In a statement to the House of Commons, the Chancellor Alistair Darling explained that the data had been held on two disks that had been sent to the National Audit Office (NAO) from an HMRC office. The chairman of HMRC had already offered his resignation after the breach was made public.
The disks were said to be protected by passwords but the Chancellor did not say whether the disks were encrypted.
To gasps from the Opposition benches he added that the disks had been sent by a junior HMRC employee via a TNT courier, but the package was not registered or recorded - in contravention of HMRC rules. When the disks failed to arrive, a second disk was sent by registered post which did arrive at the NAO. A police investigation has begun to find the missing disks.
“I regard this as an extremely serious failure by HMRC and appropriate steps are in place. There is no evidence of unusual activity and police have no reason to believe the data has fallen into the wrong hands,” the Chancellor told the Commons, flanked by the Prime Minister Gordon Brown. He added that HMRC had now introduced changes in its security procedures and that “the Government took the protection of personal data extremely seriously”.
Calling the incident a “catastrophic mistake” the Shadow Chancellor, George Osborne asked: “What is the point of this House passing laws to protect people’s private data if those laws are not followed by government?”
Industry figures were quick to condemn HMRC and the Government. Tom de Jongh, product manager at encryption specialist SafeBoot, said: “The responsibility must lie with the people in charge, and it is only right that Mr. Gray resigned. Under his leadership, mandatory security measures should have been in place to make sure these mistakes do not occur.”
Greg Day, security analyst at McAfee, said that the loss of the data by HMRC was: “Yet another example of the danger of putting sensitive information on an easy to lose format such as disks and the result of internal policies not being backed up by good security practice.
At this point we would have to assume the worst until more details are given and the public and the Government should be taking steps to limit the damage and risk, if and when the data enters the wrong hands.”
Jamie Cowper, director of European marketing at PGP Corporation, said: “These disks should never have been transported in the first place - information of this type should only be transmitted using the strongest security protocols available such as encrypted batch transfer - but more to the point, these details should not have been stored in this medium.”
In an ironic twist the HMRC website currently carries a warning about phishing attempts by fraudsters.
UK Government condemned over loss of 25m child records
By Paul Fisher on Nov 21, 2007 9:48AM