The loss of the personal data of 25 million UK residents by the Revenue and Customs service would not have occurred if basic information security systems were in place, according to experts, writes John Collins.
The two discs in question, which were lost in the post, contain information such as names, addresses, dates of birth, national insurance numbers and banking details for recipients of child benefit. The missing discs include enough information to open bank accounts, take out loans and conduct other forms of identity theft in the names of those whose details are listed.
The data is believed to have been compressed into a Zip file which was password protected but not encrypted.
Chris Mayers, chief security architect at Citrix, says the incident demonstrated a failure of people, processes and technology, all of which are required for robust security. "It shouldn't have been possible to download the entire database to CD," he says. "If it was possible, the data should have been automatically encrypted. If it was downloaded, processes should have been in place to ensure it was transported properly."
While it is understandable a junior civil servant may need access to the entire database, it is a clear failure of systems that they had the necessary level of privileges to be able to download that data and burn it on to a CD.
"The level of access you have to your information should be appropriate to the roles or duties of your job," says Brian Honan of BH Consulting.
"There is plenty of technology available in the area of data leakage prevention that can enforce that."
Large organisations should have a formal approval process in place for downloads of data, no matter how small, according to Mayers.
Citrix and other vendors also provide access control software which ensures trusted partners can be given access to the data they require only, as opposed to an organisation's entire systems.
If such systems had been in place at Revenue and Customs, there would have been no need to post the data to the National Audit Office (NAO). Instead, NAO officials could have accessed the information they needed, without having to copy any data from the revenue's systems.
Perhaps most worrying is the fact that this was not the first major data leak from the UK revenue this year. Most recently, in September a laptop with citizens' personal details went missing from an employee's home.
"As an organisation they have not learnt from past incidents," says Honan.
"That is one of the basic tenets of good security management - you put in place systems to ensure the same problems don't happen again."
According to Honan, a recent House of Lords report on information security recommended that breach disclosure laws be introduced, but the British government said they were not required. Honan believes there needs to be a sea-change in attitudes towards the protection of personal data.
"Companies need to know that information given to them by customers is not theirs," he says. "They don't own it; they are just the guardians of it."
