
When Heads Must Roll (UK Data Breach)

Last week, the BBC News reported:

"Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people."

Yes, you read that correctly. Not some families, but all families with children under 16. The missing (probably stolen) data covers sensitive details about 7.25 million families. The disks were lost during transport from HM Revenue and Customs (HMRC) to the National Audit Office (NAO). According to the New York Times:

"... the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16."

While this data breach was not as big as the TJX/TJ Maxx breach, it was still a catastrophic data security lapse. The delivery package was neither recorded nor registered. The data was password-protected but not encrypted. The timeline reported by the BBC:

"The data was sent on 18 October and senior management at HMRC were told it was missing on 8 November and the chancellor on 10 November. Mr Darling said banks were adamant that they wanted as much time to prepare for his announcement as possible."

It would seem that both companies and government agencies in the United Kingdom are slow to inform their identity theft victims, just like in the United States. Gil Sever, the CEO of Safend, clearly described the HMRC data breach:

"This is a glaring and unfortunate example of what happens when organizational policy is not followed and enforced and adequate technological safeguards are not utilized... HMRC's data security issue was twofold: first the information was stored on a vulnerable medium with inadequate protection. Secondly, there was no monitoring procedure to track or record where the data was going or how it was being accessed."

Gee, that sounds a lot like IBM's data breach. Appropriately enough, heads began to roll at the HMRC:

"HMRC chairman Paul Gray resigned earlier after the latest incident came to light."

To my knowledge, nobody at IBM lost their job after IBM's data breach. Not even the delivery vendor that lost IBM's data tapes was fired. Where's the accountability? The consequences?

