Data on 15m benefits claims 'lost by Customs'


licoricepizza
20-11-07, 02:15 PM
http://www.telegraph.co.uk/news/main.jhtml;jsessionid=VI3DKMLFETR1NQFIQMFCFFOAVCBQYIV0?xml=/news/2007/11/20/ncustoms220.xml

The head of Revenue & Customs has resigned after his department lost the details of as many as 15 million child benefit claimants in what is believed to be one of the world's biggest ID protection failures.

Paul Gray quit ahead of a Commons statement this afternoon by Chancellor Alistair Darling on "a major operational problem".

It is understood the information was stored on discs, which went missing in transit and have not yet been recovered. The Metropolitan Police are investigating.

The data includes names, home addresses, dates of birth, National Insurance numbers and bank details of millions of child benefit recipients.

It is understood that senior officials from Revenue and Customs were called to a meeting with Treasury officials at the weekend as the scale of the problem emerged.

It is not the first security breach involving HM Revenue & Customs.

Earlier this month, BBC Radio 4's Money Box programme reported that a CD containing the personal details of thousands of Standard Life pension holders had gone missing, leaving them at risk of fraud.

Nearly 15,000 customers were warned to be on high alert for potential scams after their data was lost in transit by an external courier. However, it is thought that the statement does not relate directly to that case.

The revelations are likely to pile more pressure on Mr Darling, who has already been heavily criticised for his handling of the Northern Rock crisis.

In a statement, Mr Gray said: "This is not the way I would have planned to organise my departure from HMRC."

Michael Fallon, the Conservative member of the House of Commons Treasury Committee, said he was "stunned" by Mr Gray's departure.

He told BBC News 24: "Paul Gray is a very distinguished public servant who had served successive governments and we thought had a very good grip on the problems at Revenue and Customs."

The merger of Customs and Excise with the Inland Revenue announced by the then Chancellor Gordon Brown in 2004 created the biggest department in Whitehall.

The giant, minister-less super-ministry, was put under the control of an executive board, although the Chancellor remained responsible to parliament for its operations.

licoricepizza
20-11-07, 02:16 PM
If only we had biometric ID cards.

Mr Toad
20-11-07, 02:55 PM
Anyone want to buy a CD . . . :-dd

the_lone_wolf
20-11-07, 03:39 PM
If only we had biometric ID cards.
and they wonder why people aren't keen on stumping up their personal details for the scheme:rolleyes:

Tiger 55
20-11-07, 03:56 PM
They're saying 25 million now in the House of Commons.

Do I hear 30?

Viney
20-11-07, 03:58 PM
Anyone want to buy a CD . . . :-dd
Downloaded it off Bit Torrent 20 mins ago.

It's only people on Benefits, so what use is it to anyone, they haven't got any money in the 1st place!!

ArtyLady
20-11-07, 04:40 PM
Downloaded it off Bit Torrent 20 mins ago.

It's only people on Benefits, so what use is it to anyone, they haven't got any money in the 1st place!!

I thought it was child benefits? - everyone with children gets that - it's a set figure per child - stops when they leave full time education.

DanDare
20-11-07, 04:41 PM
Why if the information was so important did they give the job of sending it to a low grade worker?

Pedrosa
20-11-07, 04:42 PM
and they wonder why people aren't keen on stumping up their personal details for the scheme:rolleyes:

I think you miss the point somehow fella. I can assure you that a biometric system is more fail safe than anything else being presently used.

I have intimate knowledge of a system that has been developed which "presently" cannot be cheated. I can't say too much about it but I can assure you it would if adopted by banks for example, virtually remove credit card fraud from the world. It also has a wide spread of applications for point of sale, access control, cash dispensers plus a plug in version can be created that can fit in to your pc and allow safe internet transactions to take place.

The system I mention is far more accurate than finger tip reading, eye reading or voice activated systems.

Biometrics definitely the way ahead. Although the security of information being provided perhaps falls in to another category!

the_lone_wolf
20-11-07, 05:33 PM
I think you miss the point somehow fella. I can assure you that a biometric system is more fail safe than anything else being presently used.
doesn't matter *what* they're storing, it's the storage methods that aren't able to prevent events like this, human error will ALWAYS be a factor. pretty much every large government run computer database since labour came to power has had problems, they should just face the facts that they aren't good at implementing those kind of schemes. the fact that they're storing people's eye colour, height or even DNA sample only means that it's THAT information that gets out when (not if) someone makes a boo boo

to paraphrase, when the systems do exist to completely eliminate fraud AND human error, then it's peachy, but until then you'll have to keep coming up with more idiotproof methods, and the universe will keep coming up with better idiots:joker:

tigersaw
20-11-07, 06:59 PM
The disks were encrypted though, obviously?

chazzyb
20-11-07, 07:33 PM
It's only people on Benefits

So that's most of the population, then. Any woman with children aged sub-18 gets child benefit. So that's my missus included.

If it wasn't *really* serious, the head of HMRC wouldn't have fallen on his sword like he did. I just hope his boss, and his boss in turn do too.:smt103

Grinch
20-11-07, 10:41 PM
Yep that would include Jax too, I do hope the data is encrypted, it would be so stupid not to have.

fizzwheel
20-11-07, 10:49 PM
The disks were encrypted though, obviously?

nope, just password protected... useless...

Grinch
20-11-07, 10:58 PM
Oh crap... bloody fools.

Ed
20-11-07, 11:37 PM
The Inland Revenue saving money. Bet they sent it second class.

northwind
20-11-07, 11:41 PM
Course, there's not much actual risk... People are paranoid about bank account details, but if you've ever written a cheque you've given them out, that doesn't seem to count though. But, if you've used your kid's name or date of birth as memorable info for phone access etc, well, you might want to change that ;)

Grinch
21-11-07, 12:13 AM
The main problem is that they could commit fraud with your details, as they have a lot of information to claim they are you.

Flamin_Squirrel
21-11-07, 09:11 AM
Course, there's not much actual risk... People are paranoid about bank account details, but if you've ever written a cheque you've given them out, that doesn't seem to count though. But, if you've used your kid's name or date of birth as memorable info for phone access etc, well, you might want to change that ;)

If it was just account details on their own, perhaps it wouldn't be a problem. When they're given out with names, addresses, dates of birth, NI numbers...

gettin2dizzy
21-11-07, 10:01 AM
So they somehow managed to copy the details on to CD - which shouldn't have been done,
Forgot to encrypt the data -
Posted the data - which shouldn't have left the building
Forgot to post it recorded.

That is an amazing series of blunders!

DanDare
21-11-07, 10:04 AM
I heard on the news they used TNT couriers, so they must have some sort of paperwork trailer. It wouldn't surprise me if it had been delivered and is sitting under a mountain of paperwork on someone's desk somewhere at the Treasury.

And the CD must be massive to cater 25 million records???

BristolMatt
21-11-07, 10:49 AM
Not sure how long these will be on here :D

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&rd=1&item=290184203092

licoricepizza
21-11-07, 11:02 AM
and they wonder why people aren't keen on stumping up their personal details for the scheme:rolleyes:

Yep. Don't put all your eggs in one basket n'all.

ArtyLady
21-11-07, 11:47 AM
Not sure how long these will be on here :D

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&rd=1&item=290184203092

Class! :lol:

Ceri JC
21-11-07, 12:02 PM
Without wishing to go into the (extremely boring) specifics, they've managed to violate the Data Protection Act quite spectacularly, even if like most government departments they try to weasel out of their need for compliance. I'd be interested to see if the Information Commissioner's Office gets involved and brings charges against Customs, our current ICO has the balls to go after other government departments who aren't taking things seriously enough (and has done in the past).

Pedro68
21-11-07, 12:27 PM
Not sure how long these will be on here :D

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&rd=1&item=290184203092
LMAO ... and have you seen this one too? (not sure if it's already been posted) ...

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=130176357093&ru=http%3A%2F%2Fsearch.ebay.co.uk%3A80%2Fsearch%2Fsearch.dll%3Ffrom%3DR40%26_trksid%3Dm37%26satitle%3D130176357093%26fvi%3D1

the_lone_wolf
21-11-07, 12:31 PM
LMAO ... and have you seen this one too? (not sure if it's already been posted) ...

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=130176357093&ru=http%3A%2F%2Fsearch.ebay.co.uk%3A80%2Fsearch%2Fsearch.dll%3Ffrom%3DR40%26_trksid%3Dm37%26satitle%3D130176357093%26fvi%3D1
I LOL'd:smt023

BristolMatt
21-11-07, 01:08 PM
LMAO ... and have you seen this one too? (not sure if it's already been posted) ...

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=130176357093&ru=http%3A%2F%2Fsearch.ebay.co.uk%3A80%2Fsearch%2Fsearch.dll%3Ffrom%3DR40%26_trksid%3Dm37%26satitle%3D130176357093%26fvi%3D1

No hadn't seen that one. LMAO at Gordo in his Brownie top :smt044

kwak zzr
21-11-07, 04:14 PM
Not sure how long these will be on here :D

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&rd=1&item=290184203092

removed:(

gettin2dizzy
21-11-07, 04:21 PM
Nope the seller ended early. Bought by 'ADarling'

northwind
21-11-07, 05:17 PM
If it was just account details on their own, perhaps it wouldn't be a problem. When they're given out with names, addresses, dates of birth, NI numbers...

None of which should be enough to bypass a bank's security, though.

Biker Biggles
21-11-07, 06:09 PM
I find it incredible that so few people question the fact that the state holds so much information about us on these databases. The assumption seems to be that the state is something benign, but I would beg to differ.

northwind
21-11-07, 06:39 PM
It doesn't strike me as excessive info in this case, it's quite hard to pay people child benefit if you don't have their bank account details frinstance.

CoolGirl
21-11-07, 07:56 PM
I find it incredible that so few people question the fact that the state holds so much information about us on these databases. The assumption seems to be that the state is something benign, but I would beg to differ.

Oh dear. So how do you think benefit fraudsters, TV license and Road Fund License evaders, to name but a few, get caught?

OK, so the systems are run by muppets (and believe me, it frustrates me too), but that's what you get with public services that are cut to the bone and woefully underresourced.

(And yes, I had a bad day at the office. A bad month, in fact!)

Flamin_Squirrel
21-11-07, 08:37 PM
Oh dear. So how do you think benefit fraudsters, TV license and Road Fund License evaders, to name but a few, get caught?

OK, so the systems are run by muppets (and believe me, it frustrates me too), but that's what you get with public services that are cut to the bone and woefully underresourced.

(And yes, I had a bad day at the office. A bad month, in fact!)

I'd assume that what Tim means is that there's nothing wrong with the tax office being aware of your annual income, but it's probably un-necessary for civil servants at the DVLA having access to that information. Or your medical records. Or your bank details. Or your marital status...

Xan173
21-11-07, 08:38 PM
I wouldn't worry too much. You know all those off-shored call centres outside the EU? Well, the data protection act doesn't apply there. Our data is being freely exported on a daily basis.

It's all a shambles, but in this case designed to get shot of Gordon Brown who was responsible as chancellor for the reorg of those departments before succeeding as PM.

Biker Biggles
21-11-07, 08:48 PM
Possibly a bit of a generation gap here, but I grew up in a time when we were relatively free from being endlessly listed and logged on these databases. I think we have lost a considerable slice of individual freedoms since then. Am I alone in finding the tone of those adverts about TV license or road tax surveillance offensive? "There's no escape. We are watching you. We know everything"
My Great Grandad (Liberal Party politician) must be turning in his grave and the thing that would concern him most is the sheer complacency that allows hard won freedoms to be given up.

northwind
21-11-07, 08:55 PM
I wouldn't worry too much. You know all those off-shored call centres outside the EU? Well, the data protection act doesn't apply there. Our data is being freely exported on a daily basis.


Not true at all. One of the main 8 principles is that information is "not transferred abroad without adequate protection."- the DPA doesn't apply abroad but it doesn't matter, the offence takes place when the info is transferred abroad.

CoolGirl
21-11-07, 09:01 PM
it's probably un-necessary for civil servants at the DVLA having access to that information. Or your medical records. Or your bank details. Or your marital status...

And they don't, which is why there are data gateways to ensure that departments only have access to the data they need (there's some hefty legislation on this, go look it up).


Possibly a bit of a generation gap here, but I grew up in a time when we were relatively free from being endlessly listed and logged on these databases. I think we have lost a considerable slice of individual freedoms since then. Am I alone in finding the tone of those adverts about TV license or road tax surveillance offensive? "There's no escape. We are watching you. We know everything"
My Great Grandad (Liberal Party politician) must be turning in his grave and the thing that would concern him most is the sheer complacency that allows hard won freedoms to be given up.


Agreed. But there's liberal, and there's accountable. Unfortunately, there are elements of society that abuse the welfare system etc, and without monitoring we can't detect fraud. And that's public money that's being abused. I'm guessing that our friend Mr F Squirrel would be one of the first to be up in arms at the merest hint of misappropriation of public funds.

Xan173
21-11-07, 09:10 PM
Not true at all. One of the main 8 principles is that information is "not transferred abroad without adequate protection."- the DPA doesn't apply abroad but it doesn't matter, the offence takes place when the info is transferred abroad.

So what happens when you validate your identity? That gets recorded, and in turn bypasses that regulation.

-Ralph-
21-11-07, 10:19 PM
Idiots, idiots, idiots. I'll just stop shredding bank statements before I put them in the bin shall I? The HMRC will just give my details out anyway so why bother?

It's not the HMRC workers' fault though. The IT systems should never have allowed an unencrypted copy of that database to be written to removable media. When products such as Checkpoint's PointSec Protector are readily available as a boxed product, low cost and easily deployed, there is absolutely no excuse for this data to be compromised. Public sector IT systems are in general, a shambles.

None of which should be enough to bypass a bank's security, though.

Bank security procedures are only as good as the member of staff executing them. As are HMRC data protection procedures! The leak of this information has increased the risk of identity fraud for those on the database.

-Ralph-
21-11-07, 10:21 PM
http://www.thisislondon.co.uk/news/article-16963740-details/'Gang+robbed+Ricky+Gervais+of+%C3%82%C2%A3200,000'/article.do;jsessionid=XsYMF5QcFzTTD2tRkLdnB60hVV1JnK9Q8pHgKsKtDRpMgq8xGSwf!-904198276!-1407319225!7001!-1

Something a bit more light hearted, but just shows what can be done with very little information and shows how bank clerks can be convinced to do the wrong thing.

northwind
21-11-07, 10:37 PM
So what happens when you validate your identity? That gets recorded, and in turn bypasses that regulation.

No it doesn't. It's an offence to transfer information abroad without adequate protection, right? So, if when they process the information to validate your ID etc they fail to enforce adequate protection, then that's a DPA breach against the UK company.

Ceri JC
22-11-07, 09:38 AM
No it doesn't. It's an offence to transfer information abroad without adequate protection, right? So, if when they process the information to validate your ID etc they fail to enforce adequate protection, then that's a DPA breach against the UK company.

The 8th principle is a bit of a grey area. If the country you're exporting the data to is in the "adequacy club" (collection of countries whose DP laws are deemed adequate, full list available at the ICO's website), it's usually deemed to be acceptable and should there be breaches, they can be prosecuted using the country's own law. Of course, people offshore data in countries that aren't in the adequacy club all the time (India is one example that springs to mind) and most of the time, this is fine. There is a greater expectation on you having checked their DP practices are adequate/secure, though.

Baph
22-11-07, 10:26 AM
It's only people on Benefits, so what use is it to anyone, they haven't got any money in the 1st place!!
Child Benefit. Also, the threat is identity theft. You don't need to have money for that, and the problem comes when someone takes out a loan in your name, then doesn't pay the bill.

I have intimate knowledge of a system that has been developed which "presently" cannot be cheated. I can't say too much about it but I can assure you it would if adopted by banks for example, virtually remove credit card fraud from the world. It also has a wide spread of applications for point of sale, access control, cash dispensers plus a plug in version can be created that can fit in to your pc and allow safe internet transactions to take place.

The system I mention is far more accurate than finger tip reading, eye reading or voice activated systems.

Biometrics definitely the way ahead. Although the security of information being provided perhaps falls in to another category!

There's only one thing that I know of that could be used there, and I would disagree that it can't possibly be cheated. If it's stored in an electronic form, there's a chance of forging it, no matter what type of encryption is used. You work in IT, you know security is only a concept, and an attacker with enough time & determination WILL break it.

The disks were encrypted though, obviously?

Nope, I know the company used to transfer the data, and they don't encrypt anything, yet work with a lot of government computer systems.

nope, just password protected... useless...

It gets worse. I haven't had dealings with the Child Benefits, but I have with other government bodies/agencies. Typically EDS (the company that look after the servers, and deal with data transfers) just literally dump an Oracle DB straight to whatever media they're sending. The only protection on the data is the stuff that Oracle put on their DB's natively.

So they somehow managed to copy the details on to CD - which shouldn't have been done,
Forgot to encrypt the data -
Posted the data - which shouldn't have left the building
Forgot to post it recorded.

That is an amazing series of blunders!

Wrong. Policy is, and never has been to encrypt data, unless specifically requested by the recipient.

If you don't post the data out of the building, how does it get to the recipient? You have to remember that there is NO connection to the internet or any other computer network outside the building in situations like this. Mainly because a network connection of any sort is a far greater risk than sending an unencrypted disc by Royal Mail (no bad press intended about RM there either).

Again, why post it recorded delivery? EDS deal with a lot of things, not only government projects. It would be the client agreement that should have stated it was to be posted recorded delivery, and even then, it's easily overlooked when you're sending lots of data everywhere.

I will say though, that due to having dealings with EDS, they're far from being a perfect company. However, this has been a disaster that has been predicted for a while, just no-one took the danger seriously.

Baph
22-11-07, 10:36 AM
I heard on the news they used TNT couriers, so they must have some sort of paperwork trailer. It wouldn't surprise me if it had been delivered and is sitting under a mountain of paperwork on someone's desk somewhere at the Treasury.

And the CD must be massive to cater 25 million records???

The courier is irrespective in all this. They deliver brown paper envelopes (ok, so it's a generalisation), but they have no knowledge of what's inside.

Also, you'd be surprised about the amount of information that you can fit on a CD. Remember that it could have easily been an 800MB CD. Then also take into account that it will be a database dump, which has then been compressed. You're talking there about a text file that gets compressed, and these can be massively compressed.

Before now I've seen a 40Gb database fit on a 1Gb pen drive. That was done by EDS too, funnily enough.


It's not the HMRC workers' fault though. The IT systems should never have allowed an unencrypted copy of that database to be written to removable media. When products such as Checkpoint's PointSec Protector are readily available as a boxed product, low cost and easily deployed, there is absolutely no excuse for this data to be compromised. Public sector IT systems are in general, a shambles.


You're partly right there. But the work was farmed out to someone else (namely EDS, as has been publicised in the media, otherwise I wouldn't be posting this), it wasn't done by HMRC.

If there's no excuse for data to be compromised like this, how much does the commercial licence cost for Checkpoint's PointSec Protector? There's your excuse right there.

EDS as a company haven't particularly done anything wrong, just that their policies (as defined by their client agreement with HMRC) weren't sufficient in this case. So the fault IMO is joint. If HMRC had insisted that all data transfers of any nature be encrypted, then they'd have been encrypted.

As I just posted, EDS aren't a perfect company, but I won't go into their flaws that I've experienced, because I don't know if they count in this case, and I'm still bound to Non Disclosure Agreements, even though I left my job months ago. (Note: All of the specific details I've given, are already public knowledge via the media before I posted).

licoricepizza
22-11-07, 10:54 AM
I think it's amazing that this has only come to light because of some 'lost' CDs. Who is to say that a junior clerk hasn't just made a CD and taken it home without telling anyone? I mean, the CD's only lost if someone was expecting it.

I work in IT and security everywhere I have worked is a joke. Encryption, passwords etc. are only as secure as the user, always leaving the possibility of human error, or deliberate theft.

My objection to ID cards with biometric information is that no matter how much protection we are told our data has, inevitably it will be breached. All it takes is one instance where the information is stolen.

I started phishing in about 1997 (aged 16), using AOL (I was young and I thought it was cool) and could get up to 50 account passwords a week. I never did anything with them, it just made me feel superior (and I looked for dirty e mails - wouldn't you?). I did the same with hotmail accounts later, all it took was a mock front page, linked from my website, and an error message (which emailed me the details), and then a forward to the real site. So easy. Then came USB keys, you could then go to any computer, anywhere, providing someone was logged in (and how often do you log out?) and take GBs of info in seconds, if you were so inclined. I have since seen the light (thank god it wasn't blue and flashing!).

The point I'm making is, is that if it's there, someone will have a go. A bit like Mallory and Everest.

Baph
22-11-07, 11:00 AM
I think it's amazing that this has only come to light because of some 'lost' CDs. Who is to say that a junior clerk hasn't just made a CD and taken it home without telling anyone? I mean, the CD's only lost if someone was expecting it.

Again, the "junior clerk" wasn't a junior clerk at all. The work was done by an outside company, and probably by one of their Service Engineers.

I must admit, I have considered walking away with sensitive data on numerous occasions. Data that would be much much more valuable than the current "lost CD," but it was only ever a thought.


I work in IT and security everywhere I have worked is a joke. Encryption, passwords etc. are only as secure as the user, always leaving the possibility of human error, or deliberate theft.

My objection to ID cards with biometric information is that no matter how much protection we are told our data has, inevitably it will be breached. All it takes is one instance where the information is stolen.

That's the IT industry for you. The people at the bottom shout about security holes, but it generally never gets fixed.


I started phishing in about 1997 (aged 16)

Ah, but you only tell us about the phishing!! Note: Anything you disclose you did within the last 6 years, you can still be prosecuted for.

Phishing, for many, is only the beginning. Now learn to code. :p

Pedro68
22-11-07, 11:00 AM
EDS aren't a perfect company
As anyone who has had any dealings with the Child Support Agency and their computerised system designed and built by EDS will testify to :smt013

Baph
22-11-07, 11:01 AM
As anyone who has had any dealings with the Child Support Agency and their computerised system designed and built by EDS will testify to :smt013

I will say that they typically underquote for hardware requirements, mainly to save costs & maximise profits, which goes a long way to explaining the CSA situation.

licoricepizza
22-11-07, 11:13 AM
Again, the "junior clerk" wasn't a junior clerk at all. The work was done by an outside company, and probably by one of their Service Engineers.

Sorry, yes, but point still stands.

Ah, but you only tell us about the phishing!! Note: Anything you disclose you did within the last 6 years, you can still be prosecuted for.

Phishing, for many, is only the beginning. Now learn to code. :p

Child Support Security? Doesn't Really Matter.

Me?

Xan173
22-11-07, 11:58 AM
No it doesn't. It's an offence to transfer information abroad without adequate protection, right? So, if when they process the information to validate your ID etc they fail to enforce adequate protection, then that's a DPA breach against the UK company.

The standard contractual clauses to which you refer are not compulsory for businesses.

The current status is only a first step in developing contractual solutions as a tailor-made tool for the transfer of personal data world-wide. The Commission intends to adopt separate Decisions referring to specific types of transfers and situations. The Commission is consulting Member States and Data Protection Authorities on a new draft Decision concerning standard contractual clauses for the transfer of personal data from data controllers (i.e. any person or body determining “the purposes and the means of the processing”) established in the Community to data processors (i.e. a subcontractor processing the data on behalf of a data controller) established in non-EU countries.

Not that the current situation within the EU gives me confidence. If things are this bad (http://www.finextra.com/fullstory.asp?id=17166) here, they are at least as bad, if not worse elsewhere.

ArtyLady
22-11-07, 12:08 PM
"We're all doooooomed Mr Mainwaring...we're all dooooooooomed!:shaking:" ;)

-Ralph-
22-11-07, 07:24 PM
how much does the commercial licence cost for Checkpoint's PointSec Protector? There's your excuse right there.

EDS as a company haven't particularly done anything wrong, just that their policies (as defined by their client agreement with HMRC) weren't sufficient in this case. So the fault IMO is joint. If HMRC had insisted that all data transfers of any nature be encrypted, then they'd have been encrypted.

As I just posted, EDS aren't a perfect company

Maybe it's my black and white view of the world, but as a contracted third party supplier of HMRC, I don't make the distinction between HMRC and EDS. EDS is the HMRC's IT department.

If EDS have advised HMRC of the risk and given best advice regarding the data protection solutions available to them at bid stage, then HMRC have rejected on the basis of cost, then EDS are not at fault. HMRC may outsource IT to EDS, however they are still commercially responsible for their data.

Having managed a number of transitions of IT outsourced services where EDS was the incumbent supplier however, I know how sloppy they are, so wouldn't be surprised if this advice had never been given and if so, yes, they are as much at fault. HMRC are not in business to be IT security experts, that's why they outsource.

Where you have this kind of data and a legal and moral responsibility to protect it, cost is not an excuse IMO.

Baph
23-11-07, 12:18 PM
Where you have this kind of data and a legal and moral responsibility to protect it, cost is not an excuse IMO.

I quite agree, and we would often take things to the superiors at EDS when we didn't agree with their consultants.

I have countless experiences of where EDS have cut corners on a cost basis, so I wouldn't be surprised if this is the case here.

However, not having intimate details on the relationship between EDS & HMRC, I couldn't possibly comment on this case.