Loss of United Kingdom Child Benefit Data (2007) - The Loss

The Loss

The discs were sent by junior staff at HM Revenue and Customs (HMRC) based at Waterview Park in Washington, Tyne and Wear, to the National Audit Office (NAO), as unrecorded internal mail via TNT N.V. on October 18. On October 24 the NAO complained to the HMRC that they had not received the data. On November 8, senior officials in HMRC were informed of the loss, with Chancellor of the Exchequer, Alistair Darling being informed on November 10. On November 20, Darling announced:

The lost data was thought to concern approximately 25 million people in the UK (nearly half of the country's population). The personal data on the missing discs was reported to include names, addresses and dates of birth of children, together with the National Insurance numbers and bank details of their parents.

The "password protection" in question is that provided by WinZip version 8. This is a weak, proprietary scheme (unnamed encryption and hash algorithms) with well known attacks. Anyone competent in computing would be able to break this protection by downloading readily-available tools. WinZip version 9 introduced AES encryption (with unnamed hash algorithms), which would have been secure and only breakable by correctly knowing the passphrase.

In a list of frequently asked questions, on the BBC news web site a breakdown of the loss was reported as being:

• 7.25 million claimants
• 15.5 million children, including some who no longer qualify but whose family is claiming for a younger child
• 2.25 million 'alternative payees' such as partners or carers
• 3,000 'appointees' who claim the benefit under court instructions
• 12,500 agents who claim the benefit on behalf of a third party

Whilst government ministers claimed that a junior official was to blame, the Conservatives said that the fault lay in part with senior management. This was based on a claim that the National Audit Office had requested that bank details be removed from the data before it was sent, but that the HMRC had denied this request, because it would be "too costly and complicated". Emails released on 22 November confirmed that senior HMRC officials had been made aware of the decision on cost grounds not to strip out sensitive information. The cost of removing sensitive information has been given as £5,000. Although the cost was found to be substantially less (£650) in an academic study.

According to a IT trade journal Computer Weekly, it said that back in March 2007, the NAO had asked for completed information of the child benefit database to be sent by post on CDs, instead of a sample of the database. The first time this was done, things went smoothly, and the package was registered post. However this time, it was unregistered through the courier.

It was later revealed on the 17 December 2007, that the data protection manual for HMRC was in itself under restriction to only senior members of staff, not junior civil servants who had just a summary of what the manual says on security.

This was followed by several other data scandals. On the 17th of December, it was revealed by Ruth Kelly that the details of three million L-drivers were lost in the USA. However, name, address, phone number, the fee paid, the test centre, payment code and e-mail were the only details lost, so not much of a panic was caused due to little risk of fraud. On the 23 December, it was revealed that nine NHS trusts had also lost the data of hundreds of thousands of patients, some of it archive information, some of it medical records, contact details and soft financial data. A few other trusts also lost data, but found it fairly quickly. Several other UK firms have also admitted security failings.