Wednesday, November 21, 2007

PM apologizes for data débâcle


Following the worst security breach in British history the Prime Minister Gordon Brown has said that measures will be put into place that to ensure such an incident never happens again. His comments during Prime Minister’s Question Time in Parliament came less than 24 hours after Alistair Darling announced that the government had lost the data of 25 million individuals. The detail of what had been lost astonished the House and accusations of incompetence swiftly followed.

According to the Chancellor, the information consisted of child benefit lists. These files included names, addresses, dates of birth, child benefit numbers and national insurance numbers of Britain’s 15 children. The files also included the personal data of their carers or mothers and in some cases the bank details of an un-stated number of individuals. More than 7.2 million families were said to be affected. The Chancellor went on to say he regarded the matter as a “serious failure by the HMRC in its responsibility to the public”.

Shadow Chancellor George Osborne MP called the government incompetent and insisted they “Get a grip”. He also suggested the public would never again trust them with personal data. “Today must mark the final blow for the ambitions of this government to create a national ID card. They simply cannot be trusted with people’s personal information”

Media coverage was extensive following the revelations. BBC’s Newsnight programme devoted more than 25 minutes to the issue. Jeremy Paxman introduced the programmed with scathing remarks. “There could hardly be a bigger instance of incompetence when it comes to data entrusted by citizens of this country by their government”, he said. Paxman went on to describe the data loss as “monstrous” and that beyond the resignation of Paul Gray, others should also take responsibility. Paul Gray, chairman of Revenue and Customs, the department from which the data was sent, offered his resignation to the Chancellor shortly after the security breach was discovered.

The discs began their journey in the Child Benefit Office in Washington, Tyne & Wear. On Thursday the 18th of October a junior employee of the HMRC Child Benefit Office sent the discs to the National Audit Office in London. The member of staff downloaded the files onto two CDs and sent them, unrecorded, through the internal postal system using the courier firm TNT. The discs, however failed to arrive at the NAO, but bosses at the HMRC were not told until the 8th November. Alistair Darling was informed two days later on the 10th and after launching a full investigation the police were called in on the 14th November. It has subsequently emerged that banks were not informed for yet another two days on 16th November.

Opponents of the Labour government are putting the responsibility at the door of the current Prime Minister. Gordon Brown, as Chancellor of the Exchequer, had made changes by combining responsibilities of Revenue and Customs giving them oversight of benefits. In addition job cuts amongst civil servants are also being cited as another failure in government policy. Michael Fallon MP told Newsnight the government were entirely to blame. “They designed this system, they spatchcocked together the revenue with the customs, two completely different departments. They gave the Revenue the responsibility of organizing child benefit, tax credit, which the Revenue had never had before. And finally they imposed on the Revenue these draconian job cuts, which undermined morale in the organization. So they can’t pretend it was nothing to do with them. They’ve been running the Revenue and Customs for the last ten years” he said.

What is particularly shocking is the level of encryption on the discs. According to Newsnight investigations, there was no encryption and only simple password protection. According to one expert, breaking through the passwords could be relatively simple with the appropriate software. And how useful would the data be to criminals? Avivah Litan, a Security Analyst for Gartner Inc., said there was a thriving market for such information. Robert Schifreen, a former hacker and now a security consultant, expressed surprise the data had not been encrypted.

But this most recent débâcle is by no means the first time the government has lost data or had security breaches. In April 2007, junior doctors’ confidential details were revealed to be accessible on the internet. In September the HMRC lost a CD containing data on 15,000 Standard Life customers. In October an HMRC laptop was stolen from a car. The computer contained information about customers with high value ISA accounts. And this was only one of 41 laptops ‘lost’ in the last 12 months.

The sending of the CDs by post, internally or otherwise, may, according to Dr Ian Brown of the Oxford Internet Institute, constitute a breach of the Data Protection Act. “I hope the Information Commissioners Office will be opening an investigation” he told the BBC.

Jane Kennedy MP, Financial Secretary to the Treasury, was evasive about whether the government would pick up the losses given the information fell into the hands of criminals. She told Jeremy Paxman that the Chancellor made clear that “nobody will lose as a result of any fraud arising from this breakdown”. Pressed by Paxman as to whether the government would refund lost assets she said, “all I can tell you right at this moment is that the banking system has a system in place that will make sure that nobody loses..” Paxman interrupted saying, “It wasn’t the banks that made the mistake” to which the Financial Secretary conceded. But she added, “Inquiries will be made to find out where liability lies”.

Professor Ross Anderson from the University of Cambridge spoke of a move over the last ten years to increase transformational government which entails the putting together of public sector data into fewer and ever larger data bases. These data bases gave more and more people routine access and he described the security blunder as an “accident waiting to happen”. He then went on to accuse the government of continually ignoring advice on matters of security. A report to the Information Commissioner suggesting the proposed Children’s data bases were unsafe and illegal had, he said, been “brushed aside” along with several other reports on the handling of sensitive data.

Paxman then scolded Jane Kennedy saying that families thoughout Britain would never trust the government again. But as she attempted to defend the government, Paxman interjected. “I’m sorry you’ve just demonstrated utter incompetence” he said.

Asked as to whether any safeguards could be made to prevent a repeat of this fiasco, Prof. Anderson simply said, “No”. System architecture, policy and how electronic government is managed from the top down were, he said all features that posed security problems.

The newspaper headlines spoke volumes as to how much confidence prevailed in the wake of the data loss. The Independent ran with a headline of questions; “Who? What? Why? Where? When? THE DATA DISASTER”. The Daily Mail was more forthright calling the loss “Mind-Blowing Incompetence”. Wednesday’s Channel Four News uncovered further revelations that the NAO had not even requested the entire database. They had only asked for names of children along with national insurance and child benefit numbers. They specifically asked that parents’ information, including addresses and bank details, be stripped from the information provided.

Whilst millions of UK citizens were worrying about their bank security, there were further financial concerns after shares in Northern Rock fell sharply yesterday. The bank has been the focus of much media attention in recent weeks after hundreds of customers withdrew funds after worries about the future of the bank.

Today’s apology by Gordon Brown may mean little to the millions affected, and even less if the data does fall into the hands of criminals [BBC].

No comments: