Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

UK data disaster – a case for why critical incident response procedures do make a difference

November 22nd, 2007 · No Comments ·

UK Government loses personal data of 25m child benefit records
Loosing these data is terrible and represents a critical incident that should have been handled systematically and much faster (e.g., took 29 days for the BANKING INDUSTRY to be informed that 7.5 mio customers account details had been compromised
We tell you more about why a critical incident response system including procedures is proper risk management

The NAO (National Audit Office) requested data from HMRC as part of its preparations for the 2007-08 audit. According to the NAO itself, the data it requested was restricted to the- child benefit number,- the recipient’s National Insurance number and- their name.This would enable the NAO to confirm the completeness and accuracy of a sample of child benefit payments.It is not clear why the junior official supplied the entire database.Credit card fraudsters could use personal data to apply for credit cards or loans. Hence, children whose personal data has gone missing could be at risk of identity fraud for many years

Threat of fraud ‘looms for years’ for the UK children whose Child Care benefit information was breached as we reported about yesterday:

CyTRAP Labs disaster monitor – 25m child benefit records are lost – 7 questions that must be answered to learn from this disaster

In fact, credit cards fraudsters could use personal data to apply for credit cards or loans. In turn, children whose personal data has gone missing could be at risk of identity theft or identity fraud for many years.

Various procedures may have failed when these data were shipped on 2 CDs – where they apparently went missing.

Chancellor Alistair Darling said the civil servant had broken the rules by downloading the data to disc and sending it by unrecorded delivery. Nonetheless,

a why was the employee even able to download and store this massive database unencrypted on 2 CDs,

b) why was this violation of a procedure not recorded by the system and, most importantly,

c) why did this not trigger some type of alarm?

We outlined what needed answering so we could learn from these mistakes to reduce the risk for a future disaster similar to this one.But besides why and how the disaster happened, a great concern is how the government employees and public administrators including the leadership handled this incident.ssss

critical incident system

If you cannot see the above get critical incident graphics

For instance, was there no procedure in place regarding what had to be done if something would go missing. To illustrate, if the recipient would not receive the CDs the next morning, what is he or she supposed to do immediately. Call TNT doing a trace, and so on.

Moreover, what would TNT have to do within what timeframe. In turn, it seems reasonable to suggest that management would have to be informed about the missing CDs immediately if they did not arrive with the delivery as scheduled. In turn, a police investigation would have to be called within 24 hours after the CD’s have gone missing (i.e. did not arrive with the delivery they were scheduled to arrive with).

Instead, it took 23 days until Prime Minister Gordon Brown was informed that the CDs had gone missing and it took him another 5 days before he asked Metropolitan Police to investigate.

Just imagine, Estonia would have used the same procedures and response mechanisms when they were attacked this April and May whereby their critical infrastructure was attacked (e.g., electronic payments by debit cards no longer worked):

7 lessons learnt from the Estonian attacks


Class 101 in criminal justice teaches one that the longer the investigators wait after a crime has happened, the less likely it will be that one finds information that is helpful in solving a case.

It is clear that mistakes have happened enforcing procedures but, as bad is that the critical incident response mechanism (if there were any) failed to work properly. In turn, too much time was wasted from day zero until the public was informed (34 days after it happened – details in Table)


This disaster will be on the radar for decades. Worst is that the fraudsters will wait until today’s children turn 18. By that time fraudsters will start applying for loans, credit cards, mobile phone contracts and other credit products using names from the Child Benefit database.

This means a blemished credit record affecting victims’ ability to get on the housing ladder, rent a flat, obtain their first credit card, obtain a loan for their first car, even open a bank account.

Gordon Brown’s has ordered security checks on all government departments to ensure data is properly protected after the loss of 25m child benefit records. While this is a step in the right direction giving the privacy commissioner (called information commissioner in the UK) the powers to carry out spot checks – a move previously rejected by ministers, it will not stop a lower-level employee to make the same mistake again in the near future unless the procedures are improved including checks and balances.

As well, the lack of proper incident handling procedures is not being resolved with spot checks either. In fact, ordering these spot checks implies that there is a gap between what the public is told about data protection and the reality – meaning these kind of data are apprently not encrypted when being stored on servers or storage mediums – why else do we need spot checks?

For information security handlers SANS has put together a list of tools (some open source) that help information security officers to deal better with security incidents.

Holiday/Family Incident Response – tons of tools and questions that must be asked when dealing with a possible critical incident regarding information protection


CyTRAP Labs Radio Show – disaster monitor – threat of fraud ‘looms for years’ in the UK


To stay informed about new trends and threats, CyTRAP Labs invites you to subscribe to our news being delivered via e-mail, daily alert, newsletter and/or RSS feed — why not benefit from the intell your colleagues already do?

advisory, zero-day exploits and regulatory intell

Stay better protected – JOIN THE 60% OF READERS of this news item WHO ARE SUBSCRIBERS


→ No CommentsTags: answered · banking · benefit · child · disaster · fraud · incident · records