2007 UK child benefit data misplacement
   HOME

TheInfoList



OR:

The loss of United Kingdom child benefit data was a
data breach A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, info ...
incident in October 2007, when two computer discs owned by HM Revenue and Customs containing data relating to child benefit went missing. The incident was announced by the
Chancellor of the Exchequer The chancellor of the Exchequer, often abbreviated to chancellor, is a senior minister of the Crown within the Government of the United Kingdom, and head of His Majesty's Treasury. As one of the four Great Offices of State, the Chancellor is ...
, Alistair Darling, on 20 November 2007. The two discs contained the personal details of all families in the United Kingdom (UK) claiming child benefit, of which takeup in the UK is near 100%.


The loss

The discs were sent by junior staff at HM Revenue and Customs (HMRC) based at Waterview Park in Washington, Tyne and Wear, to the National Audit Office (NAO), as unrecorded internal mail via TNT on 18 October. On 24 October the NAO complained to HMRC that they had not received the data. On 8 November, senior officials in HMRC were informed of the loss, with
Chancellor of the Exchequer The chancellor of the Exchequer, often abbreviated to chancellor, is a senior minister of the Crown within the Government of the United Kingdom, and head of His Majesty's Treasury. As one of the four Great Offices of State, the Chancellor is ...
, Alistair Darling being informed on 10 November. On 20 November Darling announced: The lost data was thought to concern approximately 25 million people in the UK (nearly half of the country's population). The personal data on the missing discs was reported to include names and addresses of parents and children and dates of birth of the children, together with the National Insurance numbers and bank or building society details of their parents. The "password protection" in question is that provided by
WinZip WinZip is a trialware file archiver and data compression, compressor for Microsoft Windows, macOS, iOS and Android (operating system), Android. It is developed by WinZip Computing (formerly Nico Mak Computing), which is owned by Corel, Corel Co ...
version 8. This is a weak, proprietary scheme (unnamed encryption and
hash Hash, hashes, hash mark, or hashing may refer to: Substances * Hash (food), a coarse mixture of ingredients * Hash, a nickname for hashish, a cannabis product Hash mark *Hash mark (sports), a marking on hockey rinks and gridiron football field ...
algorithms) with well-known attacks. Anyone competent in computing would be able to break this protection by downloading readily-available tools. WinZip version 9 introduced
AES AES may refer to: Businesses and organizations Companies * AES Corporation, an American electricity company * AES Data, former owner of Daisy Systems Holland * AES Eletropaulo, a former Brazilian electricity company * AES Andes, formerly AES Gener ...
encryption, which would have been secure and only breakable by correctly knowing the passphrase. In a list of frequently asked questions, on the BBC News website a breakdown of the loss was reported as being: * 7.25 million claimants * 15.5 million children, including some who no longer qualify but whose family is claiming for a younger child * 2.25 million 'alternative payees' such as partners or carers * 3,000 'appointees' who claim the benefit under court instructions * 12,500 agents who claim the benefit on behalf of a third party Whilst government ministers claimed that a junior official was to blame, the Conservatives said that the fault lay in part with senior management. This was based on a claim that the National Audit Office had requested that bank details be removed from the data before it was sent, but that HMRC had denied this request, because it would be "too costly and complicated". Emails released on 22 November confirmed that senior HMRC officials had been made aware of the decision on cost grounds not to strip out sensitive information. The cost of removing sensitive information has been given as £5,000. Although the cost was found to be substantially less (£650) in an academic study. According to an IT trade journal '' Computer Weekly'', it said that back in March 2007, the NAO had asked for completed information of the child benefit database to be sent by post on CDs, instead of a sample of the database. The first time this was done, things went smoothly, and the package was registered post. However this time, it was unregistered through the courier. It was later revealed, on 17 December 2007, that the data protection manual for HMRC was in itself under restriction to only senior members of staff, not junior civil servants who had just a summary of what the manual says on security.


Other data scandals

This was followed by several other data scandals. On 17 December it was revealed by Ruth Kelly that the details of three million learner drivers were lost in the United States. However the only details said to be lost were the: name, address, phone number, the fee paid, the test centre, payment code and e-mail, so not much of a panic was caused due to a reduced risk of financial
fraud In law, fraud is intentional deception to secure unfair or unlawful gain, or to deprive a victim of a legal right. Fraud can violate civil law (e.g., a fraud victim may sue the fraud perpetrator to avoid the fraud or recover monetary compens ...
. On 23 December it was revealed that nine National Health Service (NHS) trusts had also lost the data of hundreds of thousands of patients, some of it archive information, some of it medical records, contact details and soft financial data. A few other trusts also lost data, but found it fairly quickly. Several other UK firms have also admitted security failings.


Response

Darling stated that there was no indication that the details had fallen into criminal hands, but he urged those affected to monitor their bank accounts. He said "If someone is the innocent victim of fraud as a result of this incident, people can be assured they have protection under the Banking Code so they will not suffer any financial loss as a result." HMRC then set up a Child Benefit Helpline for those concerned about the data loss. The incident was a breach of the UK's Data Protection Act and resulted in the resignation of HMRC chairman Paul Gray; Darling commented that the discs were probably destroyed when "the hunt was on, probably within days" and that there was an "opaque" management structure at HMRC and it was difficult to see who was responsible for what. Gray was subsequently found to be working at Cabinet Office. The
Metropolitan Police The Metropolitan Police Service (MPS), formerly and still commonly known as the Metropolitan Police (and informally as the Met Police, the Met, Scotland Yard, or the Yard), is the territorial police force responsible for law enforcement and ...
and the Independent Police Complaints Commission both investigated the security breach, and uniformed police officers investigated HMRC offices. The loss led to much criticism by the Acting Leader of the Liberal Democrats Vince Cable and
Shadow Chancellor The Shadow Chancellor of the Exchequer in the British Parliamentary system is the member of the Shadow Cabinet who is responsible for shadowing the Chancellor of the Exchequer. The title is given at the gift of the Leader of the Opposition and ...
George Osborne. Osborne said: In addition he said that it was the "final blow for the ambitions of this government to create a national ID database". Cable also criticised the use of disks in the modern age of electronic data transfer. Spokespersons for Gordon Brown, however, said that the Prime Minister fully supported Darling, and said that Darling had not expressed any intention to resign. The general reaction of the public was one of anger and worry. Banks, individuals, businesses and government departments became more vigilant over data fraud and identity theft and the government pledged to be more careful with data. The public and media was particularly angry over the fact that the data was not registered or recorded, and that it was not securely encrypted. Nick Assinder, a political correspondent at the BBC, expressed the opinion that he believed Darling to be "on borrowed time". George Osborne, who questioned whether Darling was "up to the job", suggested that it would be a matter of days before a decision was made regarding Darling's future.''Ministers under fire over records''
BBC News retrieved November 21, 2007
However Darling remained Chancellor until Labour's defeat in 2010. TNT stated that, as the delivery was not recorded, it would not be possible to even ascertain if it had actually been sent, let alone where it went.


Jeremy Clarkson direct debit fraud

On 7 January 2008, Jeremy Clarkson found himself the subject of direct debit fraud after publishing his bank account and sort code details in his
column A column or pillar in architecture and structural engineering is a structural element that transmits, through compression, the weight of the structure above to other structural elements below. In other words, a column is a compression member. ...
in '' The Sun'' to make the point that public concern over the scandal was unnecessary. He wrote, “All you'll be able to do with them is put money into my account. Not take it out. Honestly, I've never known such a palaver about nothing”. Someone then used these details to set up a £500 direct debit to the charity
Diabetes UK Diabetes UK is a British-based patient, healthcare professional and research charity that has been described as "one of the foremost diabetes charities in the UK". The charity campaigns for improvements in the care and treatment of people with d ...
. In his next ''
Sunday Times ''The Sunday Times'' is a British newspaper whose circulation makes it the largest in Britain's quality press market category. It was founded in 1821 as ''The New Observer''. It is published by Times Newspapers Ltd, a subsidiary of News UK, whi ...
'' column, Clarkson wrote, “I was wrong and I have been punished for my mistake.″ Clarkson stung after bank prank
, BBC News
Under the terms of the Direct Debit Guarantee, the payment could be reversed.


See also

*
List of UK government data losses The following is a list of UK government data losses. It lists reported instances of the loss of personal data by UK central and local government, agencies, non-departmental public bodies, etc., whether directly or indirectly because of the action ...
*
United Kingdom government security breaches This page is a time-line of published security lapses committed by governmental entities in the UK, including data security breaches. This article does not attempt to capture security vulnerabilities. Timeline 1980s 1990s 2000s * Dec ...


References

{{reflist, 2


External links


Alistair Darling's statement to Parliament



Brown apologizes for records loss
with timeline of events Child benefit data misplacement Data security Political scandals in the United Kingdom HM Revenue and Customs