Oop. Sorry. Lost It.

I really shouldn’t be surprised, but I am. HM Revenue and Customs has lost 25m Child Benefit records. They were sent on CDs by unrecorded delivery. They didn’t reach their destination.
This, don’t forget, is the government that wants to build a national ID database.
They simply cannot be trusted with our data.
Aside from the all the reasons that building such an ID database wouldn’t work (and dishing out ID cards in the process), this incompetence just shows what actually happens when such a centralised database exists.
If you think ID fraud is bad now, it’s going to get worse. A lot worse. Data will go astray. Records will be wrongly maintained. There’ll be security holes.
Put this next to the ill-fated NHS database (£6.8bn and rising, with no end in sight), and the problems are clear.
[UPDATE] In fact, the more you think about this, the more scandalously shocking it is. I’m not even remotely interested in the political ramifications, and whether Alistair Darling is going to be out of a job anytime soon – it’s not his direct responsibility, although he’s just had a week from hell.
The real issue here is the colossal failure to even comprehend what the problems are with a system that lets this happen. Newsnight had Professor Ross Anderson on who put it all in very clear terms. It’s no good talking about a failure of procedure – procedures will always fail. The fact is that someone very junior had access to the entire database of UK child benefit claimants and their kin – in effect, every parent and child in the country – and they were able to burn a disk of that data. It’s no good saying that they should have had a manager standing over them as they did it (or whatever “procedure” should have been followed), ensuring that the file was encrypted and passed around with the security of a state secret – we all know that sometimes we do things that we shouldn’t just because we’re able to and it’s more convenient. The fact is that someone very junior had access to this data irrespective of “procedure.”
Anderson gave the very simple example of your health records. Historically, your medical record was held by your GP, perhaps at the surgery. A dozen people, perhaps, had access to it. Yes, someone who shouldn’t, may have been able to access the data, but the worst that could happen is that your local surgery’s patients’ records were compromised – a few thousand people maybe. In a national NHS database, it’s not just the dozen local receptionists and doctors in your surgery that can access your file, but another dozen at every surgery and facility around the country. And it’s not just a few thousand records that are at stake, but tens of millions of records across the country representing every man, woman and child. All our information is vulnerable to thousands of access points. There are “bad eggs” to be found in some surgeries up and down the land. I don’t know where they are, but that’s valuable data that someone, somewhere, is willing to pay for.
And finally, it’s worth noting that although this data is “password protected”, it’s not encrypted. While it may not be an Excel file (or series of files) we’re talking Excel levels of security. Let’s put it this way. I can get a password cracker for such a file from the internet in a matter of seconds. If those discs fall into the wrong hands, the data will be available to all with no problem whatsoever.
Quite simply, this breach is unprecedented in British history.


Posted

in

Tags: