Richard Woods, Jon Ungoed-Thomas, Marie Woolf, Brendan Montague, Steven Swinford, David Leppard, Anna Mikhailova, Alan Schofield
[This article is subject to a legal complaint]
Inside the spacious office of the chancellor on Tuesday morning, Alistair Darling looked like a man who had lost a wallet containing some very embarrassing items. He had searched everywhere, high and low, but it was no good – he was going to have to own up.
At 11am calls went out to George Osborne, the shadow chancellor, and Vince Cable, the acting Liberal Democrat leader, inviting them to a briefing on “privy council terms” – the highest form of confidentiality. Osborne and Cable cancelled their engagements and hurried around.
They found Darling, flanked by two officials, looking almost as white as his hair. The keeper of the nation’s finances admitted that the government’s entire database of families receiving child benefit had been downloaded onto two computer discs, popped in the post – and lost. Some 25m people were at risk of fraud.
“He was very shaken,” said one of those who attended the meeting. “He looked very upset. He was concerned to reassure everyone that the government was taking action to prevent the risk of fraud. But the whole thing was quite mind-boggling.”
Darling told his opponents he would make a formal statement that day, but because of the gravity of the situation had wanted to warn them in advance. “He wanted to give them a heads-up,” said one of those at the meeting. “It was an enormous drama.”
Indeed it was: the fifth biggest loss of data in the world, putting millions of individuals at risk of identity fraud, which is the fastest-growing crime in Britain. The discs contain the names, addresses, dates of birth, and bank account details of millions of families.
Experts warn that even though banks will reimburse fraudulent losses, the effect can be devastating if individuals’ credit records are blighted.
The unspoken thought in the room was: never mind the money, think of the votes.
Later that day when Darling’s revelations provoked gasps in the House of Commons, he pinned the blame firmly on a “junior official” at Her Majesty’s Revenue & Customs (HMRC). Proper procedures had not been followed, said Darling. The government and its policies were not at fault, he implied.
But last week a colleague of the HMRC employee fingered by Darling told The Sunday Times: “I have spoken to the person who sent the CDs and he is very concerned that he is being made a scapegoat by the government. He said to me, ‘I just want my life back and for all this to go away.’
“His view is that he has not broken any guidelines because there were not any. The government is trying to blame the civil service rather than taking the blame themselves. [The official] does not feel guilty because he was following what he saw as the correct procedures.”
As more details have emerged, the scenario painted by Darling, and Gordon Brown, looks increasingly threadbare. Investigations by The Sunday Times have established that:
- Senior HMRC officials were involved in releasing the data.
- The access codes for downloading the entire database were restricted to a handful of top managers.
- HMRC regularly dispatched sensitive data in unencrypted form, including personal details of hundreds of thousands of pension holders.
- Government guidelines are ambiguous on whether data has to be encrypted.
- The government’s own information watchdog raised the issue of data security with HMRC earlier this month.
As MPs absorbed what Darling revealed, it looked like another terrible blunder by a government already under siege.
Yesterday the embarrassment increased when it emerged that six further CDs, carrying conversations between a tax credit claimant and an HMRC hotline, had gone missing more than three weeks ago after being posted.
If widespread fraud results from the loss of the child benefit database, the government will also face potentially huge claims for compensation.
Already Privacy International, the human rights group, is preparing a legal case alleging that the government breached its duty of care to the public by mislaying the data. More than 300 members of the public have written to the group asking for its assistance in pursuing legal action.
On Friday the British Bankers’ Association (BBA) wrote to Darling saying that banks would ensure customers suffered no losses – but that the Treasury should pick up the bill. The government, the BBA pointed out, had admitted the loss of the data was a breach of its “duty of care” and so should reimburse the banks if people were defrauded.
When the BBA asked to publish the letter, the Treasury refused permission.
In a similar vein, government officials threatened dire retribution against any HMRC staff who talked to the media. With almost Stalinist fervour, Brown’s officials reminded staff that they had signed the Official Secrets Act.
“All the staff have had a very stark reminder – you are risking the sack if you speak to journalists,” one insider said.
The HMRC might play fast and loose with the personal data of 25m people, but allow the truth to slip out – not likely.
Brown and Darling now face accusations of trying to cover up the affair.
Osborne said: “Alistair Darling’s version of events unravels day by day. Mr Darling urgently needs to come before parliament [tomorrow] and explain himself.”
So how did the debacle happen? Where does responsibility lie? And what are the risks for individuals?
THE man who created the HMRC shambles is ultimately Brown, the former all-powerful chancellor. In his 2004 budget, Brown announced that he was going to merge the Inland Revenue and Customs & Excise. The great bean counter saw the chance for huge savings. Funding and more than 14,000 jobs were to be slashed.
In July this year the House of Commons treasury committee warned, with eerie prescience, that the staff cuts could affect the level of service at HMRC. The staff reduction “is an understandable source of concern to staff, and carries with it potential risks to the quality of service”, the MPs reported.
Tessa Smith (not her real name), 34, is one of those who know first hand what the atmosphere is like inside the Waterview Park office in Washington, Tyne and Wear, from where the discs went missing.
“A lot of people are feeling very downtrodden,” she said. “People have passed being angry a long time ago. We have now been working for three different departments in recent years: the DWP [Department for Work and Pensions], the Inland Revenue and now the HMRC. There is no stability, no continuity.”
Last week Tim Coxon, the Public and Commercial Services union’s local secretary, said: “People are feeling very stressed because of workloads. There is a waiting list for early retirement. Some people have said to me that it is only a matter of time before something like this happened. They are indifferent to what is going on.”
Post piled up, inquiries took ages to be answered and errors proliferated. As Brown presided over numerous new taxes and benefits as chancellor, billions poured in – and billions also went astray.
For several years the National Audit Office (NAO) has refused to give the accounts of the HMRC (and its predecessor the Inland Revenue) a clean bill of health because of serious errors in the handling of taxes and benefits. Last year the audit office noted that “organised fraudsters” had been so successful in targeting the tax credit system that the HMRC had had to close “the tax credit e-portal”.
Amid this chaos, data was flying about all over the place. One government contractor, who sells encryption software and asked not to be named, said sensitive data was routinely sent unencrypted by HMRC and other government departments.
“I sold one government department an encryption system 2½ years ago and they are still not using it,” he said. “Officials said they had more important projects to deal with. The government’s security advisers would say you shouldn’t move data around unencrypted, but it’s not the security advisers who decide to send out the data.”
Private financial firms and advisers regularly receive CDs containing sensitive personal data, unencrypted, from HMRC. Legal & General, Norwich Union and Prudential all said last week that this happened.
If the data is protected by a password, it is often included in the package on a compliments slip, according to Shawn Williams of Rose, Williams & Partners, a legal firm in Wolverhampton.
“Sometimes there is no security at all, sometimes there are instructions telling you how to access the data,” he said.
According to an HMRC insider last week, data was often sent between different departments using an intranet known as the government secure gateway. But it appears it was not possible to send the vast child benefit database to the National Audit Office in this way. Instead, the personal data of 25m people were going to be entrusted to a couple of envelopes.
AT 8.20am on Tuesday March 13 an official in the Washington child benefits office dispatched an e-mail to colleagues about sending data to the NAO.
“Please find attached the . . . data scan . . . The [blanked out] should help the NAO decipher the information.”
What is notable is that the e-mail was not sent to the NAO. It was addressed to three colleagues inside the HMRC and appears to have been informing them of the sort of data being prepared for release to the NAO.
After Darling blamed a “junior official” at HMRC for the fiasco last week, some media reports suggested this was a hapless 23-year-old. The Treasury did nothing to contradict this view.
The truth is rather different. The official who sent the March 13 e-mail was not some minor jobsworth or dogsbody from the postroom. It was a manager with significant service.
In one e-mail an official at the NAO told the HMRC: “I do not need address, bank of parent details in the download – are these removable to make the file smaller?” The HMRC official responded that it was too expensive to strip out such entries, writing: “I must stress we must make use of data we hold and not overburden the business by asking them to run additional data scans/filters that may incur cost to the department.”
Experts have since estimated that the cost of stripping out such details from a database of this size would have been about £5,000.
This e-mail was copied to at least two people at HMRC and one at the NAO. So officials knew that the sensitive details of names, addresses and bank accounts were not going to be removed when the data was sent to the NAO. Yet nobody appears to have been concerned.
Contacted on Friday, Jordan told The Sunday Times: “I haven’t done anything.” He declined to say whether Darling was correct in blaming a “junior” official, merely saying: “Don’t believe all you read.”
However, another HMRC insider said the access codes for the computer database were restricted to a handful of senior officials: “You can’t just download the discs unless you have specific authorisation. That is for senior managers.
“Either a senior manager downloaded the information and gave it to him [Darling’s so-called junior official] or he did it after being given the password.”
Access is so restricted and monitored that in the past staff have been fired for simply looking at the records of celebrities, let alone downloading a whole database. “We have a tracing system,” said the source. “People have been sacked for looking at celebrity records.”
On March 16 the HMRC sent CDs containing the personal details of 25m people, including bank accounts and children’s names, to the NAO by post. This time they got away with it. They arrived safely, were audited and returned safely a month later.
The dangers were made all too clear in September when HMRC dispatched a CD to the insurance company Standard Life containing personal details on 15,000 people, including names, National Insurance numbers, dates of birth and salary information. It went missing – and it was not encrypted.
It emerged this weekend that in early November, two weeks after the child benefit discs went missing, officials from the information commissioner’s office met data experts from the HMRC to discuss security in the wake of the Standard Life fiasco.
The meeting focused on the need for tight security, but it is not known whether the more serious loss of data was raised.
“It was a meeting to discuss security lapses,” said a source close to the information commissioner. “We told [HMRC] very clearly that we will take enforcement action against them. This meeting was all about the security breaches.”
After the Standard Life disaster emerged, the government sought refuge in that old standby, the review. “We have reviewed our arrangements,” it said, “and have introduced safeguards to prevent this happening in the future”. Weeks later the biggest loss of data witnessed in the UK began to unfold.
ON October 2 the NAO again requested data from the HMRC. This time there was a hint of concern about security. The NAO’s e-mail requested: “Please could you ensure that the CDs are delivered to NAO as safely as possible due to their content.”
Once again the transfer of data was known at a high level. The two CDs were sealed in an envelope which in turn was put in a “tax post wallet” used for internal mail. They were sent on October 18.
Post at Waterview Park is placed in a number of out-trays: one for members of the public, another for confidential or restricted material and one specifically for the NAO.
From there the system relied partly on Royal Mail and partly on TNT, a private delivery service. Last week TNT said that if the package had been entrusted to it a delivery truck would have picked up the mail and taken it to a depot in Durham from where it would have been sent to a “major hub” in the Midlands.
It would then have been taken to TNT’s London City depot, before being delivered to the National Audit Office headquarters in Buckingham Palace Road, central London.
Yesterday the police search moved to the TNT sites, the work at Waterview Park having been completed.
Six days passed before the NAO told the HMRC that the discs had not arrived. The HMRC then sent a second lot of discs, this time by registered post. The next day, October 25, the NAO told the HMRC the second package had arrived – but there was still no sign of the first pair of discs. Data that could lay 7m families open to fraud were lost – and nobody reacted. They simply hoped the discs “would turn up”.
Last week an HMRC spokesman again tried to blame junior staff, saying: “The junior HMRC official involved should have notified their senior officials but did not.”
But even when the information did reach the top, ministers and officials did not warn the public.
When Darling was told of the missing discs on Saturday November 10, he didn’t alert the banks or the public: he simply ordered another look around the desk and rubbish bin. By now the data had been missing for more than three weeks.
The Treasury team crossed its fingers and hoped the discs would resurface. Only on Wednesday, November 14, did Darling take more urgent action, calling in the police – but still not warning the banks or the public.
That Friday the HMRC sent another copy of the data to Apacs, the organisation at the centre of the bank clearing system. This time HMRC managed to strip out sensitive data and to deliver it by hand.
Working over the weekend, Apacs split the data down by individual bank. By Monday it was able to tell some 90 institutions which of their accounts were at risk. On Tuesday, Darling came clean to parliament.
BROWN assumed power vowing to remove the culture of spin that the public had grown to detest under Tony Blair. Yet last week the government spin machine was on full revs over the HMRC scandal. As well as the junior official, Darling fingered TNT in the House of Commons as responsible.
The company is furious: it says there is no evidence as yet that it handled the package at all. A source close to TNT said: “We knew there would be a statement, but we didn’t think we would be named because we knew we weren’t implicated. We would have held our hands up if we knew it had gone through our system but we had absolutely no proof at all [that it had], let alone that we had mislaid the thing.”
Treasury officials were, for their part, furious that the NAO had released the e-mail exchanges with HMRC. One senior Treasury figure said the NAO’s behaviour over the past few days has been “unedifying to say the least”.
Brown weighed in to blame individual failures, rather than the system. At prime minister’s questions he declared: “The house should know that under the Manual of Protective Security [MPS], which all government departments are required to follow, any data that are sensitive . . . should be encrypted when in transit.
“There is absolutely no doubt that that is the procedure; it is just that it was not followed.”
But union officials and security experts say policies and the manual are far from as clear as Brown claimed. At the child benefit office in Washington last week, HMRC staff had not even heard of the MPS, let alone been trained in its strictures.
The MPS is the Cabinet Office document that governs sensitive data. The manual, which is not available to the public, states that departments should classify the impact of losing information on a scale from zero (low) to six (high).
Andrew Beckett, of Regency IT consultancy, which provides the government with encryption services, said: “The manual does not say which information should be encrypted. It’s up to the senior responsible officer to determine the impact level of the information being compromised.”
Beckett added: “Impact level six is the kind of information that leads us to going to war or massive loss of life. An individual record of personal information would be level two or three, and the Manual of Protective Security does provide for level three to be posted by Royal Mail.”
Though the volume of data is also a factor, Beckett said it was “entirely possible” that the employee who sent the HMRC data considered that it merited only a level three classification under the manual’s guidelines.
Indeed, the NAO itself does not follow Brown’s strictures.
Once it received the HMRC data it sent the discs on to KPMG, the accountancy firm, to which it contracts out some audit work.
“A member of the audit team turns up and delivers it by hand,” said KPMG. “When the work is finished we return it and the data is deleted [from KPMG computers].” But the data is apparently not encrypted in transit.
If this is the case it would amount to yet another breach of Brown’s apparent strict guidelines.
IN Westminster there was shock that another debacle had hit the government only months after Brown had taken over as prime minister. One Labour backbencher said: “If you had asked me a week ago if our situation was retrievable I would have said yes. Now I’m not so sure.”
Darling’s humiliation last week was only increased by the lost data saga. On Monday he had made a statement to the Commons in which he had defended the government’s lending of more than £23 billion of taxpayers’ money to Northern Rock. His assurances that our money was safe were not taken as read.
His boss was hardly faring better. On Thursday five former military chiefs lambasted Brown for failing to provide Britain’s armed forces with sufficient resources.
Brown’s cherished reputation for prudence is also taking a battering: Britain’s budget deficit is already running far higher than expected and may reach £42 billion, warned the Institute for Fiscal Studies.
The government is determined to ride out the storm. In relation to the data scandal, Treasury insiders protested that Darling had been careful in what he had told parliament. “He only said ‘it appears’ to be a junior official,” said one insider. “We are still waiting to find out exactly what went on.”
But public opinion polls make painful reading for Brown and his chancellor. A survey by Populus late last week rated the pair as less competent than David Cameron, the Tory leader, and Osborne.
The ramifications of the affair could be far-reaching. Richard Thomas, the information commissioner, said there should be much more rigorous checks on how all data was handled. He wants sweeping new powers to check on data security.
The Sunday Times has discovered that another government organisation, the Audit Commission, has regularly been demanding data files from public bodies containing the names, addresses and bank accounts of hundreds of thousands of staff. They are often sent unencrypted and the practice has provoked numerous complaints and claims that it is against the law. The government has introduced proposals to ensure it is legal.
This weekend the operators of some Russian websites associated with fraud were posting comments suggesting they were hopeful of obtaining the child benefit data and putting it up for sale.
One poster wrote on a forum: “The British government has screwed up and lost all its child benefit data! The identity of every family in Britain with kids is up for grabs.”
It is not a threat that will go away if the discs are not found. Commenting on how fraudsters would use the data if they got their hands on it, Konstantin Gavrilenko, managing director of the security firm Arhont, said: “Whoever has it won’t sell it on or use it straight away, they’ll wait until all the fuss has died down. Then they will sell it on using the usual channels; 25m sets of data will last them a long time.”
If it does surface, the risks are “chilling”, according to Richard Turner of RSA, a computer security company that works for many banks.
“The reality is that this sort of information could enable a fraudster to get a credit card, a loan, a phone or even buy a car in your name. That’s why this is such a huge one.”
Even if the discs are found, the risk may still lurk if they have been copied. And it could be a timebomb that might surface only in many years’ time.
Fraudsters might, for example, wait until children on the database reach 18 and then start applying for credit in their names. The first that individuals could know about it is when the bills start arriving.
World’s biggest data losses
- In 2003 AOL, the internet company, suffered a security breach that led to the theft of 92m e-mail records
- Last year TJX, a retailer, discovered that sales data, including 45.7m credit and debit card account numbers, may have been illegally accessed through its systems
- CardSystems, a US data company, admitted in 2005 that 40m records relating to American Express, Visa and Mastercard customers had been accessed illegally
- Last year the US Department of Veterans Affairs revealed that data stolen from an employee’s home included names, dates of birth, and in many cases telephone numbers and addresses, of 28.6m veterans
Copyright 2008 Times Newspapers Ltd.
The government really don't learn from their mistakes. I am one of the people whose data has been 'misplaced'. I received a letter of apology a couple of weeks ago and the reassurances of it being a one time mistake etc. However this week I received an identical letter addressed to the previous occupant; without opening it I knew it would contain her details! Obviously if the lady who lived at my address before me is still claiming child benefit she would be registered at a different address as doing so. Is it too much to ask, after their first monumental error, that details should be checked before posting out yet more personal information? I also now wonder if information about me has gone to my previous addresses. It seems that if the discs are genuinely lost & not stolen, the information they contain is being posted out by the government anyway. The lack of security in the first place was appalling but the continuing disregard for personal information is inexcusable.
C Hannon, Widnes, United Kingdom
The only nation whose top politicians are Oxbridge classicists, lawyers and an immediate past PM who had as much trouble with the computer keyboard as his guitar fretboard.
What century are we living in?!
Dennis, Llantrisant, UK
I have a phrase that may just help.
Two wrongs do not make one right, but three rights may give one left
Firozali A Mulla, Dar-Es-Salaam, Tanzania
"Experts have since estimated that the cost of stripping out such details from a database of this size would have been about £5,000".
What sort of systems do these people have?
It would take me all of five minutes to write a Perl / SQL script to strip fields out of a database. And a PC will chug through 25 million entries in minutes.
That to me speaks volumes about this government's incompetence.
Malcolm Mclean, Bradford, UK
This shambles of the government could teach the KGB a thing or two on cover-ups.
John, Clacton on Sea Essex, UK
Never mind the loss of info. How much off balance sheet debt as PFI etc. did Prudence sanction during his 10 years in office - 500 billion? 1000 billion? Just think of who, how and when we shall have to pay for it?
PETER CLOSE, BERWICK-UPON-TWEED,