Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

CyTRAP Labs disaster monitor – 25m child benefit records are lost – 7 questions that must be answered to learn from this disaster

November 21st, 2007 · No Comments ·

Recently we brought you:

5 data security breach regulation – judge is spelling out the exact costs for TJX

CyTRAP Labs regulation watch – Annual Report to Parliament 2006-2007 – Privacy Commissioner of Canada

What have HSBC, UBS and the Bank of England and others in common? Insecure onlin banking services

UK Government loses personal data of 25m child benefit records
2007-10-18 the UK’s entire child benefit database was sent by a junior official from HM Revenue & Customs in Newcastle to the audit office in London using TNT as the courier.
We tell you the facts and more

The 25 million records contain the personal details of all child benefit recipients in the UK. with information including:

dates of birth,
bank account (7.25 mio child benefit recipients’ bank account details) and
National Insurance numbers.


The status of these discs is unknown, with the Metropolitan Police currently investigating the event. The Chancellor of the Exchequer, Alistair Darling MP, has stated that there is no suggestion that anything untoward had happened as a result of the discs’ loss to date.

Nonetheless, of concern is that should any of the two CDs fall in to the wrong hands, the information could be useful to criminals, and aid identity fraud or identity theft.

The lost information will be extremely useful to any paedophile who might target children and pose as their parents.

And no, the above disaster is not just a British problem as this story shows:

3 security – data theft: the failures in the U.S.

Below it shows you the screen shot that we found on e-Bay Yes, apparently somebody found the CDs and thought to open a bidding session – what a nightmare .

bidding has ended for this item

If you cannot view the above – Bidding for this item has ended on e-Bay

But the person also give some more information as outlined below:

bidding has ended for this item

If you cannot view the above – 25m people’s personal data leaked – find it on e-Bay

Timeline of the disaster

Date it happened days passed # days since day 0 description of event(s)
0 2 CDs are being shipped using an internal mailing system handled by TNT
16 days after 21 senior managers are told first package has been lost
2 days after 23 Gordon Brown (Prime Minister) and other ministers are briefed
2 days after 25 HMRC tell ministers that 2 CDs will probably be found
2007-11-14 Wednesday 4 days after 27 When HMRC searches fail, Metropolitan Police are called in
2007-11-16 Friday 2 days after 29 Richard Thomas, Information Commissioner (2007-11-20 he published a press release), says remedial action must be taken before public is informedBANKING INDUSTRY IS FINALLY INFORMED
2007-11-21 Friday 5 days later 34 days after day 0 HMRC Chairman Paul Gray resigns; Chancellor Alistair Darling makes announcement to House of Commons = public is being informed

Get detailed timeline of UK’s data security breach regarding Child Benefits data

You can view a nice TV segment about this disaster from BBC here:

2007-11-20-BBC 2 Newsnight 22:30 – 6 min news segment – Inland Revenue records lost


The above has happened and should not have happened but unless some serious questions are answered and the appropriate measures taken it will happen again pretty soon with another set of data.

Answering these questions will result in set of lessons learned from this disaster.

1 Why was the Audit Office being sent these data, what were they going to do with them?

This would would answer if it was even necessary to send these data…. a basic question. Even if the Audit Office needs all of these, can the transfer not be done electronically and, most importantly, in encrypted form?

2 What checks and balances are used before these type of data can be copied onto another medium from the system by an authorized person

Apparently the system allows the copying of these data not being encrypted onto a removable medium. Should the default not be that

a data is always stored on the system whilst being encrypted

b can be copied onto another medium — however in encrypted form only , and

c copying of such high risk/confidentiality level of information can be copied only, if it has been authorized by 2 other people (counter signed) before it works, and finally,

d who copies, who counter signs etc. is all being logged and documented by the system

e arrival at the other end is also being documented in some form

3 What kind of principle-based standards regarding the work, storage and shipment of confidential data does HMCS have to follow and were these applied in this case?

Normally, security or data protection policy would require that such data must be encrypted before being saved onto any kind of removable data storage unit. And if such a policy were to exist, how are violations being tracked and followed-up in the organization?

Should there be criminal penalties for reckless disregard of procedures….? If yes, are the UK’s current laws ready to impose these? If not, this must be addressed – see below regarding European regulation that is coming our way.

Chancellor Alistair Darling said the civil servant had broken the rules by downloading the data to disc and sending it by unrecorded delivery. Nonetheless,

a why was the employee even able to download and store this massive database unencrypted on 2 CDs,

b) why was this violation of a procedure not recorded by the system and, most importantly,

c) why did this not trigger some type of alarm?

4. Was there a critical incident response system in place including a description and definition of what represents a critical incident – surely this case?
critical incident system

If you cannot see the above click on critical incident graphic

If there was a plan in place, how was the incident (i.e. CDs shipped from Washington, Tyne and Wearwith not arriving in London within 24 hours) handled…. why did it take 21 days after day 0 until senior managers were informed.

How can it be that if there is a critical incident response system in place, it takes 29 days until the BANKING INDUSTRY is informed about these lost data containing 7.25 mio child benefit recipients’ bank account details?

The above indicates that things went wrong regarding the handling of a criticla incident in several places!

5 What does this mean for the future of ID cards in the UK? Is Alistair Darling right when he says biometrically protected data would make things safer?

According to the research we have discussed previously, far from it and the UK is one country that has most certainly managed to screw things up regarding its biometric passports:

e-passports cracked 2 – German, Dutch and UK citizens beware and take care

6 How does the Data Protection Act 1998 (c. 29) deal with data breaches

Even if the UK’s Data Protection Act says lots about breaches but little about the consequences if it happens. Many European countries to not have legislation in place that addresses security breaches. The EU is considering bringing a directive:

2 data security breach regulation – data theft: will EC bring new regulation that helps citizens?

By 2007-10 the European Commission should have been forthcoming with a proposal regarding such regulation – but nothing has been published so far. The UK incident suggests that this cannot be soon enough.
Currently the UK has data protection and notification rules limited to financial services firms. Those firms have specific procedures to follow if they discover a breach with notification of officials depending on the type of information breached. But what about the government?

7 How can we help business and government agencies to make a better business case for security and data protection?3 data security breach regulation – soon we should be able to make a business case for securityAs the above suggests, approving the necessary regulation regarding data security breaches is an important first step.Naturally, data costs (Please click on the link, choice option – Login as guest – click on this link again and voila free access) as well as how much value is given to such data are all being considered when assessing risks regarding what the fall out (e.g., trust, costs, etc.) of a data security breaches would be. So far it has cost some people their jobs and may damage one or two politicians’ reputation ….. but what else?

For businesses it is clear, once such legislation has been enacted and violators must act accordingly while damaged parties can take violators to court, the costs skyrocket. CyTRAP Labs studied companies that experienced a data breach and costs for each compromised record are around Euro 200 (25 mio x 200 Euro = 5,000 mio). This a significant increase over 2006. Costs resulting from a data breach can include but are not be limited to:

– printing and postage of notification letters,

– costs of public notices in newspapers about the data breach,

– hiring a law firm to address legal issues,

– offering credit monitoring subscriptions to customers whose data have been breached,

– implementing a customer support hotline and contract call center,

– being required to pay consumers some type of compensation (e.g., TJX had to provide customers with vouchers for free merchandise) starting at 30 Euro and up
– customer defections.

IT has no direct costs other than to put subsequent preventative measures in place. Usually, these costs are borne primarily by marketing to avoid customer turnover and customer support.

How the above can work with public organizations has yet to be determined because in the UK case, it is the citizens that are paying the price for this data breach and government competence.

security incident – UK data disaster – a case for why critical incident response procedures do make a difference


For better risk management, compliance and protection – become a member of the 60% of our READERS THAT HAVE MADE SURE THEY GET A SUBSCRIPTION

advisory, zero-day exploits and regulatory intell via alert, newsletter or RSS feed

or just make your choices at CyTRAP Labs subscription portal


banking industry response to HMRC potential data compromise

HM Revenue & Customs – Child Benefit customer update


→ No CommentsTags: brought · clue · kiss · machines · quick · update · updated · updates