Perhaps his mind was elswhere that Thursday morning. England's hopes of
qualifying for the European Championships had been dentged the night before
by defeat in Moscow — still, there was the Rugby World Cup Final to look
forward to at the weekend.
Certainly, when the request came to send child benefit data to the National
Audit Office in London, the junior official’s mind does not appear to have
been on the job. He burned the entire national child benefit database on two
computer discs, popped them in an envelope and sent them to the post room
for collection by TNT couriers.
“He messed up, it was treated as a normal piece of mail,” an insider at HM
Revenue & Customs said.
The IT worker returned to his duties, unaware that posting that envelope would
trigger the country’s biggest police investigation into possible identity
theft and jeopardise the career of the Chancellor.
He had committed a potentially catastrophic security breach.
HMRC’s procedures state that such detailed data — the names, addresses,
National Insurance numbers and bank details of every child benefit claimant
in the country — should never leave the offices in Washington, Tyne & Wear.
If the auditors wanted to see that material, they were to be invited to the
North East to view it on a standalone computer in a secure room.
But the NAO staff had not asked for this level of detail. They had specified
that they wanted limited information, specifically claimants’ names, NI
numbers and child benefit numbers. They knew the procedures and the risks
associated with sending addresses or bank account details.
The NAO wanted to select a sample of claimants and then visit HMRC to study
the full records as part of the 2007-08 child benefit audit.
HMRC decided unnecessarily, as it had done seven months earlier for the
2006-07 audit, to send much more and exposed 7.25 million families to the
risk of identity fraud by organised criminals.
The Information Commissioner was already investigating two serious
data-protection breaches at HMRC — the losses of a laptop containing 15,000
individuals’ details and a CD with information about Standard Life
customers. On October 18, however, no one could foresee the problems ahead.
It was not until the following Wednesday, when the NAO called to say that
the discs had not arrived, that anything was done.
And then, the wrong thing was done again. The full database was burned on to
two more discs and posted again. This time, however, the despatch was
approved by senior staff and sent by recorded delivery.
The second package arrived at the NAO offices at Buckingham Palace Road where
officials continued to be concerned at the non-arrival of the first parcel.
They continued to pursue the issue and eventually, on November 8, managers at
Washington decided to tell Paul Gray, the recently appointed chairman of
HMRC.
If his junior officials did not realise the gravity of the situation, Mr Gray
did. He ordered an inquiry by the Revenue’s investigators who began the
search for the missing package.
Mr Gray, a former Treasury civil servant, also knew that his political bosses
had to be told. Alistair Darling was at home with his wife in Edinburgh on
Saturday, November 10, when a call came through on the secure line reserved
for sensitive communications.
Jane Kennedy, a junior Treasury Minister, was on the line with details of the
fiasco. Both ministers’ private secretaries listened in to the call.
Within minutes, Mr Darling was on the phone to the Prime Minister. It took him
30 minutes to tell Gordon Brown what, to the best of his knowledge, had
happened.
A furious Chancellor demanded an immediate overhaul of security at HMRC but it
was a case of closing the stable door. The Chancellor was told on Monday,
November 14, that HMRC thought that it was confident of tracing the missing
package, but Mr Darling’s patience was running out.
By Wednesday, he said, “it was clear to me that the HMRC searches had failed
to find them [the discs]”. He ordered Mr Gray to call in Scotland Yard.
That call was made the next day, November 15, and the Metropolitan Police
assigned the inquiry to the Specialist Crime Directorate, which handles
sensitive investigations.
Acting Assistant Commissioner Janet Williams was placed in charge of the
investigation which initially involved six officers. Within days, as senior
officers realised the urgency of the case and the scale of the inquiry, the
number of officers was doubled. Personnel were seconded from other forces
and an extensive series of searches began.
A source said: “We have no evidence of a crime, but the potential for a crime
is there. Something can be regarded as lost when actually it may have been
stolen.”
The search is something of a needle in a haystack job. TNT carries about
100,000 pieces of mail for HMRC every night of the working week. The courier
firm said that the first package had been sent with general mail and
therefore had no “track and trace” facility. A TNT spokesman said: “It has
been impossible, in this instance, to conduct an audit to identify if the
item entered the system.” Searches have been carried out at the NAO’s London
offices, where three officials have been interviewed. A source there said:
“The fact is that the package never arrived here.”
The biggest search operation is taking place at the HMRC child benefit
headquarters in Washington, where several staff have been interviewed as
witnesses. But the searches have been fruitless and huge emphasis is now
being placed on fraud prevention.
Apacs, the banking industry body that overlooks payments systems in Britain,
was informed last Friday and co-ordinated an escalation of the banks’
systems for pinpointing suspicious transactions.
Millions of transactions are monitored every day and the most advanced systems
can track payments in real time. A high-street bank executive said: “We are
doing what we normally do, but on a much larger scale. If you are attacked
by a fraudster and we suddenly see ‘you’ purchasing £500 worth of jewellery
from a shop in eastern Europe, we aim to spot it.”
Experts in identity theft have warned that sophisticated fraudsters might
never touch existing accounts, but use the data to obtain credit cards and
loans. David Hill, senior security consultant at red24, said: “It may be
that the first we see of any criminal activity is in a few months’ time when
bills start appearing for goods we haven’t ordered.”
Post haste
March A junior Revenue official sends child benefit payment records to
National Audit Office, disregarding security rules. Data later returned
October Further request for information from NAO
October 18 Junior official sends two password-protected disks with all
child benefit payment records to NAO using the courier firm TNT, again
ignoring security rules. They fail to arrive
Late October More disks sent to NAO, this time by registered post. They
arrive safely
November 8 Revenue manager is told that the original two disks failed
to arrive
November 10 Alistair Darling, the Chancellor, is told. He demands an
investigation and orders searches for disks
November 12 Revenue officials tell Chancellor that they expect the data
to be found
November 14 Chancellor told searches have failed to find disks, and
decides police should be called in. Paul Gray, the Revenue chairman, offers
to resign
November 15 The Chancellor discusses the breach with Richard Thomas,
the Information Commissioner
November 20 The Chancellor tells Parliament of the lost disks and
announces Mr Gray’s resignation
I am surprised that the IT security systems in Revenue and Customs allow any but a high ranking official to 'burn' any part of the database onto a CD. Surely, such actions don't form a great part of the work and only those who can be trusted to secure such data should have access to the possibility of downloading it to any output device other than a screen.
This is an example of astounding incompetence - a thing one can see operating right across the public sector. Ineptitude is tolerated and idleness is rife because workers and managers are almost impossible to dismiss. Many would never be able to hold a job in the real world. Just look at the debacle of the CSA for an example of how these places work, or don't. Over more than forty years I have known people who worked at the huge Benton office of the DSS. I can not count the times they have told me of how little work they are required to perform. Look no further for the cause of failure than the appalling lack of management.
Anon, Newcastle upon Tyne, UK
The junior official clearly is not the issue, data access and security is an issue that should be addressed at the highest level and enforced through system privileges not civil service rules.
Darling is endulging in a shameless scapegoating exercise and for that he should resign.
Mark, Newcastle,
I am concerned that a broader implication of this revelation on data security does not appear to have been addressed in the ongoing national discussion.
Given the large number of government employees that clearly have access to these databases, if the administration and security systems in place allow for this kind of data to be burned onto an external removable disc, then it is inevitable that such data already has been (or will be) deliberately taken and sold to identity theft fraudsters by a modestly paid, unscrupulous civil servant (it is unfortunately naive to assume everyone is honest).
This is an issue that has largely been addressed in banks and other financial institutions who have historically held our private data, and who have measures in place to prevent such extraction of confidential data.
The idea of a "momentary blunder" or accidental loss seems to miss the real risk.
Fergal, London,
if hmg were not such a tight wad the fellow could have taken it himself by cab if neccessary
peter codner, devizes, england
Andy Johnson's experience begs the question of why the Government is unable to attain standards that UK business takes for granted, and has done for years. Public sector IT projects regularly fail, costing the taxpayer millions; massive wastage occurs across government departments. Why isn't the government using technology to tackle problems like benefit fraud instead of trying to foist ID cards on us? I now know where I stand on that issue, after this latest fiasco. As for Paul Gray resigning - what incentive is that for the worker who posted the data erroneously to do his job better? He should be held to the same standards he would be in the private sector; instead, he is probably still in his job. Public servants who fail should not have job security.
Judy, London,
Perhaps staff training was an issue in this case. I suggest the following multi-choice questions as a test for new staff or possibly this could be included in the government’s new citizenship curriculum.
Q. If asked to send a disc of confidential personal information by your boss would you:
a. Just post it because your Gran’s card has always been fine that way.
b. Encrypt it and send by special delivery which can be tracked.
c. Send it to the Guardian (they will encrypt it for you).
d. Find out if there is a secure government system for dealing with this.
Q.If you chose one of the above and the item failed to arrive do you:
a. Post it again.
b. Find out if there is a secure system for dealing with this.
c. Give it to the bloke hanging around by the front door who said he knew how to deal with things like this.
Anne, London,
You could not make it up! The Government has security markings for different levels of security with definitions of each from unclassified to top secret. Data at rest (as on a laptop) and data in transit (such as in e-mails or in the post) are also covered by various protocols. Data breaches likely to lead to Government embarrassment are covered. Not only was common sense avoided, but every procedure in the book was broken. If the poor guy hiding in a safe house away from the media did not know how to handle the discs, his superiors should have told him. But as stated elsewhere, the security was floored when he was able to take the data off the computer in the clear (not encrypted).
For all the palaver about the incompetence of various officials and the time it took to tell us that the problem existed, the most amazing thing is that we were told at all! But why should we pay one senior official his £190,000 per year after he has resigned so that he can retire on a full pension?
Shaun, London,
Just to let you know, Mr/Ms Bennedik, 0845 numbers are not premium rate. They are charged at local rate. I agree that for some people that is more expensive if they have a bundled package that gives them free calls to geographic numbers. 0845 is classed as a non-geographic number as you can't tell from the number where the ultimate location of the end of the line is.
JMD, St. Albans,
Since my ID is likely to be one of those given away, it is a good idea for me to sign up for CIFAS protective registration (as mentioned in Times Online). However, I have always been very careful with my ID so it riles me that I will have to pay the admin cost of this, shouldn't the govt offer to cover the cost?
J Foley, Beckenham, UK
And to add insult to injury the Child Bennefit Office is using a premium rate telephone number for its 'helpline'. So they will be making money from worried people like me trying to get information about a situation that is their mistake.
S Bennedik, Twickenham,
This is just another example of the amateurish approach of government departments to Information Technology. There is no way that sensitive data such as this should ever be sent by physical means, whether encrypted (as was sadly not the case here) or otherwise. There should be a secure Government network over which encrypted data can be sent - if indeed it needs to be sent at all. Heads rolling is sadly unlikely to be a solution. What is needed is a fundamental rethink of how Government departments handle the security of their data. Where my wife works (a Government agency) you are required to have a password a minimum of 12 characters long, with upper and lower case letters, numbers, and non-alphanumeric characters, and it is expired on a regular bases (whereupon no previously used password may be reused). Since nobody can remember the passwords, they write them down on a piece of paper and put it in the drawer!
Brian, Stockport,
100,000 itemns by TNT every day?
This undermines Royal Mail which the government spouts platitudes about supporting, despite the threatened closures of Post Offices.
The best way to support R.M. is for all government departments to use Royal Mail exclusively.
If that proves more expensive per item, what will it save in direct subsidies? This situation is entirely because of the craven way our government caves in to EU "competition" directives, enabling TNT etc. to undercut R.M. on collection, but washing their hands of delivery, for which they do not pay a proper fee to R.M. Where are the red lines here?
David, St. Albans,
Despite the error of the junior clerk/official. is this not a management failure for not only allowing access to such sensitive and detailed personalised data but also requiring him to be copying the data and forwarding it by means of a not so reliable method! Don't blame the cleark, no matter how incompetent or unfocussed he may be. Whilst the buck may stop with the Home Secretary surely the senior managers must carry the responsibility for being so lax with their procedures for access and duplication!!
M Naguib, Birmingham,
This is a timely demonstration of the dangers of electronic data storage. As long as there are people interfacing with a system, that system cannot be secure. With the concept of our data being made available to all authorities within the EU it becomes infinitely more likely that this kind of incident will recur.
But of course, we know that if you have nothing to hide you have nothing to fear.
Mike Poulsen, Reading, Berkshire
Umm - sorry to state the obvious but why is the loathesome incompetency of one worker the direct fault of Alaistair Darling? He didn't put it in the post - someone else did.
Beth, London,
This is not an isolated failure of a single person having a bad day. Instead it is a systematic failure of a system that could allow an entire database to be copied to two CDs.
I am a program manager working for a supplier in a UK bank. My role is to push customer data projects forwards. In contrast the bank has numerous processes that often slow things down, the most stringent of which are always connected with the security of data.
A request to copy the entire customer database would need to go to senior VP level. If my team wanted to bypass this process we would be unable to do so because we don't have the IT rights to access all the data, the bank's servers would stop the copying of the data to a PC, almost all PCs have their CD drives disabled & remote access excludes file transfer.
Data security in HMRC therefore appears to be defined by un-policed rules which are not reinforced by system design. I suspect the public sector will soon have very powerful IT Risk Offices.
Andy Johnson, Bristol, UK
Mr Brown - learn three letters - PGP
Joe Bloggs, London,
So the government loses almost half the populations bank details and they expect us to hand over even more information for an insane ID card scheme.....forget it everyone hould apply for a new passport NOW so they don't hve to get an ID card for 10 years by which time it might be dead. The government cannot be trusted with anything they are completely incompetent. And as for anyone getting an ID card voluntarily which is what they hope people will do initially, you would be insane to hand over your information to this bunch of clowns.
Everyone please apply for a new passport NOW and avoid this future fiasco for at least 10 years.
Tom, Londo, UK
What a calamity. The Government should be held totally responsible for the fiasco and it seems never ending, from immigration to HMRC. Seems there are problems in all the departments and a major overhaul is required and changes as well.
TC, lONDON, Middx
If a gaping hole in security was left wide open after being drawn to your attention, then yes, you deserve to resign.
But if in-place security measures were breached by someone lower down the chain, there's no way the senior person should resign. Deal with the individual who performed the irresponsible act.
Else where does the buck stop?? The Chancellor? The Prime Minister? And what about all the line managers in-between? Oh, and TNT? After all, they lost it. Will they lose contracts with HMRC or other govt agencies? No, you discipline the fellow whose memory lapsed as he forgot to send the mail "registered" as required.
The bigger problem is that massive amounts of personal data, easily copied onto a disk, can be taken out of that building in peoples' pockets every day.
Were a time/date audit to be made when a file is accessed or when copious data is extracted, then an authorisation from above could be required to process it, ensuring data goes only where it should.
Peter Jamieson, Aichi, Japan
i feel that this is a good reason to give the postal workers
a decent pay rise
at least they arrived by post
steve adams, royston , herts