Two CDs or Not Two CDs – Updated


2:51 pm - November 21st 2007

by Unity    



It’s a matter of only twenty-four hours on from Alistair Darling’s statement on the apparent loss of two CDs containing personal information, including NI numbers and bank account information, relating to 7.25 million families who claim child benefit (an estimated 25 million people in total) and yet it seems that an injection of common sense into this situation is already long overdue.

(Especially in view of the amount of overheated nonsense currently being spouted by blogging ‘expert’, Iain Dale, who really should have learned, by now, the folly of stepping outside the limits of your own technical knowledge and understanding. By contrast, Dizzy – who does know his [technical stuff] – has some observations that are well worth reading.)

Let’s start with the what – what has actually happened? – for which we’ll turn to this summary provided by the BBC:

What has happened?

HM Revenue and Customs has lost computer discs containing the entire child benefit records, including the personal details of 25 million people – covering 7.25 million families overall. The two discs contain the names, addresses, dates of birth and bank account details of people who received child benefit. They also include National Insurance numbers.

How were the discs lost?

They were sent in normal internal mail from HMRC in Newcastle to the National Audit Office in London on 18 October, by someone at a low level, and never arrived, Chancellor Alistair Darling said. That broke data protection laws and is the reason Revenue and Customs chairman Paul Gray has resigned.

What is the government saying?

Mr Darling called the loss “catastrophic”, apologising “unreservedly” and adding that ministers still did not know the whereabouts of the disks. He told the BBC “there were procedures there, which should have prevented this from ever happening in the first place” but that they “appear to have been breached”. People were “entitled to trust” the government to look after data but “that did not happen here”, Mr Darling said.

What this tells us is that two CDs containing highly confidential information were turned over to a junior underling to be forwarded via an ‘internal’ mail system to the National Audit Office, and said underling failed to follow the correct procedure with the result that the CDs are now missing – whether they have been taken by a third party or are merely tucked away in the bottom of a mail sack in a TNT depot is yet to be determined (by a Police investigation).

Which means that the Government is incompetent for losing this information – right?

Not necessarily.

Dizzy, as I’ve noted, raises some very pertinent points about some of the lax data security practices that appear to have been in place within HMRC, i.e. relying on mere passwords rather than data encryption, sending confidential information via a standard internal mail system, handing off responsibility for shipping confidential information to junior staff, etc. If those are matters of policy within HMRC then there are serious questions to be asked right up to ministerial level – the Government can and should, quite rightly, be held to account for policy failings.

If, on the other hand, all this has come about because HMRC staff have disregarded policy and operated outside specified data security procedures then one can no more hold Alistair Darling personally responsible for the loss of this information than one could reasonably hold the CEO of a private sector corporation to account on discovering that an office junior has been nicking paper-clips. The real lesson here is one that techies like myself and Dizzy know full well, from years of experience, for all that it is too often overlooked in political debates surrounding data security and identity theft: no matter how much time, effort and resources you put into data security, your system is only ever as secure as its weakest link, which has two arms, two legs and a basic ‘operating system’ that hasn’t been substantially upgraded for a couple of hundred thousand years – people.

No government, and certainly no individual minister, can legislate absolutely for individual acts of gross incompetence (or corruption) amongst civil servants working in locations far removed from Whitehall; the best they can do is hope that oversight procedures are sufficiently robust as to weed out the ‘problem’ employees before they cause major problems.

People routinely do really stupid things.

They write the PIN numbers for their credit and debit cards on a slip of paper and keep it in their wallet with their cards so they don’t forget the numbers. They use the same passwords on every website and on-line system they use, use obvious and easily cracked passwords and – as I’m sure Dizzy will also know from experience – complain bitterly about being required to change their passwords regularly and use ‘strong’ passwords (i.e. minimum eight characters including both letters and numbers). They also put bank statements and other letters in the bin without shredding them, respond to emails from their ‘bank’ asking them to resubmit their username and password by passing on the information without checking exactly where it’s being sent to and, of course, they send personal information and bank account details to all manner of fake lottery scams, Ponzi schemes and Nigerian generals without a thought, even though such scams are more than well-enough documented.

So far as I can see, at this stage, the government have made the best of a very difficult situation – they were certainly correct in choosing to delay the announcement of the loss of these two CDs until the banks had been given time to ramp up their own security checks and monitoring of ‘unusual’ activity before going public with the news. Quite who might be culpable for the failing that led to this incident and to what extent responsibility can be legitimately ascribed to the various parties involved (HMRC, Treasury, etc.) is yet to be seen and should, rightly, be the subject of an inquiry as soon as the police and IPCC investigations are concluded – one would expect that the Public Accounts Committee will be ‘clearing the decks’ in anticipation very shortly, if they’ve not started already.

In the meantime, much of the speculation surrounding this issue is, to say the least, unhelpful, if not entirely nonsensical.

Both Iain Dale and Dizzy query the assertion that the individual most responsible for the loss of the data was a ‘junior official’:

One thing I am waiting on is for a newspaper to identify the idiot who put the discs in the envelope. How junior was this person? I suspect that they aren’t very junior at all, because if they were, they presumably wouldn’t have access to the full data. Or would they? If a junior typist can get access to such data then we all ought to be even more worried than we already are! – Iain Dale

It was a ‘junior official’ that did it – what is a junior official doing having read access to that data? How did they get the data? Did they extract it themselves? If so what does this say about the system’s internal policy procedures that someone who should not have done this had access to production data? Who else, and how many more junior officials have this level of access to this sort of data across Government? – Dizzy

At this stage, it’s not clear whether this junior official had access to the data on the CD – or any data for that matter – as they may simply have had the task of shipping the CDs delegated to them, but even if the official in question did have access to the data then their apparent lack of seniority in Civil Service terms may have no bearing whatsoever on the question of whether they should have access to this data. The vast majority of data handling jobs, whether in the Civil Service or in the private sector, are routinely considered to be of a relatively low (or junior) status because those jobs revolve around managing information rather than managing people. In fact, the further up the corporate hierarchy one gets, the less likely it is that you’ll actually get your hands ‘dirty’ by dealing directly with this kind of raw information, not when you have subordinates to generate summaries for you. As Dizzy, at least, should know, in a modern corporation no one has greater access to confidential information than the IT department, even though the staff who tend to have the greatest degree of access (operators and data controllers/analysts) are amongst those with the lowest status in the office.

Meanwhile, if you’ve got any sense at all then you’ll completely disregard the ‘advice’ of Iain Dale and his ‘legal friend’ on the subject of suing the government for losing this data:

I asked a legal friend of mine to look at the Data Protection Act and ask if HMRC could be sued over losing 25 million child benefit records. In short, he says there is no exemption for government in this area. He says Schedule 1 of the Data Protection Act is relevant here…

…My contact gives a lot of other reasons why a law suit could work, but they are very technical so I won’t bore you with them here.

Before getting too carried away, Iain’s friend should have paid rather more attention to section 13 of the Data Protection Act 1998, which makes it perfectly clear that a civil action can be taken out under DPA only where an individual ‘suffers damage’ – which will mean primarily a material loss or loss of reputation – or ‘suffers distress’ in addition to damage or where a breach results in personal information hitting the public domain via journalism or in an artistic or literary work.

So unless your bank account does get reamed or personal information shows up in the Sundays and you can show that this is a result of the loss of these CDs and not for other reasons – which is a tough ask – then forget the idea of suing the government.

(It’s also worth recalling at this point, before the Tories get too full of themselves on this issue, that one of John Redwood’s proposals for increasing economic competitiveness was to scrap the Data Protection Act. Can we now take it that that idea has gone by the wayside?)

And to kill off another myth that’s rapidly circulating, no this does not mark the end of the Identity Cards project either. Darling has already been quick off the mark with one obvious line:

The chancellor defended the government’s plans to introduce ID cards. He said that without the protection of the scheme, information was more vulnerable than it should be.

And from a pure data security standpoint, there is no better ‘argument’ for pressing ahead with a ‘clean’ NIR system than an incident in which another key data system, the National Insurance Number, could be compromised on such a massive scale. If these CDs have got out ‘in the wild’ then one of the corrective measures the government should take is to issue new NI numbers to all affected individuals, and it’s but a short step from there to the suggestion that the National Identity Registration Number should replace the NI number, which is precisely where things will be heading over time in any case.

No, the National Identity Register is far from being dead in the water at this stage. In fact, once the dust settles you can expect to see this incident spun as further justification for the introduction of the system on the premise that it will add an extra layer of security.

In all this, the one sensible suggestion I’ve seen is this:

What’s more, there should be an Information Security Committee drawn up that oversees Government systems. This should be a body that places information security at its core, not political expedience and be independent of Government. It should be made up of people that actually know about this subject and are not afraid to say “No” and block a system from going live or take a system off-line when it fails to meet the required standards. There should also be a ministerial level role specifically for information security and legislation should ensure that the buck stops at this position.

That’s Dizzy again, and he’s absolutely spot-on with his ideas. The government, and the Civil Service, don’t pay enough attention to information security, precisely because most of those in key policy and decision-making positions simply lack the knowledge and understanding of the issues necessary to take those kinds of critical decisions.

Having given this much thought over the last year or so, let me very briefly put up a suggestion that I’ll return to in due course, one that may prove a touch controversial in some quarters – the suggestion that we may actually need a national identity system…

…just not the one that the current government are seeking to implement.

I’ll leave that hanging for the moment, aside from pointing to one of the key things I’ll be raising when I return to the subject. See if you can work out exactly how the concept of ‘zero-knowledge proof’ comes into this debate and how that might change its parameters considerably.

UPDATE – 22/11

The story has moved on this morning, largely thanks to a memo obtained by Edward Leigh MP, Chairman of the Public Accounts committee, from John Bourn, the head of the National Audit Office:

Ministers insist a mistake by a junior official led to the loss of the data – which includes bank account details – by HM Revenue and Customs (HMRC).

But the Conservatives say the fault lies in part with senior management.

They say the National Audit Office, which was due to receive the two discs sent via internal mail, had asked for bank account details to be removed.

But HMRC allegedly declined the request as it would be “too costly and too complicated”.

Shadow Chief Secretary to the Treasury Philip Hammond said: “It was made clear the Revenue would not be able to make it available in that form because it would involve an additional payment to an IT firm.”

He said an assistant director at HMRC was copied in on the decision by e-mail.

“Alistair Darling told the House of Commons this was a single maverick junior official operating in contravention of the rules,” Mr Hammond told the BBC.

“This seems to suggest a decision was made at a senior level not to desensitise the data simply to reduce costs.”

He called on the chancellor to say whether he knew senior officials were involved in the decision before he made his Commons statement on Tuesday.

Clearly, if any of this is accurate, then there are some serious issues to be dealt with, of which the question of what Alistair Darling might have known, and when, is of relatively minor importance outside the confines of the Westminster Village.

First and foremost, just what the hell kind of contract does HMRC have with EDS if it entails additional payments for obtaining properly sanitised audit data? Civil Service IT procurement is renowned for being, well, crap at the best of times, but to omit basic audit provisions from the standard contract seems to amount to incompetence on a staggering scale, when it relates to a government department with major audit responsibilities.

Next, allowing for the fact that it appears that this whole farrago may stem from a decision in senior management to put saving money ahead of data security, exactly who made that decision and, more importantly, what knowledge, experience and understanding of data security do they possess of the kind that might reasonably qualify them to make such a decision? You’ll excuse me for being a tad suspicious here, but I have to think that the individual in question is likely to be one who possesses the kind of IT/Information Systems background that would leave them struggling to move a mouse and chew gum at the same time.

This backs up Dizzy’s point about the need for an Information Security Committee and Commissioner – it doesn’t matter how far up the Civil Service food chain the buck stops, the individual in question should not have had the authority to override what are, to an IT professional, very basic security protocols.
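The memo’s point, that the extract went out with bank details left in because desensitising it would have cost extra, is the one worth working through, since it is exactly the sanitisation step that Dizzy’s comments below also call for. As an added example, not HMRC’s, the NAO’s or the page’s own code, and with a constructed record layout and made-up values, here is what a sanitised audit extract plus a pre-dispatch check look like in Python; the NI number, sort code and account number patterns are assumptions about those formats.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample in the shape the article describes (names, addresses,
# dates of birth, bank account details, NI numbers). Every value is made up;
# the second row is a deliberate duplicate claimant so that de-duplication
# can still be done on the sanitised output.
SAMPLE_CSV = """ni_number,name,address,date_of_birth,sort_code,account_number,weekly_amount
QQ123456A,Jane Example,1 Made-up Street,1975-03-02,12-34-56,12345678,18.10
QQ123456A,Jane Example,1 Made-up Street,1975-03-02,12-34-56,12345678,12.10
QQ654321B,Ali Sample,2 Fictional Road,1980-11-30,65-43-21,87654321,18.10
"""

# Fields that never leave the production system. The auditor gets a stable
# pseudonym per claimant, a coarsened date of birth and the payment figures.
DROP_FIELDS = ("name", "address", "sort_code", "account_number", "ni_number")

# Patterns the pre-dispatch gate looks for in whatever is about to be shipped
# (assumed formats: NI number, UK sort code, 8-digit account number).
IDENTIFIER_PATTERNS = {
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "account_number": re.compile(r"\b\d{8}\b"),
}


def load_rows(raw_csv: str) -> list[dict]:
    """Parse the raw extract into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(raw_csv)))


def pseudonymise(ni_number: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the NI number. The same NI number always
    maps to the same reference, so the auditor can count and de-duplicate
    claimants, but without the key, which stays on the production side, the
    reference cannot be mapped back. A plain unkeyed hash would not do: the
    NI number space is small enough to enumerate and hash in full."""
    digest = hmac.new(key, ni_number.strip().upper().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def sanitise_extract(raw_csv: str, key: bytes) -> list[dict]:
    """Build the audit extract: drop bank and contact details, replace the
    NI number with a pseudonym and coarsen the date of birth to a year."""
    out = []
    for row in load_rows(raw_csv):
        out.append({
            "claimant_ref": pseudonymise(row["ni_number"], key),
            "year_of_birth": row["date_of_birth"][:4],
            "weekly_amount": row["weekly_amount"],
        })
    return out


def scan_for_identifiers(rows: list[dict]) -> list[tuple[int, str, str]]:
    """Gate run on the data actually being dispatched, not on the process
    that was supposed to produce it: returns (row index, field, pattern name)
    for every value that still looks like a raw identifier."""
    findings = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            for name, pattern in IDENTIFIER_PATTERNS.items():
                if pattern.search(value or ""):
                    findings.append((i, field, name))
    return findings


def ready_to_ship(rows: list[dict]) -> bool:
    """True only if no dropped field survives and the scan finds nothing."""
    if any(f in row for row in rows for f in DROP_FIELDS):
        return False
    return not scan_for_identifiers(rows)


if __name__ == "__main__":
    key = b"constructed-demo-key-kept-on-the-production-side"
    raw = load_rows(SAMPLE_CSV)
    print("raw extract shippable?", ready_to_ship(raw))          # False
    clean = sanitise_extract(SAMPLE_CSV, key)
    print("sanitised extract shippable?", ready_to_ship(clean))  # True
    print("distinct claimants:", len({r["claimant_ref"] for r in clean}))
```

The gate is the part that matters: a process that relies on someone remembering to strip the columns is the “people” weak link the article describes, whereas a check on the outbound data refuses to ship the raw extract whatever the process did.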

Answer those questions and then we can get around to what Alistair Darling knew, or didn’t know, on Tuesday – and to be fair to him, I cannot think that he would deliberately have misled the House on an issue of this importance, which rather suggests that he’s been comprehensively ‘Sir Humphrey’d’ by an underling, the kind of underling who should now be expecting a P45 in the post.

One still has to be a touch careful here, not least because there are some signs of a ‘not me Guv!’ turf war brewing between HMRC and NAO, but all this does seem to reinforce the impression that there are systemic failures at work here of a kind that seem all too common in the modern Civil Service.

Personal note: If I can crave a moment’s indulgence, problems with a domain registrar have resulted in MoT’s domain going off-line until I can sort out a few things with Nominet. In the interim (and probably permanently as I may just use a redirection when I get this sorted out), my personal blog, the Ministry of Truth, has moved to a new url – http://www.ministryoftruth.me.uk.



About the author
'Unity' is a regular contributor to Liberal Conspiracy. He also blogs at Ministry of Truth.


Story Filed Under: Blog ,Civil liberties ,Crime



Reader comments


apparent lack of seniority in Civil Service terms may have no bearing whatsoever on the question of whether they should have access to this data

This is a bit of misrepresentation of my point to be fair. Access to production data off the production system is not something that anyone should have, period. Not unless you have a full sanitisation process in place. The fact that someone had 25 million records on their desktop machine to burn onto a CD (why did they have a burner?) is pure insanity. I agree with your point about the junior versus senior bit though. My point was more that someone was able to do this and was someone in a less senior role with the wise experience like ours on their shoulders perhaps?

“As Dizzy, at least, should know, in a modern corporation no one has greater access to confidential information than the IT department, even though the staff who tend to have the greatest degree of access (operators and data controllers/analysts) are amongst those with the lowest status in the office.”

Not in big corporations that have to work in the realm of Sarbox or PCI Visa compliance they don’t. All root and superuser passwords should be kept in a firesafe and only two people know the combination (to reduce the drop dead scenario). No one that is not an operational administrator of the system should have read access to manage entire dumps of the database. If the system has been designed to allow people to generate dumps via an interface then that is bad security design. Full production data in the commercial world of this nature should always be sanitised before it reaches someone’s desk to ensure this sort of thing does not happen.

Glad you liked the other stuff though. And I agree regarding ID cards. I said it yesterday as well. This will be used to justify it, not kill it.

Nevertheless it’s a very disturbing thing, especially linking bank account details with children’s names… and it’s no good telling people not to use children’s names as passwords – they just do..

“And from a pure data security standpoint, there is no better ‘argument’ for pressing ahead with a ‘clean’ NIR system than an incident in which another key data system, the National Insurance Number, could be compromised on such a massive scale.”

…Until the NIR database dump CDs get lost in the post, that is.

Good comments.

>What’s more, there should be an Information Security Committee drawn up that oversees Government systems. This should be a body that places information security at its core, not political expedience and be independent of Government.

I would hope that that has been in place for fifteen years or more already (?)

The best analogy I have (having worked as an IT Manager in NATS) is that data security needs to permeate the organisation as safety does for both ATC and Nuclear.

A key question is how such a culture is dislocated by changes

Hence – beyond the political punch-up (and there are some valid political aspects to this such as the way warnings have been brushed aside) – there needs to be a bi-partisan approach.

I’d like the HoL to do the enquiry, but I don’t see it happening.

>A key question is how such a culture is dislocated by changes

Sorry … dislocated by political changes every few years.

Two CDs or Not Two CDs

I think we all agree, it’s a very CD affair…

What Dizzy said.

They will use this to push for ID cards.

Just reading my comments back to myself now that I am home and wanted to say to Unity that I wasn’t having a pop at him in case he thinks I was. I think we’re largely on the same page on this. I also agree with what Matt said regarding how the solution must be bi-partisan, although to be honest it should be totally politics free (I know, unlikely). Data security doesn’t care what party you support.

9. Innocent Abroad

An excellent article, Unity.

There’s only one problem. You (and Dizzy) are writing about the facts. Politics is more about narratives, however. The narrative is that government will abuse the information it collects on us – whether through malice or incompetence doesn’t really matter. (One more fact, before I go on: our political leaders and top civil servants are still computer illiterates. Difficult to see banana skins if you don’t know what a banana is.)

People won’t trust ID cards either to be secure or not to be abused. I don’t, lots of us don’t, and I don’t even think you’ll make much effort to persuade me otherwise. (Nick Palmer MP did his best a while back on Mike Smithson’s site and lost his cool in the process, a thing he never normally does.)

The Tories also have a problem here because the police and security services are 101% signed up for them, and they won’t change their mind because a new set of ministers has turned up. They’d be well advised to use some weasel words in their next manifesto.

The really creepy bit is the “joining up” of personal information across government. Apart from anything else, this information has considerable commercial value (dunno if any of the experts around here would care to price it) which will represent a standing temptation to government to flog it off (they can change the law by ministerial order these days, remember) to balance the books.

In the meantime, the government looks utterly incompetent – I’ve never agreed with a “Daily Mail” headline before, but I did to-day – and they won’t recover. The last thing they – or we – need with the banking system so fragile (and if people decide to trade elsewhere than the City of London our standard of living will start to crumple and the good citizens of Warsaw and Belgrade will be complaining that the Brits are stealing all their jobs) is a government perceived to be a bunch of clowns. (Actually I want to use another word, but I’m trying to stay within the house style).

In 1983 Labour lost 120 seats in the General Election. I reckon they’re on course to repeat that.

I can’t agree more with Dizzy’s point that –

— ‘The fact that someone had 25 million records on their desktop machine to burn onto a cd (why did they have a burner?) is pure insanity.’

All very well blaming the junior muppet for posting the CDs, but the fact that he or she had access to the data on a CD shows the problem to be much more systemic than a simple ‘whoops’ moment. Unless there is a fundamental rethink of how data is treated from start to finish across all departments (local and central), and a value placed upon information, this is likely to reoccur.

If our personal data is viewed as ‘cheap’, small wonder it is treated with little respect. Call it £4 a record (would you value your personal data so low?), and ask which government techie thinks it should be remotely possible to courier £100 million between offices.

Innocent Abroad says: In 1983 Labour lost 120 seats in the General Election. I reckon they’re on course to repeat that. Bloody hell, we had better find a pile of seagull shit in the South Atlantic to have a war about then, because in 1981 Thatcher was set to be wiped off the planet!

Listening to the junior minister on Newsnight last night was just a joke. She assured us that procedures had been changed to make things safe, and then complained that the problem was with people not following procedures. That’s pathetic. The idea of procedures (and more importantly the infrastructure to back them up) is that it should not be possible to ignore them.

The metaphor I like is industrial machinery. They have light beams, guards and multiple operating buttons to ensure that you can’t chop your arm off unless you really really want to. As has been noted, how could a junior get access to this data, and a CD burner at the same time. If they could, it’s not the junior’s fault.

I get the feeling that the government’s IT security is just not a priority. It’s a detail, which gets tacked on when they have the time to think about it. Which mostly they don’t, and then as a quick fix they stick to methods that are more suitable for desktop systems.

Again, what GeorgeS says. The procedures need to be that someone really has to try hard to do the wrong thing and it is not oversight if it happens.

The Government is like the Windows PCs of the past, with all the firewalls switched off by default. Oh, and overpriced (for what you get), bloated, ugly, unreliable and intrusive.

This whole issue demonstrates the need to protect against identity theft. I have made a short video in response to these events, which shows what the government should have done.

This wouldn’t happen if the government didn’t have that data in the first place. Why can’t you see that is the root problem?

Max said
“This wouldn’t happen if the government didn’t have that data in the first place. Why can’t you see that is the root problem?”

Quite true. If there is no national ID database then there’s nothing to expose.
Ministers may still want their ID card project but the voting public will make it clear where they can stick it.

Bob/Max:

It’s a little more complicated than you suggest. Wait for pt2 and I’ll explain why…

soo Unity, kindly do explain. . . quite interested in what you have to say –

Soo Unity,

kindly do explain. . . am quite interested in what you have to say –

another 600k were lost recently. . .


Reactions: Twitter, blogs
  1. There is a system problem « OurKingdom

    […] of information rather than the ID card itself. Two recent posts on the issues are by Unity in Liberal Conspiracy and also Dizzy whom Unity links to. The techies are getting cross at the superficial politicisation […]

  2. The Tories and the Data Protection Act « Flip Chart Fairy Tales

    […] Protection Act 22 November, 2007 Posted by Rick in Uncategorized. trackback Someone else has noticed that Conservative MP John Redwood wants to repeal the Data Protection […]

  3. The Great Blogging Divide

    […] Update. Well, there’s this by Unity. […]




