The British government has lost confidential details of 25 million child benefit recipients that had been stored on two computer disks, according to officials.
HM Revenue and Customs, or HMRC, only admitted the loss Nov. 20, despite the breach occurring Oct. 18, leading to the resignation of HMRC Chairman Paul Gray. The disks were lost while being transported via internal mail from the National Audit Office department to HMRC. A junior employee at the National Audit Office is believed to have sent the disks through the mail, but the disks didnt appear at HMRC.
Sending such information via internal mail is a breach of rules governing data protection. Copies of the disks were then resent, using registered and traceable mail.
This is also the second time since March that the data protection rules had been broken by HMRC, although the first incident did not result in a data breach.
Child benefit is received by all parents in the UK who have children who are teens. The disks contained names, addresses, dates of birth, bank account details, childrens names and national insurance numbers—similar to U.S. Social Security numbers. HMRC officials said the disks were password protected, but it is unclear if the data on the disks were encrypted.
“If it was just password-protected with no encryption, then this is very scary,” said Greg Day, security analyst at McAfee. “Also, where did these passwords go? Are they themselves secure? Unfortunately HMRC wont say.”
HMRC is working with UK banks, the Metropolitan Police Force and payment groups, and is also tracking bank accounts to prevent this data from being used. However, Day said the data on the disks could be used for far more than just banking fraud.
“This is a serious amount of data that could mean ID theft,” he said. “This is potentially much bigger than just bank fraud.”
The UK Chancellor of the Exchequer, Alistair Darling, has given a speech in the House of Commons, outlining the measures that will be taken to protect those whose data has been lost. However, the onus seems to be on the individuals whose data has been put at risk. He encouraged people to check bank accounts every day and ensure that passwords and other details are changed.
“This is fine if you bank online, but it is doubtful that people who dont do online banking are going to visit their branch every day,” Day said. “Also, and more importantly, the government should not be focusing just on banking; this could be much wider, which makes it very difficult for the government to monitor. The responsibility will ultimately fall to the user to check their own safety.”
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.