Published on AccountingWEB.co.uk (http://www.accountingweb.co.uk)
HMRC data security lapses - the final straw. By John Stokdyk
Created 20/11/2007 - 11:23

Paul Gray's resignation [1] as chairman of HM Revenue and Customs this week followed a series of increasingly dramatic breaches of the tax department's data security.

While the episode brings home the paramount importance of good information security, it also renews concerns over management and morale at the merged tax department. Gray has been closely involved with the HMRC's structural merger and was delegated by his predecessor David Varney to lead a task force in 2004-05 to establish the true scale of tax credits overpayments and to find remedies for the fiasco.

In a recent appearance before the House of Commons public accounts committee, Gray admitted that payments made by IT contractor EDS under a £71 million compensation package for the botched tax credits IT system were "lower than expected". EDS had so far paid only £250,000 and Gray threatened litigation if the compensation payments did not accelerate in 2008.

With the tax credits fiasco refusing to go away, HMRC has continued to draw increasingly critical comments from the opposition. Surveys, news reports and comments on AccountingWEB also highlighted morale problems [2] among HMRC staff, who face cuts of more than 10,000 full time equivalent jobs in the government's efficiency drive [3].

But it was a data security lapse that precipitated Gray's departure, after it emerged that a pair of password-protected disks containing details of 25 million individual child benefit recipients had been lost by the courier on their way to the National Accounting Office.

The information included names, addresses and birthdates for 25 million recipients of child benefits from more than 7 million families, and details of bank and building society account numbers into which the payments were made.

"This is an extremely serious matter," said chancellor Alistair Darling in his Commons statement. "HMRC has a responsibility towards the general public who entrust it with highly sensitive personal information. It has failed to meet the high standards that should be expected of it.

"I deeply regret this and apologise for the anxiety that will undoubtedly be caused. Banks and building societies will continue to monitor their accounts and no one will suffer any loss if they are an innocent victim of fraud."

BBC Radio 4's Moneybox programme [4] raised the profile of data vulnerabilities within the department on 3 November when it followed up two incidents. In the first, an HMRC laptop with details on 400 individuals with high value savings accounts was stolen from the boot of a tax official's car. Then it was reported that CD-ROMs containing personal information on around 15,000 Standard Life customers were lost in transit from HMRC's Newcastle offices to Edinburgh.

In his Commons statement on the latest HMRC data breach, Darling said that the information was not sufficient to gain access to individuals' bank accounts and that there was no evidence that any irregularities or fraud had occurred as a result. But as AccountingWEB's security correspondent Stewart Twynham recently warned [5], gaining access to existing accounts is not the primary motive behind identity theft. Personal information such as birthdates, bank account details and national insurance numbers are much more valuable to criminals because they can use the information to set up new accounts or lines of credit.

"The fact that a junior official would dispatch a pair of disks on the basis of a telephone call and not comply with departmental rules is a serious indictment of HMRC's information security policies," said Twynham. "I suspect that Mr Gray will not be the only one in the firing line for this. I guess this is a timely reminder that something as mundane as some computer records stored on a couple of CDs has the potential to bring down a government department."

The police are continuing to hunt for the missing disks and the Information Commissioner has been notified and is likely to take further action against the department over breaches of the Data Protection Act, Darling said. The chancellor has also asked PwC's UK chairman Kieran Poynter to investigate HMRC's procedures for data handling and will publish his report in the spring.

Twynham commented: "The size and scope of data loss is huge. In terms of risk assessment, it's reasonable to assume that 'any fool' would understand the stupidity of sending the confidential records of half the country on a couple of CDs by courier or through the postal system." [After the initial HMRC disks failed to reach the NAO by courier, they were resent by registered post].

The chancellor emphasised that a "junior" staff member was responsible and that in future it will only be possible to send data if signed off by a senior manager. "This completely misses the point," said Twynham.

"This suggests a massive lack of basic access controls within HMRC. There is a key principle within security called the rule of least privilege, which means only allowing access to information by those who need it.

"What the chancellor is saying is not only was a junior staff member able to unilaterally send this material, they were able to get hold of it in the first place. Without training or authority, and bypassing all internal controls, someone was able to compile a list of 25 million confidential records and burn them to a CD. Forget the fact that they then popped said CD into the post.

"There are clearly deep-rooted problems at HMRC with regard to information security, far deeper than a lack of process. Fundamental principles of access control and best practices have clearly not been followed. This is guaranteed to be more widespread throughout the civil service."
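The access-control gap Twynham describes, shown as an added illustration rather than code from the article or from HMRC: a records service in which looking up an individual record and bulk-exporting the dataset are separate privileges, an export above a threshold needs sign-off from a different senior person, and every decision is written to an audit log. The roles, the threshold and the sample records are constructed assumptions.

```python
# Constructed example of a least-privilege gate in front of a benefit-records store.
# Roles, permissions, the bulk threshold and the records are hypothetical.
from dataclasses import dataclass, field

ROLE_PERMISSIONS = {
    "caseworker": {"record.read"},                       # individual lookups only
    "senior_manager": {"record.read", "export.approve"},  # may sign off an export
}
BULK_THRESHOLD = 100  # above this a read is treated as a bulk export

# Constructed sample records, not real data.
RECORDS = {i: {"name": f"Claimant {i}", "account": f"ACCT{i:06d}"} for i in range(1, 501)}

class AccessDenied(Exception):
    pass

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def log(self, actor, action, count, outcome):
        self.entries.append({"actor": actor, "action": action, "count": count, "outcome": outcome})

def has_perm(role, perm):
    return perm in ROLE_PERMISSIONS.get(role, set())

def fetch_records(actor, role, record_ids, audit, approver=None, approver_role=None):
    """Return the requested records only if the caller is entitled to them.

    Individual lookups need just record.read. Requests larger than BULK_THRESHOLD
    are an export: a second person holding export.approve must be named, and that
    person cannot be the requester (two-person rule). Every decision is audited."""
    count = len(record_ids)
    action = "bulk_export" if count > BULK_THRESHOLD else "record_lookup"
    if not has_perm(role, "record.read"):
        audit.log(actor, action, count, "denied:no_read_permission")
        raise AccessDenied(f"{actor} ({role}) may not read records")
    if action == "bulk_export":
        if approver is None or not has_perm(approver_role, "export.approve"):
            audit.log(actor, action, count, "denied:no_approval")
            raise AccessDenied(f"{count} records exceeds {BULK_THRESHOLD}; senior sign-off required")
        if approver == actor:
            audit.log(actor, action, count, "denied:self_approval")
            raise AccessDenied("requester cannot approve their own export")
    audit.log(actor, action, count, "allowed")
    return [RECORDS[i] for i in record_ids if i in RECORDS]
```

The audit trail is what lets a compliance team notice an unapproved bulk export attempt even when the gate works; silently refusing would hide the pattern.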

So what can small businesses learn from HMRC's lapses? Twynham raises the following points:

  • It’s not just big companies or government departments that lose important storage media. Most small businesses back up their data to tape, but forget how valuable those tapes are. They are often left on reception desks in public areas, in cars, or worse still are never taken off-site at all. Backup tapes and CDs need to be taken off-site, but should be handled securely and carefully all the way. You may need them one day, and you certainly don’t want them falling into the wrong hands.
  • Laptop theft isn’t going away. Anyone with sensitive data on their laptop should ensure that it is both encrypted and backed up.
  • Don’t forget the paperwork. In the case of the stolen laptop, printouts of several ISA customers including their addresses and passport numbers were also taken. A timely reminder that it's not just computers and storage media that matter.

Back in Whitehall, both the chancellor and HMRC are at the centre of a massive political storm that will not lift the pressure on a department which finds itself in the midst of a major transformation programme [6] with no chief executive at the helm.

While having to face even more public scrutiny, the incoming chairman will need to possess many of the same qualities set out last year, when AccountingWEB members debated who should be David Varney's successor [7].

"This post is a poisoned chalice," commented AccountingWEB member Alastair Harris at that time. "What is needed is an HMRC that is able to be responsive to challenges (such as carousel fraud) whilst not alienating the British taxpayer. I am afraid that that means it requires a man manager who is able to weed out the cultural incompetence that pervades HMRC, and someone with a strategic vision who is able to accept measurable objectives covering effectiveness and empathy to taxpayers, but balance that with the objectives of HM Treasury, which often seem to be in conflict."

Harris proposed former Tory chancellor Ken Clarke as a candidate, while Lord Howe was also mentioned. Captains of industry including Sir Richard Branson, Lord Browne and Sir Ian Gibson (a member of the Bank of England court) were suggested, but the consensus is that anyone with the right business credentials is unlikely to accept the job. Internal HMRC candidates include Dave Hartnett, who has been leading HMRC's recent "Fresh Start" initiatives to engage with tax advisers, and Steve Lamey, recently promoted from chief information officer to chief operating officer, responsible for the department's transformation programme.

Related articles
Dave Hartnett chosen as acting HMRC chairman [8]
Stewart Twynham's IT security diary - The tip of the iceberg [9]
Focus on data protection [10]


Source URL: http://www.accountingweb.co.uk/item/175951

Links:
[1] http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=175968&d=1025&h=1023&f=1026&dateformat=%o %B %Y
[2] http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=175754&d=1032&h=1019&f=1026&dateformat=%o %B %Y
[3] http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=168504
[4] http://news.bbc.co.uk/1/hi/programmes/moneybox/7076106.stm
[5] http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=174553&d=1025&h=1023&f=1026&dateformat=%o %B %Y
[6] http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=162980
[7] http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=157995
[8] http://www.accountingweb.co.uk/item/175946/1025/1019/1026
[9] http://www.accountingweb.co.uk/item/175910/1032/1023/1026
[10] http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=176223&d=1032&h=1023&f=1026&dateformat=%o %B %Y