REVENUE officials have been routinely posting out people’s confidential data in bulk and without proper security, a Sunday Times investigation has found. It undermines Gordon Brown’s claim that the loss of 25m child benefit records was the fault of a lone junior official.

The prime minister last week blamed the junior civil servant for the loss of two computer discs containing the personal and financial details of the claimants. He said they had been posted out in a clear breach of rules that all sensitive data in transit should be encrypted.

Revenue officials have admitted that similar personal data for hundreds of thousands of people have routinely been put on CD and sent by post without encryption. The practice has now been quietly stopped.

HM Revenue & Customs (HMRC) has been sending confidential personal information to pension companies, including Norwich Union and Legal & General, without encrypting it and despite the risk of identity fraud. The practice continued even after confidential employee data went missing in September.

Q&A: how can I protect myself?

Advice for anyone who fears their personal data may be misused by fraudsters after Britain's worst ever security breach

• Government under pressure over taxman's giant blunder

Related Internet Links

• Online security: full coverage

BACKGROUND

• Police step in as other CDs have gone astray

• Moment’s blunder puts half the country at risk

• Data watchdog seeks dawn-raid powers

• New data law 'urgently needed'

Related Links

• More bad news in the post

Union representatives said that the junior official – who has not been disciplined – believed that he had been made a scapegoat when he had simply been following what were widely regarded as “pretty standard” procedures. “I just want my life back and for all this to go away,” he has told a colleague.

This weekend opposition politicians accused Brown of political opportunism in singling out the official. “HMRC had a systemic culture of carelessness when it came to handling confidential data, yet instead of taking the blame, Gordon Brown and his chancellor singled out a lone junior official,” said George Osborne, the shadow chancellor.

The government was also challenged last night to come clean over whether HMRC even has the capability to encrypt computer discs at its office in Washington, Tyne and Wear. Brown told MPs that this was required when sensitive data were sent out by the post. HMRC officials refused to comment this weekend.

Brown told the Commons that under “the Manual of Protective Security . . . any data that are sensitive . . . should be encrypted when in transit. That is the procedure, it was just not followed”.

However, The Sunday Times has established that HMRC halted the practice of sending out unencrypted data only after the loss of the child benefit database. Until the ban, officials were sending out unencrypted details on discs, including employees’ names, details of tax payments, National Insurance numbers and dates of birth.

Legal & General said that it had received unencrypted personal data from HMRC but would not disclose the number of their customers affected.

Norwich Union and Prudential also said they routinely received unencrypted data from HMRC by courier but were now reviewing the practice.

Last September HMRC lost the personal details of 15,000 customers of Standard Life and warned those affected. Despite the bungle, the pension company said last week that records were still being sent on unencrypted discs, but these were being sent by recorded delivery.

Investigators hunting for the two discs containing the details of all families with children under the age of 16 were yesterday focusing on the depots of TNT, the HMRC’s courier. Royal Mail is also conducting a search of its return letter centre in Belfast.

The claim by Brown and Alistair Darling, the chancellor, that it was a lone official who had breached the rules was starting to unravel.

A senior HMRC source said that only “two or three” managers had the passwords to download the missing database of child benefit claimants before it was burnt onto the discs. A senior HMRC official said: “Either a senior manager downloaded the information and gave it to [the junior official] or he did it after being given the password.”

All government departments are now reviewing their procedures. The Department for Work and Pensions yesterday admitted that it had sent “bulk” unencrypted personal data by computer disc in the post to other government offices.

It also emerged last night that a package containing hundreds of pension statements had gone missing after being sent on October 26 by the Scottish Public Pensions Agency to the NHS.

Data have also gone missing in a controversial government scheme in which the bank account details and incomes of public sector employees, pensioners and private home residents are sent to a private company for fraud checks on behalf of the Audit Commission.

The government faces legal action over the child benefit data fiasco. Privacy International, which campaigns to protect the public from government intrusion, has consulted lawyers and is to take a test case on behalf of 300 worried families who have contacted it.

Times Recommends

• How I lost the gift of joy for a while
• Why Ann Widdecombe has got it wrong
• Alas, it’s the end of the road for petrolheads