A massive data breach in the United Kingdom demonstrates how easy it is for sensitive data to be compromised.
Two CDs containing the personal information of almost every child under the age of 16 and their parents in the U.K. have gone missing. (That’s 25 million people who belong to 7.25 million families.)
The data, compiled for the payment of certain social benefits, includes each child’s name, address, date of birth, sex, and National Insurance number, the parents’ and any partners’ information, and in some cases, the family’s bank account details.
The two disks, protected only by passwords, were prepared for the government’s National Audit Office (NAO) by HM Revenue and Customs (HMRC), the department responsible for the payment of Child Benefits. In direct contravention of HMRC’s security protocols, the package containing the CDs was sent via a postal courier company on October 18, and was neither registered nor recorded. At that time, the U.K.’s postal strike was in full swing and the NAO was moving to new offices, so the loss of the package was not immediately obvious.
Senior HMRC officials weren’t told until November 8 that the package was missing. It still is, and the Metropolitan Police (Scotland Yard) have been called in for the hunt. HMRC chairman Paul Gray has resigned over the incident, which was announced to the public only yesterday.
Child Benefits amount to approximately $38 per week for a first child and $28 per week for each additional child. The program is, of course, very popular and most families in the U.K. have signed up for the money.
Banks have been alerted throughout the U.K., and Child Benefits recipients have been warned to monitor their accounts and credit reports for “unusual activity.” Any financial victims are protected under U.K. banking laws.
Although HMRC has procedures in place for handling sensitive data, this is at least the fourth breach that’s been reported. A similar incident happened in March 2007, but that data was safely recovered. In September of this year, two breaches occurred: a laptop containing information on 400 people’s savings accounts was stolen, and the records of 15,000 people were sent to a life insurance company. An independent investigation of security procedures is now underway.
The truly frightening part of this drama is that this data is valuable not only to identity thieves. There is also the far more serious possibility of danger to the children themselves, as the missing records contain names, addresses, sexes, and dates of birth.
Although there is no proof that this sensitive data has been stolen rather than simply lost in the mail, the incident emphasizes that government officials who handle people’s private information are handling their private lives, and should be careful to follow all security guidelines no matter how inconvenient. It is also important to remember that there is no postal service or email facility that can be considered completely secure. After all, data is only as secure as its protection.
Criminals (as well as insurance companies, banks, and retail outlets which share information “for marketing purposes”) are seeing to it that information can never really be 100% safe, but they surely don’t need (and shouldn’t receive) help in that process from any government.
Original article is available via the BBC