Auditors have today released their reports on the HMRC data fiasco from last year. At the time, a junior employee was blamed for the loss of sensitive data affecting 25 million
According to the report, the National Audit Office (NAO) had asked for the information multiple times, and the HMRC responded—badly, every single time. By badly, I mean that their data security practices were inexistent. For example, when the NAO asked for data, it also requested that personal data—including names, addresses, and bank account details—be stripped. HMRC ignored the request in order to save money.
What could the HMRC have been thinking? I’ve been associated with government bureaucracies in some way or another my entire life, so I’m assuming, based on my experience, that it went something like this: Well…that’s going to cost my department money, and we’re on a tight budget. So, we’ll ignore the request, send the data, and they can deal with deleting the data, using money from their budget.
Then there are the unencrypted disks. Supposedly, government regulations required data to be encrypted. They were not. What’s not mentioned anywhere (and I won’t read the actual audit reports…they’re like 100 pages each) is whether staff members had access to encryption software. Using data encryption may be a no?brainer, but if the tools are not there…. Plus, nobody took any interest in tracking the sensitive information, ensuring it arrived at the correct destination.
In that kind of work environment, ensuring data security is very hard. Granted, if we were talking about securing the data on laptops, solutions like full disk encryption could have afforded some peace of mind. Encrypt your laptops once, and they’re encrypted for life. If someone decides to send that via internal mail and it gets lost—well, the data on that laptop is still secure.
However, encryption does not guarantee data safety when people are unaware of good security practices. For example, how many people do you know who have a post-it stuck to a monitor, a post-it with the username and password for accessing…pretty much anything?
As the auditors correctly pointed out, the blame cannot fall on one person if everyone has had a hand in creating such an environment.
Related Artiles and Sites: