Sunday, 25 November 2007

An unbelievable loss

Prior to the event happening, many people would have assumed this sort of thing could never happen. Maybe you thought that there would be enough safeguards in place. Obviously, we now know that this is not true. What am I talking about? This blog entry is about the 25 million Inland Revenue records that were lost in the post recently.

This article contains a timeline of the events leading to the current situation:
  1. 18 October - Junior official from HMRC in Washington, Tyne and Wear, sends two CDs containing password-protected records to audit office in London through courier TNT, neither recorded nor registered
  2. 24 October - When package fails to arrive, second one is sent by registered post and arrives safely
  3. 3 November - Senior managers are told first package has been lost
  4. 10 November - Prime minister and other ministers are informed
  5. 12 November - HMRC tell ministers CDs will probably be found
  6. 14 November - When HMRC searches fail, Metropolitan Police are called in
  7. 15 November - Richard Thomas, Information Commissioner, says remedial action must be taken before public is informed
  8. 20 November - HMRC Chairman Paul Gray resigns; Chancellor Alistair Darling makes announcement to House of Commons
In addition to this, HMRC gave the National Audit Office a full copy of child benefit data in March, which is a "breach of protocol". Also, 15000 records went missing in September after HMRC sent them to Standard Life and a laptop containing 400 ISA details was stolen.

A few interesting questions arise from the timeline above. Firstly, why was the original package not sent using recorded delivery and why wasn't it registered? Secondly, was there anything done between the 18th and the 24th to ensure this mistake wouldn't happen with the second package? Thirdly, why were senior managers told of the loss of the first package several days after the successful delivery of the second? Surely they should have been told straight away. Lastly, were ministers told of the specifics of the HMRC search? 'Probably' is a very vague term to use and inappropriate for the situation.

I also wonder about the password protection on the discs. There are multiple ways to implement password protection. Also, was anything encrypted? If it was, what was the strength of the encryption? If a mistake of this magnitude was made, can we automatically assume that there were appropriate security measures on the discs? I have not heard answers for any of these questions yet.

In this article, the following was mentioned:
"Darling stressed that there was no evidence that the data had fallen into criminal hands, but urged Britons to keep a close eye on their bank accounts."
This is definitely true - we don't have any evidence which implies that crimes have been committed using the information. However, we don't know that crimes haven't been committed either.

In the House of Commons, Conservative leader David Cameron said this:
"Millions of people today will be worrying about the safety of their bank accounts and the security of their family details, but they will not just be worried, they will be angry that the government has failed in its first duty to protect the public."
Well, it's not just the government that's to blame - however, they are at fault because they oversee HM Revenue and Customs and are supposed to be making sure that they always do their job properly. It's also the fault of HMRC themselves though - they should have ensured that existing security procedures are correctly implemented - especially after the earlier mistake in March.

The civil servant working for HMRC who originally made the mistake remains unnamed according to this Telegraph article. For that person, it is probably a good thing - if he was named then a large portion of the country would be tracking him down. However, he needs to be punished and I hope that he has lost his job because of this fiasco.

Paul Gray, the Chairman of HMRC, has left - which is the right thing to do. What about Alistair Darling though? He is at the top of the Treasury and is generally in charge of financial matters. What will happen to him? This article highlighted a poor performance in the Commons following the data loss. He hasn't resigned though - which is interesting. I think he should resign, but how would that affect Gordon Brown, who chose him to be the Chancellor?

Banks are preparing for panicking masses who will be enquiring about their personal details. The current levels of identity theft in this country definitely don't help. CIFAS, the fraud prevention service in the UK, has the following statistics:
Year | Cases recorded
Those figures show that although it's not yet a massive crime, it is on the increase - it could increase even more now that this problem has happened. Even if it doesn't, the worry will still exist amongst the general public.

So, what do you think?
