Security experts said today that HM Revenue & Customs was "totally irresponsible" to have sent personal information between offices on a CD.

The information contained on it - bank account details and national insurance numbers - constituted the "holy grail" for criminal, who if they intercepted the disc would be free to commit identity fraud on a vast scale.

They said that older and more risky means of transporting information - such as sending it via courier on a compact disc, were, however, "surprisingly common" as organisations sought to avoid the cost of implementing safer methods.

Increasingly, sensitive information is passed between organisations needing access to it - banks, for instance - via electronic transfer.

Almost all the banks in the US, where security breaches have been more common, have updated their systems to facilitate electronic transfer, and whilst the major financial institutions in the UK have done the same, Government departments were often slower to catch up, experts said.

It was often preferable to save information onto a CD and then send the 'hard copy' because of the enormous amount of bandwidth required to send large files electronically, and the complicated systems that need to be in place to rescue a transaction if it is interrupted.

Sending the 25 million odd individual records that were contained on the discs lost by HMRC would take approximately 4 hours on a high speed connection, an analyst at Gartner said. There was also the added complication of managing the 'encryption keys' - the tools which enable a recipient to decypher encrypted, or scrambled, information.

Information sent on a CD can - and should - be encrypted, they said, but there was no evidence that the HMRC had protected the data effectively in this case.

"The main issue with electronic transfer methods is getting everyone on board," Aviva Latin, chief security analyst at Gartner, said. " Say you're sending information to 5 banks. Each of them has to agree to the procedures you set up, and that presents an enormous challenge.

"Changing business and technical processes like this is also very expensive, which is why improving data transfer often falls to the bottom of an IT manager's list."

Ms Litan said, however, that the Government should be taking greater care with data transfer because of the "havoc" that incidents like this were capable of wreaking on the banking system.

She added that in 99 per cent of cases where information was lost or stolen in this way, no fraud was subsequently committed.

Brian Spector, a spokesman for the security firm Workshare, said it was "staggering" that an organisation responsible for the data of millions of child benefit claimaints "was still copying data onto CDs and not ensuring full protection through encryption techniques."

Ross Anderson, a computer security expert at the University of Cambridge, said that the breach was indicative of a wider failure of the Government's e-Government strategy which, in attempting to centralise information such as patient records, had led to vast numbers of records being shared, increasing the risk in the event that data was stolen or lost.

Explore UK News

• Science News

• Crime News

• Education News

• Health News

• Scotland News

Times Recommends

• Savers left in limbo as Icesave freezes deposits
• Kennel Club changes breeding rules
• Passengers triple risk of fatal crashes