UK Up In Arms Over Loss Of Two CDs. 25 Million Britons Affected By Lack of Data Encryption.

HM Revenue & Customs (HMRC) has lost two CDs containing the details of 25 million people in the United Kingdom.  With the official population of the UK at 60.5 million, this represents slightly less than half of all the people in that country.  The matter was grave enough, combined with other data breaches at the same department, for the chairman, Paul Gray, to resign.


The data that could potentially be compromised are the names, addresses, and the birthdates of every child in the UK, plus the bank account details and England’s equivalent of Social Security numbers of 10 million parents and other caretakers.  The two CDs were lost en route to the National Audit Office.  Because of the nature of the media lost—compact discs—there has been plenty of fist-pounding on why the government is using such “ancient museum pieces” and that these must be replaced.  I would like to comment, as I usually do, that the method of delivery is not at fault.  After seeing the breaches for, TJX, Ameritrade, and other online data security mishaps, are we really to believe that substituting plastic doughnuts with a server and wires gives us more security?  That this will ensure total and complete security?


I think most experts whose intent is not to sell their services—or recommend a cash infusion into devices that will lose half their value the moment that they’re delivered to your door—will readily agree that the transfer medium is not the issue.  The real issue is, “why weren’t the appropriate steps taken to protect the data?”


Protecting the data, ensuring that outsiders can not see the sensitive information—that’s where the focus should be concentrated.  And if one does so, one realizes that the culture at the HMRC is ill-prepared for protecting data, and would have ultimately lead to data breaches, which it did.


To begin with, there was no attempt to ensure that the information sent via courier from one department to another would be protected from prying eyes: inter-office mail envelopes used by the HMRC cannot be secured which, actually, makes sense.  I’ve seen such reusable envelopes in many corporations, and the last thing you want on “reusable” envelopes is something that will allow you to glue down the flaps.  You can’t use it after that one instance.  The answer, of course, is not to use reusable envelopes when sending sensitive information.  But sealable envelopes can only show you that there was tampering, it cannot protect the contents inside.  For digital data protection, encryption, such as those offered by AlertBoot, is necessary.


Also, if you listen to the HMRC, it was junior officials who made mistakes and ignored security procedures.  I’m not sure in what context these officials are “junior,” but it certainly sounds like they shouldn’t have had access to such information in the first place.  Perhaps it was the presence of a password that supposedly secured the data (note to readers: having a password is not the same as encrypting data) that allowed the more senior officials to relax and pass the duties to the junior ones.  And I guess there’s a reason why the junior ones are in the junior position.  However, the above proves that a lax attitude towards security exists in the department.  What’s galling is that the HMRC has already had two other significant data breaches this year, so it’s readily apparent that nobody in that department seems to be learning from their mistakes.  I think the two prior cases were blamed on junior staff as well.


In such an environment, it doesn’t matter how data is being handled.  Be it a CD or the latest secure gizmo, if people are going to be lax about security, data breaches will happen.  What good is the most impenetrable strongbox if you’re going to keep the combination to the safe taped to the door?


I commend the HMRC for using a “password” to secure the data on the two CDs (which, incidentally, is actually four CDs.  A pair got lost earlier, and a second set of data CDs were sent via the same method, which got lost as well.  The latter is what everyone in the UK has bunched their knickers about) not because this implies that the lost data is secure from prying eyes, but because it indicates that not everyone in that department is incompetent—just misguided.

Comments (0)

Let us know what you think