HMRC data loss recalled one year on

News by Dan Raywood

The 21st November marks the first anniversary of the HMRC data loss.

The 21st November marks the first anniversary of the HMRC data loss.


Setting a benchmark for data loss in 2008, the loss of two CD-ROMs and the reported details of 25 million people, has led to huge change in the security industry.


One year on from the incident, the government has revealed that it has suffered an average of one data breach per week since then. Research by CPP found that six in ten Britons have been put at risk of ID theft by their employers' lax approach to data security.


As a result, British workers are calling for their bosses to be punished for data breaches – four in ten want companies to be fined and more than a fifth want employers imprisoned for repeat offences.


Michael Lynch, ID theft expert from life assistance company CPP said: “The number of government departments holding our personal data is growing. This can put us at greater risk of identity theft as the potential for security breaches and subsequent loss of personal data increases – regardless of how careful we are with our details.


“Questions need to be answered as to what HMRC have done in the intervening year to prevent a similar breach. It is becoming too frequent that negligence is putting members of the public at risk from fraud.


“ID theft is now a real concern for British workers and we are at greater risk than ever before. Consumers need to consider their options to guard against this, such as taking out identity protection, but they should also push for change to ensure that government departments toughen up their act. The time for complacency is over – there can't be a weak link in the chain.”


Paula Barrett, partner at Eversheds, believes that upcoming legislation could see changes enforced that will aim to prevent data loss.


Barrett comments: “One year on from the HMRC data breach the lessons are still being learnt. In a recent report the Information Commissioner's Office (ICO) revealed there were 176 data breaches in the public sector in the last year, twice as many data losses than the private sector, which clocked up just 80 reported cases. A breakdown of the public sector cases revealed that 75 were in the health sector, 28 by central government and 26 by local authorities.


“The Data Handling Review is but one component of the response from Government. It is an enormous exercise to implement, not least because at its heart is the need for a cultural change. New standards are being drawn up within government and implementing them through the root and branches of government will be an ongoing task.


“There is no overnight fix to this. Organisational and technical changes are needed but so too is widespread raising of the awareness of what those standards are. This is not something that can be implemented by information assurance personnel alone, buy-in has to come across the department. Accountability is therefore also a key element."

Proposed legislative changes are currently being discussed and will include a requirement to report serious breaches, which some experts feel may not necessarily be a positive step. Experience from countries where is has been implemented, such as the US, show that this can create a plethora of reporting which does little to improve security.

Barrett said: 
“The number of reported breaches are only the thin end of the wedge, others are going under the radar and this may well be set to change. Some of the proposed legislative changes being discussed include a requirement to report serious breaches and this may not necessarily be a positive step. The experience from countries such as the US is that this can create a plethora of reporting which does little to improve security.


“Await with interest the content of the Queen's speech in a few weeks time. Legislation is already enacted which gives the ICO the ability to levy fines in the event of serious breaches but the unknown is how significant the fines will be. The ICO has been lobbying for equivalent powers to the FSA to fine up to ten per cent turnover. Other suggestions have been made to create a greater sense of accountability amongst the public and private sector, as well as higher notification fees to help fund greater enforcement action.”


A survey by Logica revealed that companies are still failing to report data security breaches to clients, as 60 per cent of those who experienced a data breach, did not tell their clients and half failed to tell the police or authorities.


Surveying 300 public and private sector organisations over the last two months, it showed that more than half (57 per cent) of those surveyed, have ‘no idea' or understanding of the impact of a security breach on their business or organisation.


A continued lack of engagement with the issue is evident, with just 16 per cent of firms having a ‘value at risk' profile for information assets it owns/controls; with half of respondents believing that security is solely an IT departmental issue.


Dave Martin, security consultant at Logica, commented: “Data losses put customers at risk and can lead to large contracts being withdrawn. With some organisations failing to disclose security breaches, this complacent attitude not only increases the likelihood of financial and reputational consequences but also highlights the inadequate security policies and protocols that UK organisations have in place.


“It is time to take action – it should be mandatory for all organisations to report significant breaches of confidential personal information to the Information Commissioner or their regulatory body. Only through mandatory reporting will the scale of the problem be understood, which will lead to the correct solutions being applied.” 


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews