UK Government Loses 15 Million Private Records

bestweasel writes "The BBC reports that a UK Government department has lost discs with details of 15 million benefit recipients, including names, addresses, date of birth and bank accounts. The head of the department involved, HM Revenue & Customs, has resigned and his resignation 'was accepted because discs had been transported in breach of rules governing data protection' so someone thinks it's not a trivial matter. The Chancellor will try to evade responsibility in the House of Commons at 3.30 GMT. A similar leak of a 'mere' 15,000 records from the same department happened a month or so ago. At that time, they refused to say 'on security grounds' whether the information was encrypted." We just recently talked about Britain's consideration of legal penalties for situations like this. I imagine this incident will weigh on that decision.

And they expect us to trust them...

[ditoa]

With a nationwide DNA database? Please. They can't be trusted with anything.

Trust the Government

[Vanders]

The fact that 25million records were being sent via. post burnt on DVDs should give some idea of the level of technical competency in the public sector. Apparently they were being sent to the Audit Office, but why the Audit Office needed an off line copy of the data, and a complete copy at that, isn't addressed: no doubt some ridiculous bureaucratic idiocy that makes Brazil look sane.

The idea of burning an unencrypted copy of your sensitive data to a DVD and handing it to a random delivery company should horrify even the most incompetent sysadmin or DBA. Apparently no one in HM Customs & Revenue thought anything of it.

These are the sorts of people who want to build a massive database of all our personal details and tie them to ID cards. They tell us the data will be "perfectly safe". I wouldn't trust them to run a mail server.

Offering 100,000 - 1 odds it was clear text

[lena_10326]

At that time, they refused to say 'on security grounds' whether the information was encrypted.

Then it wasn't. If it had, the first thing out of their mouths would have been "relax, it was all encrypted".

Three times!

[Dr_Barnowl]

The first time this happened was in March - the discs were not lost, and were returned to sender after use, not that that actually makes any difference, since the data could easily have been copied.

The real WTFs here are

• That the database was being sent in it's entirety to the audit office when they only asked for a sample.
  
• That the whole data was sent when they only wanted a subset of the fields.
  
• That junior officers in the civil service have enough access to dump entire databases.
  
• That they trusted a third-party courier instead of delivering it by hand.
  
• That the files were "password protected", which is clearly code for "not encrypted properly" (probably a ZIP file..).
  

Ok, it's probably worse than that though.

Oh please.

[Harold+Halloway]

"The Chancellor will try to evade responsibility..." In what way could be held responsible? The data was copied and sent in clear breach of the agency's (and the Government's) rules. The last time I checked, it wasn't the Chancellor's responsibility to monitor personally all packages sent by Government agencies. Had the security breach happened due to actions which did NOT breach any rules then I might agree with you, however this is not the case here. Put it this way: If ministerial resignation (and that is what you are implying should happen) is to follow every breach of security then that is a green light to every ne'er-do-well and Tory malcontent working in Government to start posting confidential data left, right and centre.

Re:25 million now...

[TheRaven64]

That was my first thought. The one good thing about this kind of disaster is that there is now a strong concrete example of why it is a bad idea to give the government any more data than they absolutely need. Whenever someone suggests a massive central database we can say 'you lost 15 million private records, why should we trust you with any more?'