HMRC Chairman Paul Gray has announced his resignation following the scandal, but one security expert has said that the whole fiasco could have been avoided by adopting better security practices.

"The loss of this data by HM Revenue and Customs is yet another example of the danger of putting sensitive information on an easy-to-lose format such as discs and the result of internal policies not being backed up by good security practice," said Greg Day, security analyst at McAfee.

It emerged this afternoon that the incident happened over a week ago and it is still unclear just how much damage has been done.

"The department will need to explain to consumers why it has taken 10 days to disclose this breach and the extent of the risk to their personal details. At this point we would have to assume the worst until more details are given and the public and the government should be taking steps to limit the damage and risk, if and when the data enters the wrong hands," said Day.

Chancellor Alistair Darling made a statement in the House of Commons this afternoon, telling the House: "This is an extremely serious matter. The HMRC has failed to meet the high standards expected of it."

Darling admitted that the lost discs had still not been found but there was "no evidence" that it had fallen into the wrong hands.

According to the Chancellor, some 25 million individuals' records have been compromised, with data such as names, addresses, dates of birth and bank account numbers exposed.

The breach occured when the discs were posted from HMRC to the National Audit Office.

Another security expert questioned the need for the data to be downloaded onto discs and put in the post.

Chris Mayers, chief security architect at Citrix, said: "Why did this information even need to be transported at all? In these days of secure remote access there is rarely any need for data to be written onto a CD and transported anywhere.

"All organisations handling sensitive data need to realise there is nothing more important than their responsibility to keep that data secure. That means ensuring data is properly encrypted, and travels only when necessary: not on ordinary CDs, print-outs, or even on laptops - all of which appear to go missing with appalling regularity," Mayers continued.

Dominic Hoskins of Panda UK was concerned that the data on the discs wasn't even encrypted.

"Not content with physically sending the discs via an unsecured and untraceable delivery system they also failed to protect the data on the discs by not even encrypting it," Hoskins said.

Analyst Graham Titterington of Ovum cautioned that the security breach had serious implications for any proposed national identity card scheme.

"Politicians will inevitably warn of the risks of concentrating much personal data into a single system, as is planned for the National Identity Card. These fears are fully founded. There was a recent leakage of information from the UK Visa applications system and an earlier leak from the Department of Work and Pensions - two of the key components of the proposed National Identity database," he said.

"So long as it is physically possible for junior officials to download complete databases there can be no confidence in the security of information contained in them," Titterington warned.

www.mcafee.com
www.hmrc.gov.uk
www.citrix.com
www.ovum.com
www.pandasoftware.co.uk

Claim 50p off Web User's Ultimate PC & Web Workshops!

More news via RSS Post item to Del.icio.us Post item to Digg.com

Back to index