Criminal lack of common sense
Government department loses the personal details of 25 million UK tax benefit claimants. Yawn. It's happened before, and it will continue to happen until everyone - private companies, Governments and the like - starts to create real cultures of security within their organisations. In case you're unfamiliar with this story, in October 2007 an employee within Her Majesty's Revenue and Customs ("HMRC") copied the names, addresses, NI numbers and bank details of 25 million unlucky people onto a couple of CDs, then popped them in the post. Predictably they vanished into thin air, sending everyone into a frenzied panic.
Not to be outdone, some other bright spark in HMRC decided that he'd get in on the action by sending out a further 6 CDs of data in exactly the same manner. You probably guessed the punchline - according to BBC News, these new discs went missing too. That's not the interesting part of the story though.
It's been widely reported that this practice of copying confidential information onto a CD then chucking it in the post has actually been in place since early 2007. Presumably someone came back into the office from a long weekend and announced with gusto, "I had a great idea in the bath last night - let's ship confidential information between departments on CD without any encryption!". No doubt there was a murmur of agreement and a shout from someone at the back of the room, "That's a great idea, but whatever you do don't post it using a recorded delivery service". The visionary leadership done, everyone went back to work and left the 16 year old kid on work experience to label the CDs and put them in the post. The rest, as they say, is history.
Oddly the surprising part here is not that HMRC didn't use the secure networks already available to them to transfer this data. Nor is it strange that they didn't use a strong encryption mechanism to secure the data. It's less than shocking that they didn't consult a security expert to check best practice for this kind of thing, and if they did there's a consultant somewhere polishing their CV and removing the "HMRC Security Consultant" section from it. It's also completely believable that the discs went missing somewhere between the work experience kid's desk and their final destination.
No, the really, really shocking part of this fiasco is the following quote reported by Thomson Financial News:
The department of Revenues and Excise (HMRC) risks more errors, similar to the loss of 25 mln child benefit records, if it is forced to proceed with cost cutting plans while initiating new tax policies, a leading financial adviser said. Grant Thornton said more mistakes will be inevitable if the government pushes the HMRC to reduce its funding and staff while its workload is increasing. Francesca Lagerberg, head of Grant Thornton's national tax office said that while the government ought to question the HMRC's costs, the cuts are untimely. "It is now a merged department and has taken on considerable new activity such as tax credit payment," said Lagerberg. "Without suitable funding for this transformation, the cracks are beginning to show," she said.
Grant Thornton is an extremely well known and respected financial services company who clearly need to get a slightly stronger grip on the press statements given by their staff. The idea that this massive, criminal loss of data is all due to cost cutting is absolutely ludicrous. Cost cutting has absolutely nothing to do with the idiotic decision to copy confidential data to CD, to leave it without strong encryption, and then to stick it in the post without even purchasing a proper parcel tracking service for it.
I'm picking on Grant Thornton today because they were first off the mark with the silly press release. This "over-worked and under-funded" defence is one we'll no doubt hear a lot of over the next few days, and it's an irrelevant one. The reason someone sent confidential data via an insecure method is purely and simply down to a lack of security culture. If these people had attended (and absorbed just a little of) a "Security Essentials" course they would know that encryption is an absolute necessity in these situations. Nobody expects them to debate the finer points of Blowfish versus 3DES, but if they were simply aware that encryption was necessary they could have asked for guidance on the next steps.
Not sending the CDs via a registered post service? That's just a moronic lack of common sense. In these situations you should ask yourself one question - "If that was my personal data and it went missing, how upset would I be?". Admittedly the "under-funded" defence might apply to the cost of a track-and-trace service, but if things are really that bad in HMRC I'll quite happily lend them a tenner in the meantime.
This incident is proof of something all decent security professionals know. Technology does not provide security by itself; organisations need a strong culture of security to keep confidential data and systems safe. In the modern world it's not good enough to say, "Security? That's something those weird people in the IT department deal with". It's everyone's responsibility. The culture has to be created and actively reinforced from the top down.
On the plus side this will hopefully be the final nail in the coffin of UK ID Cards - a topic for another time.

