HMRC breach would have been avoided for just £15,000

News by Richard Thurston

The catastrophic loss of information of 25 million UK citizens last year would have been avoided if Her Majesty's Revenue and Customs had spent a maximum of £15,000 on the extraction of data, but it turned down this expenditure because information security was such a low priority, one of the breach investigators revealed today.

The massive data breach at Her Majesty's Revenue and Customs, in which the records of 25 million people were lost, could have been avoided for a maximum cost of £15,000, it emerged today.

But instead of spending the money, HMRC decided to save the cash because information security was not a priority.

The revelations were made this morning by one of the key authors of the main report into the breach, Philip Wright. Wright, a partner at PricewaterhouseCoopers, was one of the executives investigating HMRC for the report, which bore the name of PwC chairman Kieran Poynter.

The HMRC records were lost on two CDs which the department had posted to the National Audit Office in October last year. The NAO had requested just 100 records from HMRC to carry out its work, but HMRC posted the full database of 25 million.

Wright revealed that EDS - one of HMRC's IT suppliers - had quoted the department £15,000 to extract the information required. Had HMRC accepted the quote, just 100 records would have been lost. Alternatively, because of the smaller file size, the records could have been sent electronically.

Wright's team also found the majority of the NAO's demands could have been met for free by using an earlier sample of information. Another quote for extracting the information required came in at £5,000.

"It would have been possible at a cost of £15,000 to copy it, but it was felt that was a cost not worth paying because information security was not a priority," Wright said, speaking today at an event organised by Westminster Forum Projects.

Asked whether spending this money would have allowed the breach to be avoided, Wright answered: "Yes".

But he said he wasn't surprised by the breach. "They needed a shock like that to take it seriously. It was a hell of a shock," Wright said.

Wright said that 30 individuals were in some way involved in the catastrophic loss, across the IT, operations and compliance divisions.

"Any of them could have stopped it happening," he said.

The findings are hidden deep in the 103-page Poynter Review, which was published late last month.
