Personal Data of 25 Million U.K. Children Lost

"When mistakes happen in enforcing procedures we have a duty to do everything we can to protect the public...we will do everything in our power to make sure data is safe," said Prime Minister Gordon Brown.

by / November 21, 2007

An announcement was made yesterday revealing that the U.K.'s Her Majesty's Revenue and Customs (HMRC) office has lost the personal information of 25 million people. The data, which records information on all British families with children under the age of 16, has gone missing after it was sent by internal mail between the HMRC and the National Audit Office.

Data contained on two lost CDs includes parents' and children's names, dates of birth, addresses, National Insurance numbers and, where relevant, the details of the bank or building society account into which Child Benefit is or was paid.

Speaking to MPs during Prime Minister's Questions on Tuesday, Prime Minister Gordon Brown expressed his regret for the "inconvenience and worry" caused to members of the public and promised to find out why strict security procedures had not been followed.

"When mistakes happen in enforcing procedures we have a duty to do everything we can to protect the public...we will do everything in our power to make sure data is safe," said Brown. Security procedures at HMRC require that only authorized staff have access to sensitive information and that such information be encrypted when transported.

Brown said that there was no evidence of any fraudulent activity occurring as a result of the loss and that the Banking Code would ensure that no financial losses occur should such activity take place. Brown also announced an independent review to be carried out by PriceWaterhouse Coopers to find out how the loss of data occurred.

Dave Hartnett, HMRC's Director General, issued an apology to the affected families yesterday on their Web site: "I am writing to make a personal apology ... I would like to offer my personal apologies for any worry or concern this data loss may cause you. And I can assure you that all efforts are being made to ensure that such a loss can never happen again."

In the apology, Hartnett told British families there is no need to contact the office unless bank statements show fraudulent activity. He also recommended changing passwords if they include personal data such as children's names or dates of birth, which may have been on the lost CDs.

"As is usual in these circumstances, if you are the innocent victim of banking fraud you will not have to pay, but you may want to take some precautionary steps to protect yourself," said Hartnett.

This latest incident is not the only time that HM Revenue and Customs has allowed data on British citizens to potentially fall into the wrong hands. In September, a laptop containing personal information on thousands of investors was stolen from the car trunk of an HMRC official. Last month, in a separate incident, a courier being used by HMRC lost a CD containing details of 15,000 Standard Life customers.

"If this data fell into the wrong hands it could be sold off piecemeal to organized identity theft gangs over the Internet for a handsome profit. Within minutes information can be duplicated and passed around the world for criminals to exploit," said Graham Cluley, senior technology consultant at Sophos. "Hackers have set up auction sites on the shadier areas of the Internet for hawking their stolen wares to interested parties. Everyone will be desperately hoping that if a criminal has intercepted the CDs that they do not realize the value of what they have stolen, and the data will not be exploited."

The scale of the HMRC's data loss, and the fact that it happened at the heart of government, means many individuals may worry about what data they share with such legitimate institutions in future. A survey published by Sophos found that 33 percent of people believe that the public sector does a worse job of securing their confidential information than private firms.

"Having your identity stolen isn't always as obvious as when something else gets stolen. It's not like when the Mona Lisa is pinched and there's a gap on the wall," explained Cluley. "Unauthorized people can have personal information about you without you realizing -- and it's only when evidence emerges that they have been stealing money or goods in your name that you may know that something illegal has occurred."

Gina M. Scott Writer