HMRC's lost Child Benefit data: Don't blame a junior clerk…
Tag: Central Government. Published: 22 Nov 2007, 07:00 am
Peapod Consulting, a GSS company, described the news that 25 million people’s personal details have gone ‘missing’ from HM Revenue and Customs (HMRC) as inevitable. Just yesterday, Peapod voiced its concern following the news last week from the Information Commissioner’s Office that nine out of ten adults worry that organisations are failing to keep their personal information secure. For them, this news couldn’t have come at a worse time.
Robin Hollington, Director of Consulting for Peapod (UK) Ltd, has been working in the IT Security arena for over 10 years. During this time he has provided indispensable advice to organisations on how to protect sensitive data, from personal customer records to sensitive business plans and confidential financial results. Additionally, Peapod has been carrying out security reviews as bespoke consulting assignments for more than five years to check organisations’ defences are impenetrable.
Robin made the following initial statement: “It’s pointless everyone pointing fingers now and placing the blame on a junior clerk, so let’s not jump on the bandwagon and throw mud at HMRC for the sake of it. They have a massive duty of care, which has been breached, but then so do lots of people. Whilst it is not acceptable to be losing data of this nature, HMRC are not the only large organisation to lose client data as there have been other high profile losses – like Nationwide Building Society and TK Maxx. How many companies’ backup tapes have been stolen from the back of vans that are never made public?
“Despite the potentially devastating short term implications of the incident, the real cost of the breach will be the long term damage done to the implicit trust with which Britons have been prepared to hand over their personally identifiable data and bank details. When the CDs eventually turn up, who is to say whether they have, or haven’t, been copied? The opportunistic thief can then wait one, two, three or even ten years to exploit the data – long after this incident is forgotten. This is a long term, potentially never ending problem and what is needed now is vigilance by everyone for any unusual account activity. But then, we’ve been doing this already, haven’t we?
“For the government a more demonstrable response is required. It needs to act swiftly or it can consider its headline national identity card policy and the NHS Patient Record initiatives dead in the water. It could even find itself paying the ultimate price at the next elections as an increasingly sceptical public seeks a safer pair of hands in which to place the reins of power. That said it will not fix the problems overnight. No organisation of this size does. We know there are relatively simple solutions to the problem, technically. However the issue is normally with people and procedures.
“Information leakage from within and low-tech unauthorised disclosures are two major causes for concern, as are lack of management awareness, staff education relating to the use of removable media, working outside of the secure office environment etc., the list goes on. Although professional security experts have been advocating cohesive physical, information and technical security controls for many years, the holistic view is still all too often rejected and the culture of ‘someone else’s problem’ is very much prevalent. Government Departments often mandate suppliers are certified to ISO 27001 (the best practice Standard for Information Security); this is a wake-up call to practise what they preach. Adoption of the standard need not be a costly exercise.
“I’m sure HMRC has policies in place that should have prevented this crisis in confidence but if these policies are not communicated to every member of staff, or are enforced, then they are not worth the time they took to write. Additionally, there are simple, cost effective solutions available that could have force encrypted this data as soon as it was passed outside the secure environment, in this instance downloaded to a CD.
“The lessons on offer in the wake of this disaster are clear, and show absolutely that all entities, public and private, in possession of personally identifiable data about UK residents must regard this unfortunate occurrence as a massive accelerant in their endeavours to ensure the sustainability of the confidentiality, integrity and availability of their critical information assets.
“Information security assurance can no longer be dismissed by business leaders as an afterthought, but must be treated as a cornerstone of any organisational strategy by any enterprise serious about remaining in business as a going concern in the 21st century.
“By adopting a sound organisational security policy that is effectively communicated to every member of staff, ensuring compliance is embedded in operational processes, implementing a regular audit programme and insisting on technical compliance testing of your internal and internet facing IT infrastructure, as well as testing staff are adhering to these processes and policies - all aspects covered by the ISO 27001 standard - you stand the best chance of minimising the likelihood of a security breach.”
Copyright Public Technology Ltd 2003-2009. Crown copyright material used under click use licence C02W0007583.