HM Revenue & Customs (HMRC) has lost two CDs containing the details of 25 million people in the
The data that could potentially be compromised are the names, addresses, and the birthdates of every child in the
I think most experts whose intent is not to sell their services—or recommend a cash infusion into devices that will lose half their value the moment that they’re delivered to your door—will readily agree that the transfer medium is not the issue. The real issue is, “why weren’t the appropriate steps taken to protect the data?”
Protecting the data, ensuring that outsiders cannot see the sensitive information—that’s where the focus should be concentrated. And if one does so, one realizes that the culture at the HMRC is ill-prepared for protecting data, and would ultimately have led to data breaches, which it did.
To begin with, there was no attempt to ensure that the information sent via courier from one department to another would be protected from prying eyes: inter-office mail envelopes used by the HMRC cannot be secured which, actually, makes sense. I’ve seen such reusable envelopes in many corporations, and the last thing you want on “reusable” envelopes is something that will allow you to glue down the flaps. You can’t use it after that one instance. The answer, of course, is not to use reusable envelopes when sending sensitive information. But sealable envelopes can only show you that there was tampering; they cannot protect the contents inside. For digital data protection, encryption, such as that offered by AlertBoot, is necessary.
Also, if you listen to the HMRC, it was junior officials who made mistakes and ignored security procedures. I’m not sure in what context these officials are “junior,” but it certainly sounds like they shouldn’t have had access to such information in the first place. Perhaps it was the presence of a password that supposedly secured the data (note to readers: having a password is not the same as encrypting data) that allowed the more senior officials to relax and pass the duties to the junior ones. And I guess there’s a reason why the junior ones are in the junior position. However, the above proves that a lax attitude towards security exists in the department. What’s galling is that the HMRC has already had two other significant data breaches this year, so it’s readily apparent that nobody in that department seems to be learning from their mistakes. I think the two prior cases were blamed on junior staff as well.
In such an environment, it doesn’t matter how data is being handled. Be it a CD or the latest secure gizmo, if people are going to be lax about security, data breaches will happen. What good is the most impenetrable strongbox if you’re going to keep the combination to the safe taped to the door?
I commend the HMRC for using a “password” to secure the data on the two CDs (which, incidentally, are actually four CDs. A pair got lost earlier, and a second set of data CDs was sent via the same method, which got lost as well. The latter is what everyone in the UK has bunched their knickers about), not because this implies that the lost data is secure from prying eyes, but because it indicates that not everyone in that department is incompetent—just misguided.