Iconic Films

2 for 1 tickets to Singin' In The Rain, this coming Monday. Book now

Navigation - link to other main sections from here

Skip Navigation

From The Sunday Times
November 25, 2007

Revenue routinely sent secret data with no security

Jon Ungoed-Thomas, Marie Woolf and Brendan Montague

REVENUE officials have been routinely posting out people’s confidential data in bulk and without proper security, a Sunday Times investigation has found. It undermines Gordon Brown’s claim that the loss of 25m child benefit records was the fault of a lone junior official.

The prime minister last week blamed the junior civil servant for the loss of two computer discs containing the personal and financial details of the claimants. He said they had been posted out in a clear breach of rules that all sensitive data in transit should be encrypted.

Revenue officials have admitted that similar personal data for hundreds of thousands of people have routinely been put on CD and sent by post without encryption. The practice has now been quietly stopped.

HM Revenue & Customs (HMRC) has been sending confidential personal information to pension companies, including Norwich Union and Legal & General, without encrypting it and despite the risk of identity fraud. The practice continued even after confidential employee data went missing in September.

Q&A: how can I protect myself?

Advice for anyone who fears their personal data may be misused by fraudsters after Britain's worst ever security breach

Related Internet Links

Background

Related Links

Union representatives said that the junior official – who has not been disciplined – believed that he had been made a scapegoat when he had simply been following what were widely regarded as “pretty standard” procedures. “I just want my life back and for all this to go away,” he has told a colleague.

This weekend opposition politicians accused Brown of political opportunism in singling out the official. “HMRC had a systemic culture of carelessness when it came to handling confidential data, yet instead of taking the blame, Gordon Brown and his chancellor singled out a lone junior official,” said George Osborne, the shadow chancellor.

The government was also challenged last night to come clean over whether HMRC even has the capability to encrypt computer discs at its office in Washington, Tyne and Wear. Brown told MPs that this was required when sensitive data were sent out by the post. HMRC officials refused to comment this weekend.

Brown told the Commons that under “the Manual of Protective Security . . . any data that are sensitive . . . should be encrypted when in transit. That is the procedure, it was just not followed”.

However, The Sunday Times has established that HMRC halted the practice of sending out unencrypted data only after the loss of the child benefit database. Until the ban, officials were sending out unencrypted details on discs, including employees’ names, details of tax payments, National Insurance numbers and dates of birth.

Legal & General said that it had received unencrypted personal data from HMRC but would not disclose the number of their customers affected.

Norwich Union and Prudential also said they routinely received unencrypted data from HMRC by courier but were now reviewing the practice.

Last September HMRC lost the personal details of 15,000 customers of Standard Life and warned those affected. Despite the bungle, the pension company said last week that records were still being sent on unencrypted discs, but these were being sent by recorded delivery.

Investigators hunting for the two discs containing the details of all families with children under the age of 16 were yesterday focusing on the depots of TNT, the HMRC’s courier. Royal Mail is also conducting a search of its return letter centre in Belfast.

The claim by Brown and Alistair Darling, the chancellor, that it was a lone official who had breached the rules was starting to unravel.

A senior HMRC source said that only “two or three” managers had the passwords to download the missing database of child benefit claimants before it was burnt onto the discs. A senior HMRC official said: “Either a senior manager downloaded the information and gave it to [the junior official] or he did it after being given the password.”

All government departments are now reviewing their procedures. The Department for Work and Pensions yesterday admitted that it had sent “bulk” unencrypted personal data by computer disc in the post to other government offices.

It also emerged last night that a package containing hundreds of pension statements had gone missing after being sent on October 26 by the Scottish Public Pensions Agency to the NHS.

Data have also gone missing in a controversial government scheme in which the bank account details and incomes of public sector employees, pensioners and private home residents are sent to a private company for fraud checks on behalf of the Audit Commission.

The government faces legal action over the child benefit data fiasco. Privacy International, which campaigns to protect the public from government intrusion, has consulted lawyers and is to take a test case on behalf of 300 worried families who have contacted it.

Why is HMRC using a private courier to deliver these discs? Is this yet another example of the Government's desire to run down the Post Office, by starving it of revenue so that they can privatise it because they will say it needs private finance? PS Surely this fiasco proves that ID Cards are dead in the water.

Brian , Liverpool,

I think it was Ronald Reagan who said that the worst 9 words uttered to anyone was....

"I'm from the government and I'm here to help".

I'm sure someone can think of an oppropriate line for our bunch of incompetents, but what bothers me apart from the fact that any meaningfull qualifications are not required in this department (it seems) is that some elements of a past criminal record can be deemed 'not relevant'.

Nice one

Phil, Preston,

Like cww, I hope the junior official will be protected and management or those higher up the ladder accept responsibility for their decisions. As a civil servant and ICT specialist I know it's very difficult to refuse a demand made by management which often hasn't got the foggiest idea what security, proper maintenance, outsourcing, or any ICT issue is about - let alone what risks are involved. Not using encrypting/encripted data is really unbelievable. Though no guarentee, mrs Baramy, in ensuring your account is not plundered through internet phishing and other means.
As someone else rightly remarked: sending any item by registered post will only ensure someone signed for it on delivery.
Good to hear legal action is being contemplated. Isn't it illegal to copy private and personal data without permission and not once but several times? Disregarding encryption and other tools to protect it and prevent further copying? Music CDs are better protected than private data.

Kate, the Hague, Holland

Petition protesting the ContactPoint database is here

http://petitions.pm.gov.uk/Databases/

Trust the state with personal details of every child in the country? eek!

emma, London, UK,

I would quite like to know how it is possible to lose anything in the post anyway. How does it happen when there is a destination written on it that could never be mistaken for another?

Anon, Edinburgh,

We are all, correctly, complaining about the way the government fails to protect our personal details.
I just wonder how may home computer users are equally lax. I have friends who keep all their financial dealings etc on home computers without even basic password protection. Apart from the possibility of hackers whilst on line, none seems to have considered the possibility that the computer might fail and need to be sent away for repair before data could be removed from the hard drive.
A semi-retired accountant friend kept a considerable amount of confidential data on his computer, and when it failed had to pay very highly for an expert to repair the computer at home in order that he could watch and ensure the data was not examined or copied. He now uses an program which keeps all the data fully encrypted when not actually in use and I advise all my friends to do the same - there is at least one very good program available free of charge and it is well worth the effort.

Brian E, London, England

you should immediately request that all of your personal data is removed from all and any HMRC computer databases and detabases that could be connected or "contaminated"

and that you will (subsequently and in my own time) apply to each and every bank for replacement account nos.

REMEMBER IT IS YOU THAT ARE AT RISK UNTIL YOUR ACCOUNT IS SECURED and as the Banks losses could be substantial they will endeavour to recover any losses from customers.

paul wilcox, newbury, berkshire

Will you trust this goverment to securely look after your medical record when it is uploaded (without your explicit and informed consent) to a central computer?

John Priestman, Huddersfield, England

Speaking of money, aren't you supposed to pay tax on gifts or money you give to people?

Why then has this guy who gave money to 2 people who donated it to labour not paid tax?

This is strange?

Gary O'Neil, London,


Does anyone else think it's strange that a junior clerk could download this amount of highly confidential data without some sort of internal control preventing it?

What other data could have been downloaded onto a memory stick and walked out the building - and then sold on? Would anyone even know it was missing?

Rob, Birmingham, UK

After this farce, I cannot imagine anyone in their right mind providing identity card information but how can it be a case of 'go to jail, go directly to jail' when Macavity has not built the prisons to hold us all?

C Smith, Chester,

HMRC must be in the dark ages. The post should never have been used. Encryption over an intranet would have been quick & cheap. Or getting a database to offer out only the non contentious fields or is their database useless? And access to the database ought to be controlled by someone senior. This is root & branch failure, not the error of some poor clerk!!

Keith, Hastings, UK

To Jenny in Petersfield Hampshire

Sorry to be crude, but I have a feeling your letter will fall on deaf ears and achieve nothing.

Imaad, Bradford, West Yorkshire

We are just as at risk from our own government than we are from foreign terrors, it seems.

Justin, Nr. Lincoln, UK

I once sent something by the courier company, TNT. Not only did they lose my stuff, they were absolutely horrible when I contacted them and asked what they were going to do about it. I don't recall ever being treated with such rudeness as by the MD of TNT. Go figure.

Judith G, Aspet,

Yes, role on identity cards, n.h.s. computerisation and the ultimate destruction of the citizens right to a private life. Gordo wants your money to waste, now he wants to know what you had for dinner last night. And if you object he'l probably hold you for 56 days (or ninety days) without charge as a suspected terrorist.

Diddly Do, Liverpool,

Does registered/recorded/tracked delivery actually guarantee that the item will not go astray. Does it not simply prove in whose hands the item was if it does go astray?

Tony Knight, Durham,

I am surprised that in comments about this fiasco people say that if only the discs had been sent by "Registered Mail" then there would not have been a problem. As far as I can see from the Royal Mail web site the there is no such thing as Registered Mail, only Recorded Signed For. This doesn't give you any additional security except a signature if it happens to be delivered. If it isn't delivered then you get the cost of your stamps back (been there, done that). Not much help!

Jon, St Albans, Herts

I would question the justification of sending personal data to public sector organisations at all. If these organisations require such information thay should ask me for it, not the government.

In any case, as the databases are outsourced there is no such thing as security so many 'unvetted' personel will have access to them. And it may be worth asking who has access to disaster recovery and routine backup copies.

Mike Poulsen, Reading, Berkshire

We will be writing to any government agency and private company that holds our personal details, asking for an epxlanation of their security policies when dealing with our confidential data.

My son's passport was recently posted back by ordinary second class mail from the Student Support Department of our local council. We were surprised it was not registered delivery: now we suspect that cutting down on mail costs is government policy, and hence a systemic carelessness.

Jenny , Petersfield Hampshire,

I cannot understand Britain's reluctance to use the computer to transfer information. In our country I can use the internet for the bank to check my account. Afteralll you transfer money by internet so I don't understand why not government information to another department. Very strange.

Renate Baramy, Ramat Hasaron, Israel

Is all this a kind of 'trial run' for a new form of internal terrorism?

jill piercey, flackwell heath,

I do hope this junior official gets all the protection and help he needs - considering what happened to Dr Kelly...

cww, suffolk,

Have your say

* Required

Also in Politics

Also in News

Exclusive extracts

cherie

Cherie autobiography

Full coverage and exclusive interviews and extracts from a decade in power

Comment    

Times leader masthead

open quote mark Governments cannot, and should not, seek to ban the investigation of natureclose quote mark

More...
Leading article

PRESCOTT MEMOIRS

John Prescott

John Prescott on power struggles in Downing Street and saving his marriage

Red box blog

Judge's wig

The High Court's damning judgement on MPs' expenses

    Stockings

    Naughtiness at No. 11

    Britain's 10 most outrageous Chancellors: who picked up scores of prostitutes?

      CHERIE AUTOBIOGRAPHY

      Cherie Blair

      Cherie Blair exposes the secrets of life in Number 10

      Comment Central

      Gordon Brown and David Cameron

      Can you see this in Congress?

      The American PMQs: What McCain should expect

        Brookes

        Latest from award-winning cartoonist Peter Brookes

        Morland Cartoon

        Morland

        The savage and bizarre from Morten Morland

        Most Read

        Skip Most Read

        Today

        MOST COMMENTED

        Skip Editor's Pick

        Today

        MOST CURIOUS

        Skip Most Curious

        Today

        Focus Zone

        Dr Zhivago

        Top 100 Films:

        Enjoy screenings of all the classic films you love, plus take advantage of two-for-one tickets

        horses

        Alternative Investments:

        Have you ever dreamed of owning your own racehorse or a beautiful painting?

        Toyota Auris

        Places & Spaces:

        Enjoy comfort, safety, space and great design. Plus enter our great competition

        Focus zone, pets, 100x100

        Perfect Pets:

        Times Online's new TV show helps you make the right decisions for your pet

        California

        Totally California:

        Are you California dreaming? Explore the wonders of the Golden State. Also enter our fantastic competition

        Nikon D40X camera

        Young Photographer:

        Do you have what it takes to be a Times photographer?

        Train your brain

        Surprise Yourself:

        Your brain is capable of more than you might think...

        Wealth Management:

        Find out to make the most of your money with our wealth management guides

        Boards advertising property for sale and rent are seen in east London

        Property Guides:

        Need help with your property? We have an entire how to guide - buying, selling, letting, moving, to help you

        Best 100 Green Companies

        Best Green Companies:

        We are seeking entries for the inaugural Sunday Times Best Green Companies Awards

        RSPB

        Love Nature:

        Enjoy some wonderful inspiring wildlife moments

        James Bond eye image

        James Bond:

        An interactive preview of the brand new For Your Eyes Only exhibition

        previous next

        QUICKLINKS

        Sudoku 

        Skip Sudoku

        70 x 70 JPEG

        Now Interactive

        Love Sudoku? Play our brand new interactive game: with added functionality and daily prizes

          Career/Jobs 

          Skip Career/Jobs

          70 x 70 JPEG

          Forget burnout, boreout is the new office disease

          Are you irritable when you return from work? Drained of emotion? You could be suffering from boreout

            Podcasts 

            Skip Podcasts

            70 x 70 JPEG

            The Bugle - Dead Hill Walking

            John Oliver and Andy Zaltzman beg Hillary to pack it in

              Driving 

              Skip Driving

              70 x 70 JPEG

              Jeremy Clarkson's greatest hits

              Prepare for some shock and awe, petrol lovers. Despite the greens trying to wipe it out, the car is about to offer us the most exciting year ever

                Travel 

                Skip Travel

                70 x 70 JPEG

                100 summer holidays for '08

                We've trawled the brochures and websites to find this summer’s best holidays for every taste and budget

                Skip Photo Galleries
                70 x 70 JPEG

                Photo Galleries

                Pictures of the Week

                A selection of the best images from around the world

                  Services

                  Cheese

                  Best Artisan Cheeses, £27.50

                  Direct from the farms

                  The Singapore skyline pictured at night

                  Business City Guides

                  Overseas contacts and local business information

                  Classifieds 

                  Cars

                  Skip Cars of the Week

                  Jaguar XKR Supercharged Coupe

                  2007/07
                  £57,500
                  South East England

                  BMW 630Ci

                  2007/07
                  £40,995
                  South East England

                  BMW M5

                  2006/06
                  £41,995
                  South East England

                  Car insurance

                  Great car insurance deals online


                  Jobs

                  Skip Jobs of the Week
                  Business Development & Relationship Managers

                  £40-55k+benefits+uncapped commission
                  Morgan Keating
                  South East

                  Operations Director

                  £ c£75,000 + executive benefits
                  Morgan Keating
                  London and South

                  Public Members

                  Unpaid with travel expenses
                  Network Rail

                  Properties

                  Househunting. Without the hunt.

                  Globrix, the property search engine

                  Looking for a new home?

                  Visit Times Online Property for homes for sale or rent

                  Leicester LE3

                  Residential development site with planning permission
                  £1,500,000

                  Barclays Buy Abroad

                  Mortgages, bank accounts & money transfers to help you buy abroad

                  Holidays

                  Skip Travel of the Week

                  Mauritius

                  Dinarobin Hotel Golf & Spa 7 nights
                  From £1830 per person – saving £530.

                  Explore the French Pyrenees

                  Walking & multi-activity holidays in Cauterets. Stylish self-catering apartments.
                  From 350€ for 7 nights.

                  Funway Holidays Int Inc

                  SAVE 25% on Sandals Luxury Resorts


                  Travel insurance

                  Great travel insurance deals online


                  Place your advert now