Stewart Twynham's IT security diary - The tip of the iceberg

Whenever I investigate a security problem within an organisation, the initial reaction is usually the same. If it's related to process and procedures, I will be told, "It's a one-off", or "It couldn't happen again, we were unlucky." If it's related to software, I hear something along the lines of, "Well, we'll just fix the bit that was wrong."

Not entirely dissimilar, in fact, to the reaction from the Prime Minister this week, and the suggestion that this whole sorry affair at HMRC was triggered by a junior member of staff not following well laid down procedures. A simple, honest mistake.

Sorry, Mr Brown, I just don't buy that story.

The loss in transit of 25 million confidential records by a government department is, frankly, catastrophic - and catastrophic failures don't "just happen". Look at any major man-made disaster, and you'll soon realise that it takes a chain of events - a series of errors of judgement, a failure of internal controls, poor planning, inadequate training and a host of other things that all need to come together at the same time to turn an honest mistake that gets spotted and corrected into something far more serious. Luck can play a part, but bad luck is not in itself a sufficient condition here.

At any point along the line, someone, anyone could have stopped these CDs from being prepared, let alone from leaving the building. Clearly, staff at all levels within HMRC need to access and process data as part of their job. Very few, however, should be able to compile such a huge data set without passing through some very serious security checks and overcoming a number of practical difficulties. At least that's what one would hope.

So let's look at some of the practicalities here. Retrieving 25 million confidential records isn't like opening "child_ben_2007.xls" in Excel on your PC. For a start, this is a very large data set that would probably tie several systems up for some time. Uncompressed, a single record could be at least 100 bytes long. Twenty-five million such records would be 2.5 gigabytes of data - not huge in modern computing terms, but still significant in terms of a database retrieval. The computer systems in use at HMRC are a mix of old and new systems, extremely complex in their interconnection and built and maintained by developers and programmers - not by junior clerks.

The BBC reported that a 23-year-old man has resigned over the disappearance of the two data CDs. However, I find it hard to believe that an individual daft enough to pop confidential records in the post would alone possess the skills and the access rights to be able to export 2.5GB of confidential data and then compress and span that data across two CDs. Not, at least, without some help.

I can only draw one conclusion - that the HMRC's computer systems have been explicitly written to allow the export of such huge quantities of data. And why would they do that? Because the bulk export of confidential data is standard practice within HMRC, and probably every government department, local council, benefit office and job centre in the country.

Of course, there may be good reason for all of this. Whether just good housekeeping or the determination to catch up with benefit fraudsters and tax-credits cheats, the government needs its various departments to share data.

I for one will not be surprised if this turns out to be just the tip of the iceberg. I expect the ongoing investigations to yield much further embarrassment for the government. What about all the CDs that don't get lost, for example? Any fool can copy a CD and then pop it in the post - it's doubtful whether anyone would be any the wiser. And who else, specifically, has had uncontrolled access rights to our most personal data over the last few years?

The real fraud risk
Should this information have fallen into the wrong hands (and that would just be speculation at this stage), then it's very unlikely that it will be used just yet. It is believed that credit card details are stolen as many as five times before they are actually used. Criminals aren't stupid. They know what to spend and how to spend it to stay below the fraud protection radar and get the most out of your personal information.

The real risk is the ability to use your identity combined with bank details to obtain a line of credit. Perhaps ordering items in your name, where you don't find out until the bailiffs turn up. Or by paying for things through direct debit from your account.

Companies like Masterwatch Credit Check and Experian offer regular credit reports and even on-line access to credit ratings. CIFAS, for example, offers protective registration through Equifax for a one-off fee.

I wonder if the government would consider covering the cost of these services - who knows, they may even get a discount if they request more than 20 million registrations in one go?

Where now for Data Protection?
The Office of the Information Commissioner has long been a joke within the security community. Even if you are a large organisation, the chances of being caught and then fined by the Information Commissioner are anything from virtually zero to non-existent.

When Nationwide was fined almost £1 million for losing a laptop containing 11 million unencrypted customer records last year, it was the FSA that imposed the fine, not the Information Commissioner. I suspect that all this is about to change, but wonder whether this will simply mean more red tape for small businesses, and very little change where the biggest problems lie.


Stewart Twynham
Bawden Quinn Associates Ltd


Number of comments: 8

AccountingWEB.co.uk 22-Nov-2007
Categories: IT Features


User Comment Richard Murphy, 03 December 2007 @ 18:29 PM

There's an easy solution to this problem
There's a common thread

Outsourced carriers

Stop using TNT

Richard Murphy


User Comment Erica Hill, 03 December 2007 @ 16:22 PM

Sensitive housing benefit data lost
Headlines in today's edition of the Huddersfield Daily Examiner advise 45,000 Kirklees claimants' details - on two CDs! - are missing in transit to DWP by TNT. The CDs were sent in August as part of the normal information which every council is obliged to send to DWP each month and includes names, addresses, dates of birth, NI numbers etc. A review by Kirklees of its communications with government departments following the revelation of the missing Child Benefit data elicited the information from DWP that these discs were still missing. Kirklees council has now ordered a freeze on data transfers to all government departments until they are satisfied that information sent is secure and confidentially received. Quite how they intend to achieve this is unclear.

This does support Mr Twynham's point regarding the vast amount of confidential data which is apparently moved regularly between different government departments with blatant disregard for a basic level of security. It does beg the question of exactly how much lost information is out there. And we are moving towards a national ID card? Perhaps the hackers, forgers and criminals will soon be able to provide us with a cheaper version than Mr Brown's.

Erica


User Comment Richard Murphy, 30 November 2007 @ 12:57 PM

Please don't exaggerate
95% of the lost data is publicly available

Try the census, for starters

Richard


User Comment Mike Whittaker, 29 November 2007 @ 17:51 PM

Serious, though?
@Richard:
Ovum principal analyst Graham Titterington: "If the data has fallen into the hands of identity thieves, which is unlikely, the entire national identity ecosystem is undermined for two generations."

So, not exactly a catastrophe, just a potential one ...


User Comment Richard Murphy, 29 November 2007 @ 11:05 AM

Catastrophic?
I gave up with this story the moment it described the data loss as "catastrophic".

Serious, yes. Needing action, definitely.

Catastrophic. Never, and to say so is to live in a world of fantasy.

No one has died. No one has lost a penny. No one even knows that anything has been lost.

Please, to use the vernacular, "get real" and deal with the issue, but drop the hyperbole.

Richard Murphy



User Comment Mike Whittaker, 29 November 2007 @ 09:42 AM

Not taken seriously
The police do not take data protection seriously either.

Some time ago some personal information was misused by an agency, I notified the police who were able to find the relevant identifying phone number via BT.

But they then refused to take matters further since they believed a prosecution was unlikely, and refused to let me chase it up by denying me access to the phone number for reasons of ... data protection.

The Data Protection office did not want to take it up due to lack of help from the police.

I think just a shot across the bows of the agency would have helped them put their house in order; as it is, they remained unaware that abuse of information was occurring.


User Comment David Winch, 23 November 2007 @ 18:21 PM

A chain of events

I absolutely agree that when things go badly wrong it is (almost) invariably not the result of one error, it is the coming together of a whole series of errors.

To argue the opposite is like saying England were eliminated from Euro 2008 because Croatia scored the winning goal in the last 20 minutes of the final game. The problem goes much deeper than that.

If you look at cases of accountants or solicitors convicted in relation to money laundering (as I do) or even at investigations into aircraft crashes, these things do not happen as a result of a single error. They happen after several opportunities to avoid disaster have been missed and a number of rules have been broken.

Have HMR&C been re-engineered too much over the past few years in the name of efficiency and have intangible and non-measurable assets, like the relevant knowledge, experience and common sense of their staff, been lost along the way?

As for the risk of future losses due to fraud, those of us in the 'fraud community' (perhaps I should say fraud prevention community) know that it is all too common for call centre staff to leak confidential information to criminals (either in return for payment, or accidentally, or in response to threats, or because they took the job for the purpose of obtaining and misusing the information). Why should HMR&C be immune from the risk of ID theft via its employees?

David


User Comment Simon Hurst, 23 November 2007 @ 10:52 AM

Excellent summary
What amazes me the most at the moment is that the 'it was only a junior official' bit is being defended as though it makes everything less worrying. For me it would be infinitely more reassuring if it had happened due to the actions of a senior official - at least that might mean there were some procedures in place to stop anyone getting at the data. The fact that a junior official could apparently do what they did has far greater implications for the data security procedures and culture throughout government.

One of the most important points Stewart (and others) have made is that if it could be done, how do we know it hasn't been done on a similar or smaller scale many times before? How do we know criminals are not currently cultivating links with staff at key government establishments now they know for sure how easily they might be able to get at very valuable data? Is anyone checking the contents of staff's MP3 players as they leave each evening....

Simon Hurst
