Loss of United Kingdom child benefit data (2007)

The loss of United Kingdom child benefit data was a data breach incident in October 2007, when two computer discs owned by HM Revenue and Customs containing data relating to child benefit went missing. The incident was announced by the Chancellor of the Exchequer, Alistair Darling, on 20 November 2007. The two discs contained the personal details of every family in the United Kingdom (UK) claiming child benefit, [1] a benefit whose take-up in the UK is close to 100%. [2]

The loss

The discs were sent by junior staff at HM Revenue and Customs (HMRC) based at Waterview Park in Washington, Tyne and Wear, to the National Audit Office (NAO), as unrecorded internal mail via TNT on 18 October. On 24 October the NAO complained to HMRC that it had not received the data. On 8 November, senior officials in HMRC were informed of the loss, with the Chancellor of the Exchequer, Alistair Darling, being informed on 10 November. [3] On 20 November Darling announced:

Two password-protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO by HMRC's internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the address in the NAO. [1]

The lost data was thought to concern approximately 25 million people in the UK (nearly half of the country's population). The personal data on the missing discs was reported to include names and addresses of parents and children and dates of birth of the children, together with the National Insurance numbers and bank or building society details of their parents. [3]

The "password protection" in question is that provided by WinZip version 8. [4] This is a weak, proprietary scheme (unnamed encryption and hash algorithms) with well-known attacks. [5] Anyone competent in computing would be able to break this protection by downloading readily available tools. WinZip version 9 introduced AES encryption, which would have been secure and breakable only by a brute-force attack.
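The distinction drawn above (WinZip 8's legacy PKWARE "ZipCrypto" protection versus the AES scheme WinZip 9 introduced) is recorded in an archive's own central directory, so a disc can be audited before it leaves the building. The Python below is an added example, not code from the article or from WinZip: the archives it inspects are constructed in the script, and the function names are the editor's own.

```python
import io
import struct
import zipfile

AES_METHOD = 99         # compression method id WinZip uses for its AES (AE-x) scheme
AES_EXTRA_ID = 0x9901   # header id of the WinZip AES extra field
AES_BITS = {1: 128, 2: 192, 3: 256}   # key-strength byte -> AES key length


def aes_strength(extra: bytes):
    """Return the AES key length recorded in a 0x9901 extra field, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if hid == AES_EXTRA_ID and len(body) >= 5:
            # body: vendor version (2), vendor id b"AE" (2), strength (1), real method (2)
            return AES_BITS.get(body[4])
        pos += 4 + size
    return None


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Name the protection scheme of one entry from its central-directory record."""
    if not info.flag_bits & 0x1:          # bit 0 clear: the entry is not encrypted at all
        return "plaintext"
    if info.compress_type == AES_METHOD:  # WinZip 9+ AES; strength lives in the extra field
        bits = aes_strength(info.extra)
        return f"aes-{bits}" if bits else "aes-unknown"
    return "zipcrypto"                    # legacy PKWARE scheme, the WinZip 8 "password protection"


def audit_archive(data: bytes) -> dict:
    """Map every entry name in the archive to its protection scheme."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}


def build_archive(name: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    """Hand-build a one-entry archive for the demo (constructed sample, dummy payload)."""
    payload = b"\x00" * 12                # stand-in for the (encrypted) file data
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0x21,
                        0, len(payload), len(payload), len(name), len(extra))
    local += name + extra + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          0, 0x21, 0, len(payload), len(payload), len(name),
                          len(extra), 0, 0, 0, 0, 0)
    central += name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# WinZip AES extra field: vendor version AE-2, vendor "AE", strength 3 (256-bit), real method 8
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)

# Constructed samples standing in for a WinZip 8 disc, a WinZip 9 AES disc and an unprotected one
SAMPLES = {
    "winzip8": build_archive(b"childbenefit.csv", flags=1, method=8),
    "winzip9": build_archive(b"childbenefit.csv", flags=1, method=AES_METHOD, extra=AES256_EXTRA),
    "clear": build_archive(b"childbenefit.csv", flags=0, method=0),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, audit_archive(blob))
```

An entry reported as "zipcrypto" is protected only by the scheme the paragraph above describes; a release check that refuses anything other than "aes-256" would have flagged the 2007 discs.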

In a list of frequently asked questions [6] on the BBC News website, a breakdown of the loss was reported as being:

Whilst government ministers claimed that a junior official was to blame, the Conservatives said that the fault lay in part with senior management. This was based on a claim that the National Audit Office had requested that bank details be removed from the data before it was sent, but that HMRC had refused this request because it would be "too costly and complicated". [7] Emails released on 22 November confirmed that senior HMRC officials had been made aware of the decision, on cost grounds, not to strip out sensitive information. [8] The cost of removing the sensitive information has been given as £5,000, [9] although an academic study found it would have been substantially less (£650). [10]

According to the IT trade journal Computer Weekly, in March 2007 the NAO had asked for the complete child benefit database, rather than a sample of it, to be sent by post on CDs. The first time this was done the package went by registered post and arrived without incident; on this occasion it was sent unregistered through the courier. [11]

It was later revealed, on 17 December 2007, that HMRC's data protection manual was itself restricted to senior members of staff; junior civil servants had only a summary of what the manual said about security. [12]

Other data scandals

This was followed by several other data scandals. On 17 December it was revealed by Ruth Kelly that the details of three million learner drivers had been lost in the United States. However, the only details said to be lost were the name, address, phone number, fee paid, test centre, payment code and e-mail address, so there was little panic because the risk of financial fraud was reduced. On 23 December it was revealed that nine National Health Service (NHS) trusts had also lost the data of hundreds of thousands of patients, some of it archive information, some of it medical records, contact details and soft financial data. A few other trusts also lost data, but found it fairly quickly. Several other UK firms have also admitted security failings. [13]

Response

Darling stated that there was no indication that the details had fallen into criminal hands, but he urged those affected to monitor their bank accounts. [1] He said "If someone is the innocent victim of fraud as a result of this incident, people can be assured they have protection under the Banking Code so they will not suffer any financial loss as a result." HMRC then set up a Child Benefit Helpline for those concerned about the data loss. [3]

HMRC chairman Paul Gray resigned

The incident was a breach of the UK's Data Protection Act and resulted in the resignation of HMRC chairman Paul Gray; Darling commented that the discs were probably destroyed when "the hunt was on, probably within days" and that there was an "opaque" management structure at HMRC, in which it was difficult to see who was responsible for what. [14] Gray was subsequently found to be working at the Cabinet Office. [15] [16] The Metropolitan Police and the Independent Police Complaints Commission both investigated the security breach, and uniformed police officers searched HMRC offices. The loss led to much criticism from the Acting Leader of the Liberal Democrats, Vince Cable, and the Shadow Chancellor, George Osborne. Osborne said:

Let us be clear about the scale of this catastrophic mistake— the names, the addresses and the dates of birth of every child in the country are sitting on two computer discs that are apparently lost in the post, and the bank account details and National Insurance numbers of ten million parents, guardians and carers have gone missing. [3]

In addition he said that it was the "final blow for the ambitions of this government to create a national ID database". Cable also criticised the use of disks in the modern age of electronic data transfer. Spokespersons for Gordon Brown, however, said that the Prime Minister fully supported Darling, and said that Darling had not expressed any intention to resign. [3]

The general reaction of the public was one of anger and worry. Banks, individuals, businesses and government departments became more vigilant over data fraud and identity theft, and the government pledged to be more careful with data. The public and media were particularly angry that the package had not been registered or recorded, and that the data was not securely encrypted.

Nick Assinder, a political correspondent at the BBC, expressed the opinion that he believed Darling to be "on borrowed time". [17] George Osborne, who questioned whether Darling was "up to the job", suggested that it would be a matter of days before a decision was made regarding Darling's future. [18] However Darling remained Chancellor until Labour's defeat in 2010.

TNT stated that, as the delivery was not recorded, it would not be possible to even ascertain if it had actually been sent, let alone where it went. [19]

Jeremy Clarkson direct debit fraud

On 7 January 2008, Jeremy Clarkson found himself the subject of direct debit fraud after publishing his bank account number and sort code in his column in The Sun to make the point that public concern over the scandal was unnecessary. He wrote, "All you'll be able to do with them is put money into my account. Not take it out. Honestly, I've never known such a palaver about nothing". Someone then used these details to set up a £500 direct debit to the charity Diabetes UK. In his next Sunday Times column, Clarkson wrote, "I was wrong and I have been punished for my mistake." [20] Under the terms of the Direct Debit Guarantee, the payment could be reversed.


References

  1. "Darling admits 25 million records lost". BBC. 2007-11-20. Archived from the original on 2017-09-05. Retrieved 2007-11-20.
  2. "Pressure on Darling over records". BBC. 2007-11-20. Archived from the original on 2021-10-17. Retrieved 2007-11-22.
  3. "UK's families put on fraud alert". BBC. 2007-11-20. Archived from the original on 2017-09-05. Retrieved 2007-11-20.
  4. Neumann, Peter G. (30 December 2007). "HMRC Lost Discs & Encryption". The RISKS Digest. 24 (93). Archived from the original on 3 January 2008. Retrieved 2 January 2008.
  5. "Password Recovery/Cracking FAQ". Archived from the original on 2008-02-10. Retrieved 2008-02-05.
  6. "Data disaster: Your queries answered". BBC. 2007-11-21. Archived from the original on 2009-01-31. Retrieved 2007-11-21.
  7. "Fresh questions over data crisis". BBC. 2007-11-23. Archived from the original on 2021-10-17. Retrieved 2007-11-22.
  8. "Email from HMRC to NAO". NAO website. 13 March 2007. Archived from the original on 2007-11-27. Retrieved 23 November 2007.
  9. "£5,000 would have made HMRC discs safe". telegraph.co.uk. 23 November 2007. Retrieved 25 November 2007. (dead link)
  10. "Removal of sensitive child benefit data would have cost £650". www.port.ac.uk. 19 December 2007. Retrieved 20 December 2007.
  11. "Missing child benefit CDs: what went wrong, and why it would have carried on regardless". ComputerWeekly.com. Archived from the original on 2007-12-24. Retrieved 2007-12-17.
  12. "HMRC manual on data protection was protected data". The Register. Archived from the original on 2007-12-19. Retrieved 2007-12-17.
  13. "Firms admit to two more cases of personal data loss". 2007-12-11. Archived from the original on 2007-12-14. Retrieved 2008-02-05.
  14. Darling, Alistair (2011). Back from the Brink: 1,000 Days at Number 11. Atlantic Books. ISBN 978-0857892799.
  15. "Channel 4 - News - Paul Gray back at work". Archived from the original on 2008-11-18. Retrieved 2008-09-23.
  16. Summers, Deborah (2007-11-20). "Personal details of every child in UK lost by Revenue & Customs". The Guardian. London. Archived from the original on 2007-11-21. Retrieved 2007-11-20.
  17. "Assessing the political damage, Darling and Brown". BBC. 2007-11-20. Archived from the original on 2007-11-22. Retrieved 2007-11-20.
  18. "Ministers under fire over records". BBC News. Archived from the original on 2009-03-28. Retrieved 21 November 2007.
  19. "CDs 'May Never Have Left The Building'". Sky News. Archived from the original on 2008-07-09. Retrieved 22 November 2007.
  20. "Clarkson stung after bank prank". BBC News. Archived from the original on 2010-07-29.