2007 will be remembered as a bad year for those in charge of data security, but few organizations around the world can compete with the British government when it comes to sheer incompetence.
Here, briefly, is what happened. In October, Her Majesty’s Revenue and Customs (HMRC), the British equivalent of the IRS, managed to lose the child welfare payment records of 25 million people, including names, addresses, dates of birth and bank details. Bearing in mind that the population of Britain is under 60 million, the data loss affected nearly half the country.
The data was needed by another department in a different city, and rather than transfer the data over a dedicated encrypted connection, it was burned to a set of CDs and popped in the mail. When it failed to arrive, the intended recipient asked for a second set, which was sent in a similar fashion, and it was only some weeks later when the first set had still not arrived that anyone realized that something was amiss.
So what lessons can be learned? Clearly, sending removable storage media across the country using the postal service or a courier company is not a sensible way to transfer confidential data, but if the data is encrypted then it is at least protected should the media get mislaid, as long as the key remains a secret. But on both occasions when the HMRC data was burned on to CDs and shipped, it was completely unencrypted and readable by anyone. Was this contrary to HMRC security procedures? An HMRC spokesman declined to comment.
Even without encryption, the data would have been relatively useless if it had been anonymized. And it turns out that the intended recipient — the National Audit Office — only needed a subset of the data that was sent, and asked for all the names and some of the bank details to be stripped from the data as a security precaution. But HMRC is reported to have claimed that it was unable to do this, and instead sent all the data it had, including confidential information that was not required.
“The problem is that in situations like this, busy individuals will always take the easiest option if they can,” said Graham Titterington, an IT security specialist at analyst firm Ovum. “Sending a set of CDs was easy, and they didn’t encrypt them, as that would have been a hassle. And they weren’t asked for all the data that they sent, but they sent it all anyway as that was easiest. Unless appropriate procedures are in place, then you can’t blame individuals.”
It Gets Worse
One of the problems with data security is that many of those responsible for its safekeeping are simply unaware of how valuable it is to criminals, and how easily it can be misused, said Titterington.
This was illustrated recently when British journalist Jeremy Clarkson (also presenter of BBC’s Top Gear) wrote a newspaper column in which he heaped scorn on those who were worried about government data losses, and to prove his point he published his bank account details. “All you’ll be able to do with them is put money into my account. Not take it out. Honestly, I’ve never known such a palaver about nothing,” he wrote in Britain’s Sun newspaper.
But Clarkson very quickly discovered how valuable even basic banking information can be. “I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account,” he wrote in the Sunday Times just days later.
Without the realization of how valuable personal information can be, many security procedures will have limited value, Titterington said. “I have seen cases of the key for encrypted data being written on the case of the disk in pen,” he said. Moves like that are sure to create a market for key management solutions.
Since the data fiasco, HMRC has been looking to clean up its act, and a review has been set in motion chaired by Kieran Poynter, the chairman and senior partner of professional services firm PricewaterhouseCoopers LLP. In a preliminary report, Poynter said the following measures have now been taken:
- A reminder to all staff from the Chairman of HMRC of the importance of data security with some specific guidance;
- The appointment of a senior official to the new post of Director of Data Security;
- The appointment of Data Guardians in each area of HMRC;
- The imposition of a complete ban on the transfer of bulk data onto removable media without adequate security protection such as encryption;
- The disabling of the download function on all personal and laptop computers in use across HMRC to prevent their use to download data onto removable media.
- The utilization of secure couriers and appropriate tamper-proof packaging in the transport of bulk data stored on removable media.
The second to last measure is slightly worrying — it demonstrates such a lack of understanding of the word “download” that one wonders if the author can possibly understand the issues involved. The other recommendations are all sensible — what’s amazing is that they weren’t in place already.
Perhaps the key lesson to be learned from all this is that regardless of the value and sensitivity of any data you may be storing, the chances are that it won’t be protected in the way it should be, even if appropriate procedures are in place.
What’s needed is a “carrot and stick” approach — educating staff so they understand the value of data and the reasons why security procedures have been put in place so they are inclined to protect the data, and ensuring that procedures are followed by putting in place staff to police all data movements and disciplinary procedures to deter staff from breaking the rules.
It’s a lesson that has come too late for Paul Gray, the chairman of HMRC at the time of the data loss. Thanks to the ease with which a member of HMRC’s staff was able to burn a few disks and pop them in the post, Gray will be taking it easy himself for a little while: as the top person in the HMRC, he had no option to take responsibility for the data loss and resign his well paid post.
For the rest of the country, the incident has been a wake-up call — and Britons are unlikely to take it easy until new security measures are in place and working.
Paul Rubens is a freelance technology writer based in the UK.