UK Government Loses 15 Million Private Records

bestweasel writes "The BBC reports that a UK Government department has lost discs with details of 15 million benefit recipients, including names, addresses, date of birth and bank accounts. The head of the department involved, HM Revenue & Customs, has resigned and his resignation 'was accepted because discs had been transported in breach of rules governing data protection' so someone thinks it's not a trivial matter. The Chancellor will try to evade responsibility in the House of Commons at 3.30 GMT. A similar leak of a 'mere' 15,000 records from the same department happened a month or so ago. At that time, they refused to say 'on security grounds' whether the information was encrypted." We just recently talked about Britain's consideration of legal penalties for situations like this. I imagine this incident will weigh on that decision.

25 million now...

[Sirch]

Or so says The BBC [bbc.co.uk]...

Re:25 million now...

[Slashidiot]

Aiming for the World Record of record losing!

Re:

[DaedalusHKX]

Weren't these the same idiots who just passed a law to "punish irresponsible data loss"? So I guess the rule is as always "trust us with your safety, even if we let the enemy into your house, keep waiting for us to save you, keep submitting, obey, and all will be well... we promise, you can trust us. Don't you dare do anything without permission. Trust us, we'll take care of you."

And the results, as I'm forced to keep saying... "are very very visible, and completely predictable."

Re:25 million now...

[Bloke down the pub]

Weren't these the same idiots who just passed a law to "punish irresponsible data loss"?

No, that would be Parliament. The people who lost the data were HM Customs & Revenue. These are two different bunches of idiots.

Re:

[Archtech]

"No, that would be Parliament".

True in theory. The facts of the matter are these:

1. The UK parliament consists of two houses: Commons and Lords. By constitutional convention, the Lords cannot block legislation agreed by the Commons; they can only delay it for a while and urge them to think it through.

2. Because the British constitution does not separate the legislature from the executive branch, the Prime Minister is the leader of the party with a majority in the Commons. That means that the Commons becomes

Re:

[CountBrass]

Get your facts straight. HMRC enjoy crown immunity and cannot be prosecuted.

Personally I think it was honourable of Paul Grey (HMRC's Chairman) to resign. And in sharp contrast to the reaction of the Metropolitan police chief, Blair, how's organisation murders innocent members of the public and he feels no need to resign. Or the government in general who never resign regardless of their behaviour.

Re:

[mpe]

Get your facts straight. HMRC enjoy crown immunity and cannot be prosecuted.

Even if they didn't since they are not a person it's kind of hard to put them in prison.

Personally I think it was honourable of Paul Grey (HMRC's Chairman) to resign.

It's not a good sign when doing the right thing becomes the exception rather than the rule. Wonder if he's taking good care of his P45 and UB40...

Re:25 million now...

[Black.Shuck]

Weren't these the same idiots who just passed a law to "punish irresponsible data loss"?

The data isn't lost. It's just been inadvertently shared.

Re:

[uncqual]

Loosening the tinfoil a bit... ah, there, feels much better... crawling out of basement... ah, there, the view is much clearer from up here... (but, what is that big glowing yellow/orange thing the sky - that is truly terrifying looking...)

Shutting down the ability to withdraw funds for six months for this reason would also require preventing transfers and check payments for the same supposed reason. Doing this would, by itself, probably destroy the entire economy of any modern commerce based society so

Re:

[mpe]

Obviously, they'll have to block everyone from taking money out of their bank accounts in order to ensure that the bad guys who stole the account numbers can't take money out.

IMHO part of a solution here would be to change things such that the only thing someone can do if they know the bank account details on these records is to put money into these accounts. i.e. that the information is insufficent to take money out of any accounts... Similarly that the only thing that someone can do with your National I

Re:

[imipak]

No, it's complete nonsense. What, the govt is going to shut down the economy? Do me a favour.

Re:

[Cassius Corodes]

What do you need?

Re:

[mpe]

No, the British government are considering a law to punish data loss.

Which IMHO is really the wrong approach. Far better to make the kind of information involved of little value to anyone else.
Which means rethinking the concepts of "identity" and "proof of identity". Such that knowing lots of facts about someone is of little use in impersonating them. There already appears to exist a group of people who's biographies are easily available who are not constantly plagued with impersonation.

Re:25 million now...

[ilovegeorgebush]

Indeed. I was going to post the same thing. I'm absolutely shocked they could be so careless. Apparently, it was sent via normal post, without recorded delivery. There's a full summary from the BBC on Alistair Darling's announcement here [bbc.co.uk].

Of particular interest is the fact that it was sent twice. Once again, by recorded delivery, after the initial package was lost in transit.

Re:

[Billosaur]

How can you be shocked? This is government we're talking about... doesn't matter the country. As soon as you give one group of people anywhere the power to run the whole show, they break down into three categories:

1. Power Brokers - the people who actually run things (and not necessarily having been elected to do so)
2. Bureaucrats - the paper pushers, who created the red tape that keeps anyone from actually know what's going on or where the money came from/went to
3. Grunts - the people who do the actual work, u

Re:

[bloobloo]

It WAS sent by courier.

Three times!

[Dr_Barnowl]

The first time this happened was in March - the discs were not lost, and were returned to sender after use, not that that actually makes any difference, since the data could easily have been copied.

The real WTFs here are

• That the database was being sent in it's entirety to the audit office when they only asked for a sample.
  
• That the whole data was sent when they only wanted a subset of the fields.
  
• That junior officers in the civil service have enough access to dump entire databases.
  
• That they trusted a third-party courier instead of delivering it by hand.
  
• That the files were "password protected", which is clearly code for "not encrypted properly" (probably a ZIP file..).
  

Ok, it's probably worse than that though.

Re:

[caluml]

That the files were "password protected", which is clearly code for "not encrypted properly" (probably a ZIP file..).

Although doesn't WinZip now use AES for its encryption - which is perfectly adequate for symmetric (password) encryption.

Re:

[caluml]

Replying to myself, but yes, it does. WinZip AES [winzip.com]. Better than nothing. (Assuming they used WinZip). Hope they're not meaning a "hold the Shift key down while opening the Access Database 'password'"

Re:Three times!

[Anonymous Cowpat]

no no, why would you think that the people in the UK government would be that incompetent? The files were no doubt secured with a 30 character password, with no dictionary words or contiguous number sequences, a mixture of capitals and lower-case, numbers & other characters with not a single person's mother's maiden name in sight. Obviously, with such a complicated password, it would have to be included on a post-it note with the disc so that the audit office could actually use them.

Re:

[imipak]

yeah, they think "out of band" is what happened to Brian Jones and Roger Waters...

Re:

[oliverthered]

AES is a fast algorithm, making it fast to crack the password if it wasn't long enough.

Re:

[Ed Avis]

Also - that they were sending it by post at all instead of transferring it electronically (encrypted of course)...

Re:

[Anonymous Coward]

This is 25 million people who receive child benefit, which is a small amount paid to people with children under the age of 16. So what it really means is that nearly half the population has children.

Re:

[amw]

I know such a thing would require effort, but if you were to read TFA you may notice that the loss covers _child_ benefit, not _unemployment_ benefit. Take a step forward. And then note that when the information was first lost, they simply sent a second copy ...

Re:

[imipak]

(Why, yes, I am a Randian Libertarian.)

Am I right to surmise that's another American expression with which I am unfamiliar, roughly equivalent to the contemporary British colloquial usage "twat" or "arsehole"?

Re:

[DrSkwid]

Why? To try and ensure a *minimum* of care. *ALL* children receive it, via their parents, from the state.

Let them eat cake.

Re:Three times!

[Cassius Corodes]

You are completely right sir! We shouldn't let the incompetent government near us! Lets put all our services in the hands of model corporations like Enron. They are never inefficient!

Re:

[Jaseoldboss]

half the population is "on the dole."

Receiving child benefit you mean. ie. you have at least one child.

Irrespective, I wonder how long before we can expect to see the .torrent on TPB!

Re:Three times!

[jonbryce]

Child benefit is paid to everyone who has a child regardless of how much other income they have.

Re:Three times!

[EnglishTim]

You want worse than that? Take a step back... If 25 million records were lost and the entire population of the UK is 60 million, that means darn near half the population is "on the dole."

It's Child Benefit, not 'the dole'. Child Benefit is paid to the primary carer of all children in the UK, and is not means tested. According to the article, 7.5 million families are affected, which from the figure of 25 million people, results in an average of 3.3333 people's details per family.

Re:

[johnw]

Apparently, it was sent via normal post, without recorded delivery.

Not quite - it was sent by an internal courier service, provided by TNT. It seems however that the service did not include step-by-step tracing of the package's progress and TNT don't know what they've done with it.

Had it been sent by normal post, it would make absolutely no difference whether it had been sent by Recorded Delivery or not. Recorded Delivery just gets you a signature at the point of delivery, so that if there's a dispute at a later date you can prove (up to a point) that the item arrived.

Re:

[imipak]

That's just the (obvious) tip of the iceberg. The real question is how was one person able to "download" (export) the entire contents of the database? Do the phrases "access control", "separation of privileges", "log reviews", "business rules", "sanity checks", and dare I say "access entitlement review" mean anything at all over there?!

(Obviously not yet... but I suspect a whole lot of ISOification, COBITisation and ITILement will heading their way real... soon... now. I wouldn't wish that on my worst ene

Re:

[aproposofwhat]

Poor Alistair.

He's having a shit week, what with Northern Rock potentially costing taxpayers half a billion, and now this fiasco.

How do you lose 15 million sets of personal data in the post?

Don't the government have couriers for this sort of thing?

However, I don't think he'll be doing the honourable thing and resigning - none of these second-rate ministers ever seem to take responsibility for anything done under their 'leadership'.

The only time they resign is when they're caught shagging or with suspect fin

Re:

[cliffski]

half a billion? no way more. heres what vince cable had to say:

"As we stand at present, every taxpayer in Britain has something approaching £900 of their money at stake in this small mortgage bank following the £24 billion loan (which excludes the less controversial £18 billion in deposit guarantees).

When Tony Blair was Prime Minister he was widely and rightly criticised for squandering £800 million on the Millennium Dome. This Prime Minister and this Chancellor have invested the eq

For crying out loud

[Colin Smith]

heres what vince cable had to say:

"As we stand at present, every taxpayer in Britain has something approaching £900 of their money at stake[1] in this small mortgage bank following the £24 billion loan (which excludes the less controversial £18 billion in deposit guarantees).

You and Vince Cable need to go learn where money comes from.

It's a bank loan from the central bank. Not a penny of money you have paid in tax has been given to Northern Rock. Not a penny of government borrowing has been given to Northern Rock.

[1]I'm a LibDem supporter and I don't like Fractional Reserve Banking but this is just complete bollocks. Vince clearly has no clue where this money comes from, which I find almost as worrying as the fact that the Chancellor of the Exchequer also continually refers to

Re:

[cliffski]

please explain where this money came from?

Re:

[Colin Smith]

From the pen of the governor of the Bank of England. He created the money. From nothing. By writing it down in a ledger...

Or rather, these days, he typed it into a computer screen, so literally, from his finger tips.
 

Re:

[imipak]

Enlighten me please, I thought I knew basic economics and I certainly thought it was "taxpayers money". What other sources of income has the government got? (Yes-yes, bonds and whatnot, but those bits of paper only have value because they're worth more than their face value. Where does the interest or dividend or whatever it's called come from, or rather where does the Treasury get it from?)

I understand that tax doesn't get paid into a single large government bank account, from which they have removed this

Re:

[Colin Smith]

Enlighten me please

The Bank of England simply created the money as an entry in a ledger. Then gave it to Northern Rock, they took NR's mortgages as collateral for the associated debt. This is what banks do.

They can just 'print' it of course but that's just devaluing the currency currently in circulation.

Yes, basically, that's what loans do. These £24 billion loans would be inflationary if they weren't primarily replacing already existing loans from other banks which are no longer willing to lend on the money markets.

At no point did any of this money pass through the government coffers, the taxpayer didn't contribut

Re:

[segedunum]

"As we stand at present, every taxpayer in Britain has something approaching £900 of their money at stake in this small mortgage bank following the £24 billion loan (which excludes the less controversial £18 billion in deposit guarantees).

I hear this bandied about time and again, but there is no way the BofE handed over £24 billion to Northern Rock. It doesn't have £24 billion of loose change for a start, and it isn't taxpayer's money. What will have happened is where the BofE

Re:

[Znork]

"How do you lose 15 million sets of personal data in the post?"

I dont find it the least surprising. I find it more amazing that anyone can actually believe this isnt an everyday occurance; they must never have worked in either IT or a government run organization.

The only surprising part is that a) it actually reached someone that high and b) that someone in the middle didn't immediately slap a 'national-secrets cover your ass and throw anyone blabbing in jail' order all over it. There must have been a drast

Re:

[MrAndrews]

Yes, but only 15 million of them are part of the government program to help the Russian economy [pttbt.ca]...

Re:

[keithius]

And these are the clowns I'm supposed to trust with all my personal information in their joined-up-mega-database-and-ID-card scheme?

Yes.

And this is precisely the point that needs to be made. Whenever governments start throwing around words like "central" and "database," you need to point to events like this and ask "have we fixed this sort of thing yet?"

Until the answer is a resounding (and verifiable) "YES," I'd ask my government to keep their noses out of my personal information, thank-you-very-much.

Re:25 million now...

[TheRaven64]

That was my first thought. The one good thing about this kind of disaster is that there is now a strong concrete example of why it is a bad idea to give the government any more data than they absolutely need. Whenever someone suggests a massive central database we can say 'you lost 15 million private records, why should we trust you with any more?'

Re:

[mikael]

UK population is 65 million people, with 28 million households. But, 25 million people on benefits? Half the population is below or at the poverty level? No wonder taxes are so high.

But it's fairly easy to lose that amount of data. The actual amount of information for each person could easily be stored within 256 bytes. Even uncompressed, that would only be around 6 gigabytes of data, which could be stored on a couple of DVD's, which is probably what they lost.

Re:

[Winckle]

Bloody hell, you may be ignorant of how child benefit works, but you could at least not complain about taxes in my country.

You receive child benefit if you have a child. That's it, not about being poor.

Re:

[Winckle]

Yes it is a very small amount, but increases depending on the number of children.

If you let people have a tax break, people who don't deserve it will fake it, whereas it is harder to be a benefit fraud.

yeah, it'll weigh on them

[Nursie]

And the government will give itself a nice fat getout clause so that it's immune when it loses everyone's data, but any company or individual outside the government is in trouble.

Just watch and wait.

Re:yeah, it'll weigh on them

[paeanblack]

At that time, they refused to say 'on security grounds' whether the information was encrypted.

That should read 'on job security grounds' ...

Re:

[P3NIS_CLEAVER]

Perhaps this is just a cover up for a government worker selling data to a company.

Re:

[imipak]

From what the Chancellor said in his statement, the Chair of the Revenue approached him some time ago and said he accepted full responsibility and tendered his resignation. That is highly honourable in my book, it'd be by no means impossible for him to have argued that it was a junior official, blah blah. He has correctly assumed responsibility for the organisation allowing a junior member of staff to (a) read, and (b) export or save that data.

It makes me worry about who else has access to which servers co

And they expect us to trust them...

[ditoa]

With a nationwide DNA database? Please. They can't be trusted with anything.

Re:And they expect us to trust them...

[magarity]

Ah, but with a national database of everything, the missing disks could be located with a simple search query!

Re:

[dintech]

Ah, but with a national database of everything, the missing disks could be located with a simple search query!

And one of these? [badscience.net]

15 or 25?

[kevmatic]

Hm, must be something in the English-Metric conversion, because TFA says there's 25 million lost.

Anyway, Names and phone addresses aren't really that hard to get, but to have your bank account information compromised must SUCK.

Of course, banks should require more than that to allow a withdrawal. Its a lot easier to put money into an account than to take it out.

Re:

[pev]

Hm, must be something in the English-Metric conversion

Eh? The English have been using the metric system for a very long time now - do you mean Imperial to Metric conversion?

~Pev

Re:

[profplump]

It seems unlikely that people who complain about their weight in stones being related to the beer consumption in pints, while driving their cars at the posted 60 MPH speed limited would be considered to be using the metric system.

For all practical purposes, the English are still using the Imperial (that's Imperial England mind you, so your correction is rather indistinct anyway) system, and will likely continue for the foreseeable future. In the past few years they've declared that certain types of trade go

Trust them with the national ID card program now?

[Gandalf_the_Beardy]

15,000 records for the pension provider and now somewhat like a third of all peopl in the UK sent on what appears to be unencrypted discs. When I queried this with Standard Life they said that they had no choice but to accept the data like that and that the Govt refused to encrypt it. This being the same Govt that wants to hold all of our medical records in one national database, along with all of the ID card details. For the US peope reading, the National Insurance number is synonmous with your SSN, although not of quite as much use for fraud. It's still not something that you want to allow out into the wild.

Was this data loss deliberate?

[Cheesey]

Perhaps the next thing we will hear is that we all have to register immediately on the national ID register, in order to avoid being defrauded!

Trust the Government

[Vanders]

The fact that 25million records were being sent via. post burnt on DVDs should give some idea of the level of technical competency in the public sector. Apparently they were being sent to the Audit Office, but why the Audit Office needed an off line copy of the data, and a complete copy at that, isn't addressed: no doubt some ridiculous bureaucratic idiocy that makes Brazil look sane.

The idea of burning an unencrypted copy of your sensitive data to a DVD and handing it to a random delivery company should horrify even the most incompetent sysadmin or DBA. Apparently no one in HM Customs & Revenue thought anything of it.

These are the sorts of people who want to build a massive database of all our personal details and tie them to ID cards. They tell us the data will be "perfectly safe". I wouldn't trust them to run a mail server.

Re:

[catmandi]

The audit office specifically asked that they be sent only the national insurance numbers - with ALL personal data removed. This was very clearly stated in the debare in parliament. Their requirements for the data apprear to have been in order to set up an auditing algorithm that would allow them to then go on site and inspect the records. They felt (quite fairly I would argure) that the only impartial way to set up the audit would be to pick numbers at random, without any other information about what the n

Re:

[jesterzog]

The fact that 25million records were being sent via. post burnt on DVDs should give some idea of the level of technical competency in the public sector.

Actually I'd say it's representative of the competency of large organisations in general. Just think about how easily your email address gets around once you've given it to a few companies who say they'll never disclose it. The fact that government entities tend to deal more with information about people whom the government governs, that they're not suppo

Re:

[Cheesey]

The fact that 25million records were being sent via. post burnt on DVDs should give some idea of the level of technical competency in the public sector.

I worked at a large software corporation a few years ago, and was amazed to discover that master CD images were sent to the duplication plant by courier. To this day, I do not know why. The duplication plant was owned by the same corporation and was connected to their global intranet along with the office I was working at. Sending the files electronically w

Re:

[tttonyyy]

At least the data was encrypted this time - or at least 'password protected' according to the Beeb article.

"two password protected discs" does not necessarily imply the use of encryption.

What we do know is that the individual(s) that sent the discs weren't overly concerned about the security of the data they contained. Pure speculation, but if the same individual(s) also chose the password, it probably isn't very strong either (and probably wasn't delivered to the recipient in a safe way).

Odds are its one of these:

http://www.eribium.org/wp-content/uploads/2007/01/common_passwords.txt [eribium.org] ...or at least crackable b

Re:

[MrNemesis]

Password protected? I think that's soon to become NewSpeak for "we didn't use proper encryption". Knowing what I know of some of the incredibly ridiculous levels of beauracracy inside the UK public sector (although I've never been invloved with anything outside of legal) I wouldn't be surprised if this amounted to anything as secure as a password protected zip file, with a short password at that.

But the fact that the whole fecking database went out in the mail is utterly inexcusable. This is akin to me emai

Re:

[jesterzog]

Thanks for pointing this out, which I entirely agree with. I also agree with the first response to your post, which is that it's like this all through the private sector, too. The difference is that government organisations actually have to be directly accountable to people sooner or later, and in that sense they have a much harder time. It's not really a surprise that a lot of people don't want to work for them.

Lately I've been doing IT work for a government department (in New Zealand in my case) which i

EpicRaidGet

[EmperorKagato]

Oh wow. I wonder who is behind the lost records?

Where's the Backup?

[digitaldc]

Didn't anyone learn ANYTHING from the last 5,000 years of record keeping?

Re:

[Billosaur]

Yes... destroy all the records! Leave 'em guessing!

Seriously, it's preposterous to talk of data retention strategies and forcing people to be part of national data banks when there's absolutely no talk about how you're going to make it secure. I would like to think a data center where personal data for users/citizens is kept would be run more like Fort Knox than the McDonald's Drive-Thru.

Re:

[larien]

It's marginally misleading - I read it as "lost, gone forever", but it sounds more like they sent a copy of the data to another department and it disappeared somewhere in the post.

Not quite as bad, but still very careless and possibly in violation of data security laws.

This give us hope

[owlnation]

We've been heading towards the totalitarian Peoples Democratic Republic of (formerly Great) Britain for some time now. This kind of thing is actually encouraging.

In a country where you are watched by security camera most of the day, and can be detained without charge for longer than anywhere on Earth, it is reassuring to note that the UK Government is so incredibly incompetent that there will always be a way to escape. No need for tunnels, gliders, or under the floor of a Trabant -- it should be pretty much possible to just walk through the border with a library card altered in crayon.

Re:

[MadMidnightBomber]

"If you want a vision of the future, imagine Brazil (the film) run by Dilbert's boss - forever."

Those who ignore history....

[southpolesammy]

Sure glad that this has never happened before... [slashdot.org]

I wonder how they'll ever figure out how to punish the offenders.... [slashdot.org]

Offering 100,000 - 1 odds it was clear text

[lena_10326]

At that time, they refused to say 'on security grounds' whether the information was encrypted.

Then it wasn't. If it had, the first thing out of their mouths would have been "relax, it was all encrypted".

Re:Offering 100,000 - 1 odds it was clear text

[Zelos]

Exactly - all they'd have to say is "it's encrypted using AES-256/whatever, everyone whose details are on the disk will be dead by the time it's decrypted".

Although, considering that the government is using the time taken to break decryption as an excuse to raise the time they can hold 'terrorists' without charge, they probably want to avoid mentioning that.

Re:Offering 100,000 - 1 odds it was clear text

[TheRaven64]

- STOP BUGGERING ME!!

I strongly suspect that this doesn't mean what you think it means...

Of course

[Zelos]

This is from the bureaucracy that thought putting confidential personal details in a public folder on a web server was secure as long as they didn't tell anyone they were there:

http://www.channel4.com/news/articles/society/health/exclusive+junior+doctors+details+exposed+online/469137 [channel4.com]

and that's currently £6.2bn over budget on implementing a medical record database:

http://www.theregister.co.uk/2006/06/16/nhsit_budget_overrun/ [theregister.co.uk]

Why are UK government IT projects always doomed to failure?

Re:

[RegularFry]

Why are UK government IT projects always doomed to failure?

Because civil servants have no idea how to protect themselves from getting shafted by software suppliers, and no financial incentive to learn, essentially. Also, the government has an extreme aversion to suing its suppliers, so the same suppliers do the same thing every time.

Re:

[ditoa]

Because MP's are not IT project managers and they don't employ skilled IT project managers. They treat all projects as the same so you get somebody who thinks they know about computer as they once wrote an Excel macro and give them some fancy job title.

Re:

[Zelos]

Also, as I understand it they emailed each doctor a URL to their details like "http://website.gov.uk/1234.html", so by changing the 1234 you could easily find other details.

Oh please.

[Harold Halloway]

"The Chancellor will try to evade responsibility..." In what way could be held responsible? The data was copied and sent in clear breach of the agency's (and the Government's) rules. The last time I checked, it wasn't the Chancellor's responsibility to monitor personally all packages sent by Government agencies. Had the security breach happened due to actions which did NOT breach any rules then I might agree with you, however this is not the case here. Put it this way: If ministerial resignation (and that is what you are implying should happen) is to follow every breach of security then that is a green light to every ne'er-do-well and Tory malcontent working in Government to start posting confidential data left, right and centre.

Just wait till it's our DNA and Fingerprints

[MrSteveSD]

At some point, if the UK government gets its way, everyone will have their DNA and fingerprints stored in a central database. How long will it be before some backup hard drive goes missing with all the data?

Just trying to help

[ZorbaTHut]

Did they look behind the couch?

That's where I always lose things.

They might be there.

wrong, wrong, wrong

[imipak]

It wasn't the government, it was HMRC Her Majesty's Revenue and Customs - for the constitutionally challenged, this is a non-political part of the apparatus of the state. Secondly, Darling's commons statement (which I watched) included the minor detail that it's 25 million, not 15 million.

Speaking as a security professional, this is fantastic news. I seriously doubt anyone's data is really at risk (the discs are almost certainly down the back of the metaphorical sofa, not in the hands of Dr Evil.) However

Incompetent fools

[Unlikely_Hero]

Wow...I'm not surprised at all. What fools. In my own code of ethics I'm very very very lenient on just about everything in a "as long as it doesn't hurt anybody else do as you will". Yet, not only is it hurting people, but this is from someone who has made it their work to handle other people's lives in their hands.
Moron.
He should have to pay for what it takes to help these 25 million or 50 million or however many people get their lives back in order.
Himself.

No accident, these are

[unity100]

Just think, how many of similar 'data losses' have happened in the last 2 years ? and i mean 2 years, not 3, 4, 5 or 6. Discs have been in use since 1995, top level govt. organizations have been using various backup mediums even before then, yet, there is an inexplicable boom of 'record theft/loss' in the last 2 years. in u.s. a few times, in u.k., 2 times.

some sh*t is happening. so many 'coincidence' in a small time period means there are no coincidences involved.

Thankyou please to send password

[jammo]

Thankyou for responding to my the very generous proposal. The money will be put into your bank accounts very soon, but please to be sending password for this 'zip file' which you have sent. Or please to be sending me the sum of $30 for a shareware for opening this files. I await your happy response with great anticipations and to look forward to putting the monies into bank accounts. Yours, Mr Ongbgudgbu Bungongdgogi

More to this than incompetence

[CtrlShiftEsc]

Although this is a monumental cock-up, I am not that surprised. HMRC is a recent merge of two big heavyweight Government agencies - Inland Revenue and Customs and Excise. If that wasn't hard enough to deal with, during the last year or so, the Government has decided that there are too many civil servants (might well be true) but has simply decided to lay off huge numbers of employees with little consultation of forethought as to how the work would continue under the same pressures and targets. Let's not

Why refuse to tell if it was encrypted or not?

[ewhenn]

Look... It's not going to help prevent authorized access by keeping it secret.

If it's not encrypted, when the files are opened it will look like (or something really obvious):
Joe Public DOB: xx-xx-xxxx 12345 Main Street .... balh blah blah..

If it is encrypted it will look like:
982n5o39y8h5014u9m9p!#$`15235098h14n12#$!@3476bwfSFR2387rn@!#12987ksafdkjD

It doesn't take a fucking genious to figure out if a file is encrypted or not. And its not like they are going to told what alog it is encrypted with if it is encrypted. I can see no reason NOT to tell the public if the data is encrypted or not, so the public knows what kind of precautions or steps may be needed to protect their identity.

Re:

[Gandalf_the_Beardy]

Child benefit is given to *everyone* - my sister in law takes home £40k and still gets it. http://www.hmrc.gov.uk/childbenefit/index.htm [hmrc.gov.uk] so some peoples accounts will be ripe for plucking if there is enough data.

Re:

[threaded]

You mistake the UK economic system: they basically take an awful lot away in taxes and then give it back in benefits. Most UK families are in receipt of one benefit or the other. There are even people in receipt of incapacity benefit for bad acne...

Of course one can point out that if they didn't take the money, via taxes, from the hard working families in the first place they wouldn't have to give it back, as benefits, and side effects such as this data loss, fraud, etc. could never happen... Such consid

Re:

[Dr_Barnowl]

I'd lay odds that "password protected" means "password protected ZIP file", in other words, virtually unprotected, especially since there are enormous numbers of cribs in a data sample containing so many names and addresses.

The debate in parliament was using the words "encrypted" and "password protected" but at no time was the lost data ever accused of being "encrypted". This suggests that they are aware of the correct usage and that the data concerned was not encrypted using any strong algorithm.

Re:

[pev]

Knowing our government it's probably an autoexec script that ejects the CD if you don't have the password so you "can't access the files".

~Pev

Re:Listen up, Brits

[Anonymous Coward]

Not offended old bean, we were more than pleased to get rid
of that bunch of God-bothering homophobic nutjobs. Enjoy the
Turkey.

Toodle pip!

Re:

[ditoa]

He should have got his department to kill somebody, that way he could have kept his job!

Re:

[TheRaven64]

The phrase 'The Crown' is often used in British English to refer to any government departments. It's a phrase that dates back some hundreds of years to when the crown was the central symbol of authority and other parts of government only acted via powers delegated by the crown. If you read the BBC then you will see this use quite often.

And, as an Englishman, I am absolutely delighted with the crown on hearing this news. I couldn't have created a better argument about a national ID database if I'd tried.

Re:Another reason for the bank account monitoring

[jweatherley]

'How can the public sector cost our country so much and yet be so damn incompetent ?'

I think the clue is in the question.

Secure identification?

[Anonymous Brave Guy]

The solution isn't more government regulation, it's not tying the concept of identity to a couple commonly known pieces of information like date of birth or SSN.

Oh, no, I think heavy regulation is still in order. Regardless of what personal information is being kept about you, anyone with legitimate access to it has a responsibility to keep it safe.

The problem with your argument is that people simply can't remember lots of unique, strong passwords, which is why despite all these secret words and "memorable" numbers all the financial services use, they'll still talk to you when you've forgotten yours as long as you know a handful of obvious (to you) facts that i

Re:

[meringuoid]

of course Sir Humphrey would come up with some kind of solution.

Not a solution to the problem, of course - only a solution to the blame.