Child Benefit Details Lost

[Paul Clement]

From BBC News:

Darling admits 25m records lost

Alistair Darling
The chancellor urged people to monitor their bank accounts

Alistair Darling
Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing.

The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25m people.

Chancellor Alistair Darling said there was no evidence the data had fallen into criminal hands - but urged people to monitor their bank accounts.

The Conservatives described the incident as a "catastrophic" failure.


CHILD BENEFIT HELPLINE
0845 302 1444

In an emergency statement to MPs, Mr Darling apologised for what he described as an "extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines".

MPs gasped as Mr Darling told them: "The missing information contains details of all Child Benefit recipients: records for 25 million individuals and 7.25 million families. "


Police at HMRC Tyne and Wear
The police are not aware of any evidence that it has been used for fraudulent purposes or criminal activity
Alistair Darling
Chancellor

Point-by-point: Darling
Q&A: Records lost

The chancellor blamed mistakes by junior officials at HMRC, who he said had ignored security procedures when they sent information to the National Audit Office (NAO) for auditing.

Mr Darling told MPs: "Two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's internal post system operated by the courier TNT.

The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO."

He added: "The police tell me that they have no reason to believe that this data has found its way into the wrong hands.

"The police are not aware of any evidence that it has been used for fraudulent purposes or criminal activity."

Fraud protection

The HMRC has set up a Child Benefit Helpline on 0845 302 1444 for customers who want more details.

The data was sent on 18 October and senior management at HMRC were told it was missing on 8 November and the chancellor on 10 November.


MISSING DATA INCLUDES...
National insurance number
Name, address and birth date
Partner's details
Names, sex and age of children
Bank/savings account details

Mr Darling said banks were adamant that they wanted as much time to prepare for his announcement as possible.

He added: "If someone is the innocent victim of fraud as a result of this incident, people can be assured they have protection under the Banking Code so they will not suffer any financial loss as a result."

Mr Darling said people should monitor their accounts "for any unusual activity".

Chairman resigns

He said police were investigating the disappearance of the two discs. He also announced that the Independent Police Complaints Commission (IPCC), which monitors HMRC, was likely to investigate the incident.

It is the latest and by far the most serious of a string of missing data incidents at HM Revenue and Customs.


WHAT CAN YOU DO?
Check your bank statements for odd transactions
Monitor your account if you bank online
Change your account password if it is a date of birth or name
Source: Apacs

How worried should you be?

HMRC chairman Paul Gray resigned earlier after the latest incident came to light.

Shadow Chancellor George Osborne said: "Let us be clear about the scale of this catastrophic mistake - the names, the addresses and the dates of birth of every child in the country are sitting on two computer discs that are apparently lost in the post, and the bank account details and National Insurance numbers of 10 million parents, guardians and carers have gone missing.

"Half the country will be very anxious about the safety of their family and the security and the whole country will be wondering how on earth the government allowed this to happen."

'Ancient' computers

He urged the government to "get a grip" and said it was the "final blow for the ambitions of this government to create a national ID database" as "they simply can not be trusted with people's personal information".

Liberal Democrat Acting Leader Vince Cable said it was now the Treasury and not the Home Office that was "not fit for purpose".


CHILD BENEFIT
Part of child benefit form
Available to the parents, normally mother, of every child in UK under 16
Older children in full-time education still eligible
Taken up by almost 100%
It amounts to £18.10 a week for a first-born child
For subsequent children - it amounts to £12.10 a week

Timeline: Benefit records loss

"Why does HMRC still use CDs for data transmission in this day and age? The ancient museum pieces it is currently using for computing must be replaced.

"After this disaster how can the public possibly have confidence in the vast centralised databases needed for the compulsory ID card scheme.

"Where does the buck stop after this catalogue of disasters?"

Giving his reaction, the Information Commissioner, Richard Thomas, said: "This is an extremely serious and disturbing security breach."

Mr Thomas welcomed the Chancellor's announcement of an independent review of the incident by Kieran Poynter of PricewaterhouseCoopers and said he would decide on further action once he has received the report.

"Searching questions need to be answered about systems, procedures and human error inside both HMRC and NAO," said Mr Thomas.

The prime minister's official spokeswoman said Gordon Brown has "full confidence" in Mr Darling. She added that Mr Darling has not offered to resign.

[Paul Clement]

What really bugs me about this is how the Conservatives are jumpin on the Government about this. It's terrible that it's happened, but the procedures in place are similar to those that have been in place for a number of years and this could have happened just as easily under a Conservative or Liberal Government.

The fault lies with the HMRC and hopefully the incompetents who did it will be sacked, though we'll probably never find out.

[Si Hunt]

I agree it would have been refreshing if the shadow chancellor had stood up and said "Fair dos, anyone can make a mistake!" but... sorry, the government deserve all they get over this!

It's the scandal of the decade! Twenty three million peoples bank details popped into the post, unrecorded and untracked! And then LOST! What ON EARTH were they thinking!?

Si.

[Paul Clement]

How is that the Government's fault though? It was Civil Servant's at the HMRC who were responsible for the disks being lost, not the Government.

I agree that the loss is disgusting, but the blame should be laid at the feet of the people responsible and not at the feet of people that never had contact with the disks in the slightest.

[Si Hunt]

Okay, I'm not sure who's responsibility this is. I only caught the seriousness of the story on the evening news, when the chancellor was having to stand up and say "sorry". I took that to mean the Government were taking responsibility for this.

Si.

[Captain Tancredi]

To put it in perspective, I dealt with a much smaller but similar kind of thing in work today. We've taken a charge over some shares, and the share certificates are supposed to be sent up to us and then we send them special delivery to our nominee company, who control them for us. On this particular occasion, they weren't sent special delivery (which could be something as simple as one of the post room staff missing the fact that the parcel had "DX Special Delivery" on the front, or putting it in the wrong basket) and (sod's law) have gone missing. Unfortunately systems break down and people make mistakes- the only really reliable means of transferring confidential information between offices is by courier, where a known individual has the disks/papers/whatever until somebody signs for it at the other end. Perhaps one person didn't write the right thing on the envelope and somebody else in the post room put it in the wrong pigeonhole- it's as easy as that. Nobody has yet found a cure for human error.

[Larry]

How is that the Government's fault though? .

I work for HMRC, and believe me this latest incident is typical of the incompitant way the department is run - and there won't be to many people at the lower grades who will be sad to see chairman Paul Gray, resign.

but Paul, in the last few years we have seen office closures plus almost 12,000 job cuts in HMRC over the last few years. The government then want to axe a futher 12,000 jobs by 2012 ,with more office closure.

Staff are working under tremendous preasure with new impossed work practices and moral is almost non existant and customer service is suffering as a result. so it is very unfair of you to blame HMRC.

Paul Grey, is not the only one who should resign over this who ever gave the ok to send these discs in the post in strict breach of department regulations should also be made to resign.

But it makes me bloody mad is they are blaming junior officals - The blame for this in no way should be put on those people working in the post room at the office concerned as they will not of known what was being sent out.

[Si Hunt]

Unfortunately systems break down and people make mistakes- the only really reliable means of transferring confidential information between offices is by courier, where a known individual has the disks/papers/whatever until somebody signs for it at the other end. Perhaps one person didn't write the right thing on the envelope and somebody else in the post room put it in the wrong pigeonhole- it's as easy as that. Nobody has yet found a cure for human error.

I'm going to play devil's advocate and say that I don't think it's good enough to say "people make mistakes". These are peoples bank details here for goodness sake! There should be procedures, and people MAKING SURE they are implemented. And other people watching them! Some things are so important you ensure that they can't be lost by human error. And twenty million peoples bank details is one of them!

Si.

[Larry]

". These are peoples bank details here for goodness sake! There should be procedures, and people MAKING SURE they are implemented. And other people watching them! Some things are so important you ensure that they can't be lost by human error. And twenty million peoples bank details is one of them!

Si.

problem is if as I suspect the decision to send these discs was made at inspector/senior management leval it is not for those of us at the lower grades to question them and as I said those people sending them out were probably unaware of what they were.

[WhiteCrow]

But it makes me bloody mad is they are blaming junior officals

This is the way of the world. When I worked at EDS there was a huge cock up by the company, and they lost an important contract.

There was an investigation and it was announced it was all employees fault for not communicating problems to management. I knew people who worked there and they said everyone had tried doing this, but management just ignored such talk, or sidelined such people.

The high level corperation was so impressed they promoted the morons, I mean managers to where they could wreak even more damage, whilst everyone who worked on the project had a black mark and a pay freeze.

[Captain Tancredi]

I'm going to play devil's advocate and say that I don't think it's good enough to say "people make mistakes". These are peoples bank details here for goodness sake! There should be procedures, and people MAKING SURE they are implemented. And other people watching them! Some things are so important you ensure that they can't be lost by human error. And twenty million peoples bank details is one of them!

Si.

Thing is, if you have sensitive financial information there are only so many ways you can send it from one part of officialdom to the other. You could have a secure portal between the HMRC and NAO networks to enable it to be sent electronically, but that would cost money to set up. It looks to me as if the management responsible for deciding how the details are sent has taken a cheaper option and ended up paying for it- they paid for a courier service, but not a traceable one, and now they're having to face up to that. It's certainly something I've come across in the past when for various reasons management have decided that all post goes out second class unless requested otherwise, or on one occasion to sack all our temps and re-hire a new lot three weeks later so that our staffing budget balanced at the year end.

[Paul Clement]

but Paul, in the last few years we have seen office closures plus almost 12,000 job cuts in HMRC over the last few years. The government then want to axe a futher 12,000 jobs by 2012 ,with more office closure.

Staff are working under tremendous preasure with new impossed work practices and moral is almost non existant and customer service is suffering as a result. so it is very unfair of you to blame HMRC.

I work in a Government department that has faced similar closures and job cuts, and yes, we too have poor moral in the workplace, but at the end of the day, we are still expected to go about the work we are paid to do in a professional way. Someonee, somewhere within the HMRC didn't on this occasion and I agree that the responsibility shouldn't be placed on the lads in the post room, but the person responsible is definitely going to be a HMRC employee as opposed to a member of the cabinet. Which seems to be overlooked by the baying opposition party at present.

[WhiteCrow]

Sounds like one of the biggest Goverment organisations is woeful in it's adherence to the Data Protection Act.

[Si Hunt]

It looks to me as if the management responsible for deciding how the details are sent has taken a cheaper option and ended up paying for it- they paid for a courier service, but not a traceable one

But it was two discs! Surely it can't have cost that much to have it recorded, given they were already paying for it to be couriered! In fact, what courier DOESN'T keep a trace? What's the point of it otherwise, apart from speed? Royal Mail charges 65p for a package to be recorded!

So it can't be cost, it just can't. It's incompetence, pure and simple. And staggering incompetence at that!

Si.

[Pip Madeley]

I'm with Si on this, it's absolutely idiocy that such valuable information was lost in this way. The advice of the experts is to check your bank statements for any irregularities, and change your banking password/question if it involves any information to do with your benefits records.

[Larry]

But it was two discs! Surely it can't have cost that much to have it recorded, given they were already paying for it to be couriered! In fact, what courier DOESN'T keep a trace? What's the point of it otherwise, apart from speed? Royal Mail charges 65p for a package to be recorded!

So it can't be cost, it just can't. It's incompetence, pure and simple. And staggering incompetence at that!

Si.

it's been many years since I last worked in the post room so I am out of touch with how and what should be recorded the company involved TNT, are used by HMRC, to deliver all internal and post going to other offices. I don't believe that all the post sent via TNT is recorded and it is possible that these discs were just put in one of our plastic polypack envelopes passed on to the post room with no instructions as to what to do with them.

But the reality is who ever gave the order for these records to be down loaded onto a cd should be sevearly disciplined and sacked for gross negligance.

[Si Hunt]

it is possible that these discs were just put in one of our plastic polypack envelopes passed on to the post room with no instructions as to what to do with them.

Why was that? Is it to keep them confidential, or due to error? That's just ludicrous isn't it!

But the reality is who ever gave the order for these records to be down loaded onto a cd should be sevearly disciplined and sacked for gross negligance.

I agree. Who-ever was responsible for the data should be reprimanded.

So is data not usually downloaded onto CD then? You'd hope if it was there'd be some kind of version control/tracking.

The quality control people (TickIt or whoever) are going to have a riot at your next audit!

Si.

[Pip Madeley]

They should send that kind of information by Securicor, never mind a mail courier.

[Si Hunt]

http://cgi.ebay.co.uk/Two-CD-Rs-Have...QQcmdZViewItem

Si.

[Dirk Gently]

@Si's link. Do you think it's going to last the day before e-bay get rid of it?

[Jason Thompson]

One thing that sprung out at me:

Why does HMRC still use CDs for data transmission in this day and age? The ancient museum pieces it is currently using for computing must be replaced.

What the hell is this person talking about? Is there something wrong with CDs as data records? They're a universal medium that virtually every computer in existence can read. What does he propose instead? Was he seriously suggesting transferring 2 discs' worth of information by e-mail?

[Rob McCow]

Apparently, 25 million names and addresses would fill up more space than is available on 2 CDs. Either DVD's were used or the files were heavily compressed.

Isn't it more common to hold data like this on a central server and make it accesible to those who need it?

[Pip Madeley]

Is there something wrong with CDs as data records?

Depends on the quality of the disc, really. A hard drive with protective case is better.

[WhiteCrow]

Apparently, 25 million names and addresses would fill up more space than is available on 2 CDs.

No - its possible. Assuming the database is an SQL database, and the idiot responsible did some kind of SELECT statement to extract the data, I worked out how many bytes of data you'd need per record based on my work for the DCA, and it should be possible to have over 4 million households of data on each CD, with people's ID crosslinked against address using a linked list.

Seems adequete.

[Larry]

I have to be honest I'm a bit curious as to why the Audit office even wanted this info - ok they don't as far as I know have access to the HMRC Data base - I can't see them wanting to review 25 million records.