HMRC Data loss.
Dear Sir George,
If it is so easy to burn disks at HMRC, how can we believe this was not deliberate theft from the outset? If the HMRC disks have in fact fallen into the wrong hands, whether by accident or deliberately, I suggest the data will be well abroad by now. The thieves will have had a month’s head start and it may be twenty years or more before any one person can be certain their details are not going to be misused in time by patient computer fraud experts. It would take minutes to sell copies of the data to the entire criminal cyber-world and years for the criminals to work through their various scams on the stolen data.
With two closely related families affected, and my own personal details held in several places by government agencies including HMRC, I have some issues that I have not heard yet raised.
If it is so easy for a junior official (apparently without authorisation and, as they claim, in contravention of the guidelines) to burn disks (or memory sticks) of sensitive data from a secure government computer, for official purposes but without (apparently) setting alarm bells ringing or being stopped while the copying is actually taking place, how easy is it for the same official to burn the same disks for criminal purposes?
It would seem that the very ability for anyone in HMRC to actually make and send disks is at the heart of the problem in this case. Guidelines and instructions are only words and are based on obedience and/or trust. That is no substitute for proper security like, for instance, “The copying operation you have attempted is illegal and the computer says ‘No!’ Your action has been reported to HMRC Security.” (NB You have to hold your nose while repeating this in a grating monotone.) Despite the blather of official reassurances from Downing Street, it does not appear that our personal details have so far been accorded anything like a realistic degree of modern security or protection.
Without proper security, the perpetrator would only have to claim the stuff had been “copied in good faith and foolishly sent unrecorded, and sorry it won’t happen again” in order to get away with a sacking or less, having deliberately not sent it to the correct addressee on the first occasion. The information that has been so easily copied and sent must be worth millions to criminals over the next few years, so a few hundred thousand bribe would be peanuts. Whether the official was genuinely foolish, or had been suborned, or knowing of the non-existent security, had volunteered the crime, is immaterial to the breach of security or the potential crime. The duty of care of the bosses to protect employees from their own easy temptation has also been breached.
I hope such a scenario will be investigated, and I wonder if you might wish to raise any of these points with those responsible and with those who are involved in the several inquiries?
Date Issue Raised: 21 Nov 2007
Dear Mr Hoar
Thank you for the email; I agree that the ease with which three copies were secured of this highly sensitive data raises key questions. I understand that all of this was in breach of the guidelines, so the enquiries should reveal what went wrong.
Best wishes, George Young