simply to weed out hoaxes.

If you are in possession of the CDs, or even if you are willing to reveal more of the background story to this scandal, then you might also wish to read our hints and tips for whistleblowers article, which will be relevant if you wish to remain anonymous.

We do not want a share of the reward, we only want to reduce the data security and privacy risk to the public (including our own families and friends), although we suspect that the chances of this happening are very slim.

£20,000 reward offered for discs

Last Updated: Wednesday, 5 December 2007, 15:13 GMT

A reward of £20,000 is being offered for the return of the HM Revenue and Customs CDs containing the personal details of 25 million people.

It comes as the main searches end for the discs lost after being sent from the HMRC office in Newcastle to the National Audit Office in London.

Police say they are now extending the searches to "rule out" other locations.

And they are appealing to HMRC, NAO and Treasury staff to check "in case the package or discs have turned up".


The data on those discs could be worth millions of pounds to criminals, and far more than that to terrorists or foreign intelligence agencies.

£20,000 is a reasonable carrot to offer the civil servants and courier staff, to re-double their efforts to check that the CDs have not just been misplaced.

There does not, however, seem to be any offer of immunity from prosecution.

Even if this reward offer succeeds in getting the CDs found and returned, there can never be any proof that the data has not been simply copied from these discs.

Will HMRC now change all the affected National Insurance Numbers and Child Benefit Numbers ?

HMRC data scandal - 350 people in witness protection scheme at risk

The Daily Telegraph has a report which confirms our initial fears about the scandal involving unencrypted data transfers of the whole Child Benefit Award database by Her Majesty's Revenue and Customs and by the National Audit Office. This involves far, far more than just the risk of financial fraud:

[hat tip to UK Liberty]

Lost data discs 'endanger protected witnesses'

by Andrew Porter, Political Editor
The Daily Telegraph
Last Updated: 10:36am GMT 05/12/2007

Hundreds of people in police witness protection programmes have been put at risk by the loss of millions of child benefit records, The Daily Telegraph can reveal.

The missing data discs are understood to contain both the real names and the new identities of up to 350 people who have had their identities changed after giving evidence against major criminals.

The development is one of the most serious so far in the missing data discs scandal, in which the child benefit records of 25 million people - including their names, addresses, birth dates, national insurance numbers and bank account details - were lost by HM Revenue and Customs.

The new identities of protected witnesses would be valuable property on the criminal market and, if they fell into the wrong hands, could place their lives and those of their families in jeopardy.

It will cost taxpayers hundreds of thousands of pounds to provide the witnesses with yet another identity.


A senior police source said: "This is disastrous. People's lives could be in danger. It makes a mockery of the witness protection programme."


Why is there still no offer of a substantial financial reward and a promise of immunity from prosecution, in return for these missing CDs, forthcoming from the Government ?

What about all the other categories of people whose real names and home addresses could also have been revealed e.g. Police Officers, Prison Warders, Judges, Intelligence Agency employees, and frontline Military Personnel currently facing the risk of capture and torture by our enemies in Iraq, Afghanistan or Iran etc.?

November 29, 2007

HMRC data security scandal debate - still no mandatory use of encryption

The latest Labour party financial funding scandal seems to be obsessing the "Westminster Village" and has overshadowed yesterday's Opposition debate on the ongoing scandal at Her Majesty's Revenue and Customs (HMRC).

Chancellor of the Exchequer Alistair Darling admitted that the missing CD discs have still not been found or accounted for. He seems to be obsessed with the review of the data security and privacy procedures at HMRC which Kieran Poynter is leading (see the Terms of Reference for this HMRC only review, and the other one across all Government departments, being conducted by Robert Hannigan, Head of Intelligence, Security and Resilience at the Cabinet Office).

Alistair Darling's response in the Opposition debate in the Commons on the HMRC scandal yesterday contained a dozen references to this Kieran Poynter-led review.

The junior Financial Secretary to the Treasury, Jane Kennedy, who appeared so clueless on Newsnight opposite Professor Ross Anderson, did give some more details about the current changes to procedure at HMRC prior to the results of the review.

28 Nov 2007 : Column 344


The motion asks what policy changes will be introduced to protect the public in future. First, HMRC has immediately communicated to all staff three key steps that must be followed. Transfers must take place only if they are absolutely necessary, written authorisation for the transfer must be given by a senior HMRC manager and a clear instruction must be given regarding the appropriate standard of protection for the transfer. Where directors decide that a data transfer by disc is absolutely unavoidable, such media must in every case be securely encrypted at the appropriate level. Those changes are already in place.


A number of hon. Members raised proper questions on the steps that we are taking on encryption. It may be of interest to the House to hear what has been done. HMRC has established a central team to handle encryption on behalf of the organisation, to ensure that the proper deployment of encryption is used at the appropriate level. All bulk transfers of sensitive data using CDs are being encrypted and password protected where necessary. Those procedures were implemented on 21 November. [Hon. Members: “Ah!”] Hon.

28 Nov 2007 : Column 345

This policy change still says nothing about mandatory encryption of all sensitive data on say, laptop computers or USB memory devices or via email, or extending such encryption policy to third parties like the KPMG sub-contract auditors to the National Audit Office.


November 26, 2007

Biometrics - Labour Government are still clueless about the technology

Several eminent academics who do actually know about information security, cryptography, software engineering etc. have written a letter, published by one of the signatories, Dr. Ian Brown, on his Blogzilla blog.

Biometrics are not a panacea for data loss:

Mr Andrew Dismore MP
Chair, Joint Committee on Human Rights
Committee Office
House of Commons
7 Millbank
London SW1P 3JA

cc: Committee members; David Smith, Deputy Information Commissioner

26 November 2007

Dear Mr Dismore,

The government, in response to the recent HMRC Child Benefit data breach, has asserted that personal information on the proposed National Identity Register (NIR) will be 'biometrically secured':

    "The key thing about identity cards is, of course, that information is protected by personal biometric information. The problem at present is that, because we do not have that protection, information is much more vulnerable than it should be." - The Chancellor, Hansard Column 1106, 20/11/07

    "What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected." - The Prime Minister, Hansard Column 1181, 21/11/07

These assertions are based on a fairy-tale view of the capabilities of the technology, and in addition, only deal with one aspect of the problems that this type of data breach causes.

Ministers assert that people's information will be 'protected' because it will be much harder for someone to pass themselves off as another individual if a biometric check is made. This presupposes that:

(a) the entire population can be successfully biometrically enrolled onto the National Identity Register, and successfully matched on every occasion thereafter - which is highly unlikely, given the performance of biometrics across mass populations generally and especially their poor performance in the only, relatively small-scale, trial to date (UKPS enrolment trial, 2004). Groups found to have particular problems with biometric checks include the elderly, the disabled and some ethnic groups such as Asian women;

(b) biometrics are 'unforgeable' - which is demonstrably untrue. Biometric systems have been compromised by 'spoofing' and other means on numerous occasions and, as the technology develops, techniques for subverting the systems evolve too;

(c) every ID check will be authenticated by a live biometric check against the biometric stored on the NIR or at the very least against the biometric stored on the chip on the ID card which is itself verified against the NIR. [N.B. This would represent a huge leap in the cost of the scheme which at present proposes only to check biometrics for 'high value' transactions. The network of secure biometric readers alone (each far more complex and expensive than, e.g. a Chip & PIN card reader) would add billions to the cost of rollout and maintenance.]

Even if, in this fairy-tale land, it came to pass that (a) (b) and (c) were true after all (which we consider most unlikely), the proposed roll-out of the National Identity Scheme would mean that this level of 'protection' would not - on the Home Office's own highly optimistic projections - be extended to the entire population before the end of the next decade (i.e. 2020) at the earliest.

Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.

The inclusion of biometric data in one's NIR record would make such a record even more valuable to fraudsters and thieves as it would - if leaked or stolen - provide the 'key' to all uses of that individual's biometrics (e.g. accessing personal or business information on a laptop, biometric access to bank accounts, etc.) for the rest of his or her life. Once lost, it would be impossible to issue a person with new fingerprints. One cannot change one's fingers as one can a bank account.

However, this concentration on citizens 'verifying' their identity when making transactions is only one issue amongst many when considering the leakage of personal data. Large-scale losses of personal data can have consequences well beyond an increase in identity fraud. For example, they could be potentially fatal to individuals such as the directors of Huntingdon Life Sciences, victims of domestic violence or former Northern Ireland ministers.

It is therefore our strongest recommendation that further development of a National Identity Register or National Identity Scheme (including biometric visas and ePassports) should be suspended until such time that research and development work has established beyond reasonable doubt that these are capable of operating securely, effectively and economically on the scale envisaged.

Government systems have so far paid little attention to privacy. Last week's events have very significant implications indeed for future government information systems development.

We would be pleased to clarify any of these points or provide further information if useful to the Committee.

Yours sincerely,

Professor Ross Anderson
Dr Richard Clayton
University of Cambridge Computer Laboratory

Dr Ian Brown
Oxford Internet Institute, University of Oxford

Dr Brian Gladman
Ministry of Defence and NATO (retired)

Professor Angela Sasse
University College London Department of Computer Science

Martyn Thomas CBE FREng

Compare and contrast this with the Labour Government / Home Office clueless "fairy tale" view given so embarrassingly evasively by Home Secretary Jacqui Smith in reply to her Conservative Opposition counterpart David Davis, during the Topical Questions section of Oral Home Office Questions on Monday (26 Nov 2007 : Column 18)


How many Reviews will it take to sort out the HMRC and other UK Government data privacy and security scandals ?

The data security and privacy disaster involving the lost CDs containing the entire Child Benefit Award database by Her Majesty's Revenue and Customs and the National Audit Office, seems to have spawned several Reviews and Inquiries, at least two of which are due to report in mid December 2007.

These Reviews will be causing senior civil servants to dust off their copies of their Departmental Standard Operating Procedures manuals, and Departmental Security Policy documents. If they are feeling truly masochistic, they will actually read the boring and tedious concordance documents which aim to cross reference, often line by line, the current Departmental Security Policy with the Manual of Protective Security and BS7799 / ISO17799 / ISO27001 etc. standards, with which they are meant to have complied several years ago.

Such voluminous documents probably already list all the relevant eventualities, but are of little practical use, where a culture of data security sloppiness, incompetence and management penny pinching has been allowed to develop.

The process of these reviews will probably stifle all decision making on any new IT systems, whilst the "Sir Humphreys" are engaged in Cover Your Backside and inter-departmental Empire Building campaigns, well into the New Year.

It is hard to see how any honest, uncensored Review, either by Kieran Poynter of PricewaterhouseCoopers, by Robert Hannigan Head of Intelligence, Security and Resilience in the Cabinet Office, by the Information Commissioner Richard Thomas, by Dr. Mark Walport of the Wellcome Trust, by the Independent Police Complaints Commission, by the Metropolitan Police Service, or by the Treasury Select Committee of the House of Commons etc. etc. can fail to blame the senior civil servants and politicians who were in charge of the Treasury and monster Her Majesty's Revenue and Customs department, at the time when the first of the data security and privacy breaches occurred i.e. back in March 2007.

The "Sir Humphrey" at the Treasury back then was Sir Gus O'Donnell, the current Cabinet Secretary, and the micromanaging control freak politician in charge as Chancellor of the Exchequer was Gordon Brown, the present Prime Minister.

We will therefore be extremely surprised if any actual direct criticism or blame emerges from these soon to be censored, "must be seen to be doing something" Reviews.

The Terms of Reference for the Kieran Poynter and Robert Hannigan reviews:


November 23, 2007

Did the NAO hand over the 25 million HMRC Child Benefit records to KPMG, unencrypted ?

Further to our previous posting, National Audit Office reveals some emails about the HMRC data security and privacy scandal - but the NAO is not totally blameless, about our worries about the National Audit Office's lack of "best practice" secure data handling:

It is, presumably, deliberately, not clear from the censored NAO letter of 9th November, exactly which copies or extracts of the 25 million records are being described as having been analysed by the private firm of financial auditors KPMG:

I also confirm that I have asked KPMG to provide me with assurances that they have deleted or erased the data that they analysed as part of our 2006-2007 Resource Accounts audit; and that we have similar procedures in place to ensure that we delete the 2007-2008 data that we have received. I will let you have a copy of this confirmation once I have received it.

The words "deleted or erased the data" do not sound like they apply to the Read-Only CDs, which cannot be simply "erased" - they need to be physically destroyed, which cannot have been done, since the CDs were returned to HMRC on April 16.

Charitably, the words may apply to further digital copies of the data selected and imported into other computer systems which was analysed i.e. only a small subset of the 25 million records.

What about the vast majority of the data which was not analysed, what happened to that ?

Worryingly, the report in The Guardian on this part of the story claims that:

In a further letter, sent by an unidentified senior official in the NAO to Revenue & Customs, it emerged that the audit office had passed on all 25m names to the auditors KPMG. The NAO said last night this had been delivered by hand and it had asked for the information to be deleted.

Does this mean that there were actually 3 sets of physical transfers of the 25 million records, as unencrypted CDs, by the National Audit Office back in March / April e.g.

1) Delivery of the HMRC March CDs by NAO, "by hand", to KPMG
2) Return (method undivulged) from KPMG back to NAO
3) Return (method undivulged) of the CDs back to HMRC on April 16th

Surely the NAO did not need to hand over the entire 25 million record Child Benefit Award database files on CDROM to KPMG back in March ? Why could they not just select the 1500 records that they intended to audit ?

Did NAO or KPMG staff make further copies of the CDs, or load them onto the hard disk of a portable laptop computer or onto high capacity USB flash memory media etc. to transfer to KPMG ?

Were any of these copies strongly encrypted ?

Even if there was only one single Child Benefit Award database record being transferred between HMRC and NAO and KPMG, rather than 25 million of them, then we expect that personal sensitive data to have been protected by strong encryption.

November 22, 2007

National Audit Office reveals some emails about the HMRC data security and privacy scandal - but the NAO is not totally blameless

The National Audit Office (NAO) is strenuously trying to distance itself from the Her Majesty's Revenue and Customs (HMRC) Child Benefit Awards database data privacy and security breach disaster, involving the loss of copies of 25 million people's sensitive personal data records.

NAO have published some censored emails and other correspondence, which mostly, and correctly, shifts the blame onto HMRC middle and senior management:

See child_benefit_data.pdf
N.B. this is the usual sort of .pdf file image scan, with various bits censored i.e. deliberately not possible to cut and paste, or to be indexed word for word by web search engines. This is a tactic used by organisations with something to hide from the public.

[hat tip to Ray Corrigan B2fxxx]

However, the National Audit Office are not entirely blameless, and despite their claims that:

The NAO attaches the highest priority to data security


...we will continue to ensure that our processes are in line with best practice. We shall review our arrangements accordingly though we have found no defects in them.

We beg to differ:

The NAO appear to have admitted to returning to HMRC the CDROM discs obtained in March, containing a copy of the unencrypted, full Child Benefit Awards database, including the sensitive personal data which they had, commendably, asked not to be included in the data extract.

Once they had extracted their 1500 or so records for audit, why did the NAO not securely destroy these CDROMS, instead of risking them again in transit, unencrypted, by sending them back somehow to HMRC, who had no possible use for them anyway ?

Why did they not raise a Security incident when they received so much unencrypted personal data the first time in March ?

That does not seem like "best practice" or "no defects" to us.

November 21, 2007

HMRC 25 million personal records scandal - no encryption

The BBC1 TV Newsnight programme revealed last night that, after some evasive answers, Her Majesty's Revenue and Customs (HMRC) admitted that the two CDROM discs containing the entire Child Benefit database personal details of 25 million people, which were lost in the internal mail, were only "password protected" and were, as we suspected yesterday, not encrypted.

Alistair Darling's feeble efforts at reassurance in the House of Commons are now online in Hansard 20 Nov 2007 : Column 1101:

[...] In March, it appears that a junior official in HMRC provided the National Audit Office with a full copy of HMRC’s data in relation to the payment of child benefit. In doing so, the strict rules governing HMRC standing procedures were clearly not followed. Those procedures relate to the security of and access to data as well as their transit to ensure that they are properly protected. That information should not have been handed over by HMRC in the way that it was. However, I understand that in this case the NAO subsequently returned all the information that it received in March to HMRC after auditing it.

It now appears that, following a further request from the NAO in October for information from the child benefit database, again at a junior level and again contrary to all HMRC standing procedures, two password-protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit were sent to the NAO, by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered.

It appears that the data have failed to reach the addressee in the NAO. I also have to tell the House that, on finding that the package had not arrived at the NAO, a further copy of those data was sent, this time by registered post, which did arrive at the NAO. However, again HMRC should never have let that happen.


The missing information contains details of all child benefit recipients: records for 25 million individuals and 7.25 million families. Those records include the recipient and their children’s names, addresses and dates of birth, child benefit numbers, national insurance numbers and, where relevant, bank or building society account details. I regard this as an extremely serious failure by HMRC in its responsibilities to the public.


So, the entire HMRC Child Benefit personal data for 25 million people was sent, unencrypted, at least three times in a year to the National Audit Office.

November 20, 2007

25 million people's records at risk from HMRC scandal

The statement in the Commons by Alistair Darling reveals that the massive data privacy and security breach by Her Majesty's Revenue and Customs, is even worse than the initial TV reports.

The breach seems to have been instigated by the supposed auditing process by the National Audit Office (NAO)!

The potential data privacy and security breach involves:
25 million individuals (out of about 60 million people in the UK) including

  • 7.25 million families
  • names of all Child Benefit recipients i.e. the parents
  • names of their Children
  • dates of birth
  • addresses
  • Child Benefit Numbers
  • National Insurance Numbers (NINOs)
  • Bank or Building Society account details

Why was one junior civil servant allowed to have access to download the full database, when the National Audit Office didn't even request all of that data, only a small sample for audit purposes e.g. a dozen records ?
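The data minimisation that this question, and the one elsewhere on this page about selecting only the 1500 audit records, point to can be sketched as follows. This is an added example, not HMRC or NAO code: the column names, the two-field allowlist and the sample records are all assumptions constructed for illustration, and encrypting the resulting file for transit is a separate step not shown here.

```python
import csv
import hashlib
import io
import random

# Assumed allowlist (hypothetical column names modelled on the field list above):
# just enough for an auditor to identify each sampled case.
AUDIT_FIELDS = ["child_benefit_number", "nino"]


def minimised_sample(rows, k, fields, rng=None):
    """Reservoir-sample k rows from a stream, keeping only allowlisted fields.

    The input is read once and never held in memory or written out in full;
    only k stripped rows ever leave this function.
    """
    if rng is None:
        rng = random.SystemRandom()          # unpredictable choice of audit cases
    reservoir = []
    for i, row in enumerate(rows):
        slim = {f: row[f] for f in fields}   # every other column is dropped here
        if i < k:
            reservoir.append(slim)
        else:
            j = rng.randint(0, i)            # Algorithm R: keep with prob k/(i+1)
            if j < k:
                reservoir[j] = slim
    return reservoir


def write_extract(sample, fields):
    """Serialise the sample as CSV bytes and return (bytes, SHA-256 hex digest)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(sample)
    data = buf.getvalue().encode("utf-8")
    return data, hashlib.sha256(data).hexdigest()


def constructed_rows(n):
    """Yield n obviously fake records (constructed test data, no real values)."""
    for i in range(n):
        yield {"child_benefit_number": f"CHB{i:08d}", "nino": f"XX{i:06d}X",
               "parent_name": f"Parent {i}", "child_name": f"Child {i}",
               "date_of_birth": "2000-01-01", "address": f"{i} Constructed Street",
               "bank_account": f"00-00-00 {i:08d}"}


if __name__ == "__main__":
    sample = minimised_sample(constructed_rows(20000), 1500, AUDIT_FIELDS)
    data, digest = write_extract(sample, AUDIT_FIELDS)
    print(len(sample), "rows,", len(data), "bytes, sha256", digest)
```

The digest can be sent to the recipient by a separate channel so that they can confirm the extract they receive is the one that was produced.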

The two CDROMs were sent initially in the internal mail, which is subcontracted to TNT couriers.

The two discs are supposedly "password protected" but that rather implies that they are not actually encrypted to normal commercial or Government approved cryptographic standards.

When the initial two discs failed to arrive at the National Audit Office, the "junior official" then sent another two copies via registered post, which did arrive ok.

It is irrelevant that this was all against the complicated HMRC Standard Operating Procedures, which had been supposedly strengthened after the previous incident which "only" affected 15,000 records being sent to an insurance company at the end of September.

Why was it possible for any one single junior civil servant to obtain a complete copy of the entire database ?

Alistair Darling only mentioned the financial risks of this massive potential data breach, but he ignored the confidential name and address information which could be life threatening to, say, battered wives and their children, victims of stalkers, people in witness protection schemes, families of Judges, police officers, prison officers, armed forces, intelligence agencies etc.

The Chancellor unconvincingly tried to claim that somehow Identity Cards would have prevented the risks of this data breach, because of the magic of "biometrics" - which is, of course, utter rubbish !

Surely this must affect public opinion and trust in the "database state" centralised databases such as the National Identity Register / ID cards, the National Health Service centralised patient records ("Data Spine") etc.?

The non-partisan NO2ID Campaign has been trying to raise public and political awareness of the risks of such "all your eggs in one basket" systems, which are so vulnerable to incompetent or corrupt authorised insiders.

Massive potential data privacy and security breach at Her Majesty's Revenue and Customs

We are awaiting with interest, the Emergency Statement to the House of Commons this afternoon by the Chancellor Alistair Darling.

Paul Gray, the chief civil servant at Her Majesty's Revenue and Customs (HMRC) has resigned.
TV news reports are talking of the "loss" of the personal and bank account details of up to 7.5 million (Sky News) or perhaps 15 million (BBC) people claiming Child Benefit.

If it is Child Benefit details, then for "battered wives" who have fled their violent partners, or for victims of stalkers, or people in witness protection schemes, it is not just the worry of potential financial fraud, but also their actual physical safety which could now have been endangered.

There have been comparatively minor breaches, reported recently in October where "only" 15,000 people's data, customers of one insurance company, had their details lost in the post.

There has been spin and evasion about whether or not the CDROM was encrypted in that case.

If this case, as reported, also involves CDROMs lost in the HMRC "internal" post, unless there is a clear and unambiguous claim that it was all strongly encrypted, then it is best to assume that it was not.

Remember, even if the missing CDROMS are eventually found somewhere, there can now be no guarantee that they have not been copied in transit.

Will anyone be prosecuted under the (weak) Data Protection Act ?

Will the Government actually pay to rectify some of the damage i.e. to cover the disruption costs of, say, changing millions of bank account details ?

Remember that these are the same systems, run by the same demoralised and overworked low level civil servants, facing job cuts, who are supposed to magically somehow guarantee the integrity and security of the centralised National Identity Register scheme.

Will Alistair Darling or any of his Treasury Ministers also do the honourable thing and resign ?

Any political blame for HMRC incompetence is really down to his predecessor i.e. the current Prime Minister Gordon Brown.