Data breach in Britain affects 25 million

Analysts warn of potential for massive fraud

Email|Print| Text size + By Eric Pfanner
International Herald Tribune / November 22, 2007

LONDON - Prime Minister Gordon Brown of Britain apologized yesterday for the loss of sensitive personal information on 25 million Britons, including some bank account numbers, in what analysts described as potentially the most significant privacy breach of the digital era.

The data went astray when two tax authorities' computer discs that contained information on families that receive a government financial benefit for children were lost in the mail in October. At a time of rising sensitivity about the collection and storage of personal data in government and commercial computer vaults, specialists said the news could lead to calls for tougher privacy protection laws and data handling procedures.

"This is the most horrendous example of this kind of thing that I have seen," said Mike Davis, a senior analyst at Ovum, a telecommunications and technology consulting firm.

In sheer numbers, the breach was smaller than several incidents in the United States. But the information contained on the discs that were lost in Britain last month included bank account numbers, along with names, addresses, and national insurance numbers - the British equivalent of US Social Security numbers. It also included data on almost every child under 16 in Britain.

All families with children are eligible for a weekly payment of 18.10 pounds, or $36.30, for the first child, and 12.10 pounds per additional child. Those who choose to have the money deposited directly into bank accounts must provide this information to the government.

"I profoundly regret and apologize for the inconvenience and worries that have been caused to millions of families that receive child benefits," Brown said yesterday in the House of Commons. "We have a duty to do everything that we can to protect the public."

Brown said he had ordered a review of the handling of private data by government agencies after the incident, which he said had resulted from improper procedures. The discs were apparently protected by a password, for instance, but were not encrypted. They were sent by Her Majesty's Revenue & Customs, the country's tax collection agency, to the National Audit Office via a parcel delivery company, TNT.

"In the digital age, information is ubiquitous, flowing through places it might never have been before," said Mike Maddison, head of security and privacy services at Deloitte in London. "In terms of privacy protection, expectations are certainly higher than ever before, but also the threat to information has never been more significant."

The government said a "junior" staff member was responsible for the security breach, though Paul Gray, chairman of the revenue and customs agency, resigned Tuesday, when the breach was disclosed.

But specialists on data security said there might have been systemic problems in the tax agency. Why, for instance, was a junior official allowed to download sensitive personal details on nearly half the population of Britain, put them on discs and send them out of the building?

"It sort of beggars belief how anyone could have access to that data," Simon Zimmo, commercial director for Europe, the Middle East, and Africa at SecuriData, a data security specialist. "Clearly the data in the internal environment was not being policed properly."

British Bankers Association member institutions had found no signs of unusual account activity back to Oct. 18, when the package containing the discs was sent, a spokeswoman for the group said yesterday.

But experts said the information could, in some cases, be used to commit identity theft or other financial crimes if it fell into the wrong hands. Some people, for instance, use the name of a child or part of an address as a password on a bank account, so the combination of these details might provide clues for would-be fraudsters.

"Even though there's no indication that anything illegal has happened, people might feel more secure if they changed any passwords that resemble these bits of information," said Lesley Mcleod, the spokeswoman for the bankers association.

The incident was an embarrassment to Brown's government, and particularly the chancellor of the exchequer, Alistair Darling, whose agency has also been criticized for its oversight of a troubled bank, Northern Rock. After gaining a reputation for his sound handling of the economy as the previous chancellor, or finance minister, Brown has now had to deal with several crises on his watch as prime minister.

"It all contributes to a growing loss of confidence in the government's competence," said a story in The Evening Standard, a London newspaper.

As in the case of Northern Rock, when the government guaranteed all deposits after the beginning of a run on the bank, the government has pledged that no individuals will have to bear any losses as a result of fraud relating to the security breach.

But David Cameron, the leader of the opposition Conservative Party, said in Parliament that the government had "failed in its first duty - to protect the public."

While newspapers were speculating about Darling's chances for keeping his post, Brown stood by him yesterday, saying he had done "an excellent job."

more stories like this

  • Email
  • Email
  • Print
  • Print
  • Single page
  • Single page
  • Reprints
  • Reprints
  • Share
  • Share
  • Comment
  • Comment
  • Share on DiggShare on Digg
  • Tag with Save this article
  • powered by
Your Name Your e-mail address (for return address purposes) E-mail address of recipients (separate multiple addresses with commas) Name and both e-mail fields are required.
Message (optional)
Disclaimer: does not share this information or keep it permanently, as it is for the sole purpose of sending this one time e-mail.