Thread: British Government Loses Private Data of 25 Million Citizens

Oops! Time to change your bank account, credit card, etc. Apparently it's the largest security breach of its kind in history.

Data breach in Britain creates potential for massive fraud

Prime Minister Gordon Brown of Britain apologized Wednesday for the loss of sensitive personal information on 25 million Britons, including some bank account numbers, in what analysts described as potentially the most significant privacy breach of the digital era.

The data went astray when two computer discs from the British tax authorities, containing information on families that receive a government financial benefit for children, were lost in the mail in October. At a time of rising sensitivity about the collection and storage of personal data in government and commercial computer vaults, experts said the news could lead to calls for tougher privacy protection laws and data handling procedures.

"This is the most horrendous example of this kind of thing that I have seen," said Mike Davis, a senior analyst at Ovum, a telecommunications and technology consulting firm.

In sheer numbers, the breach was smaller than several incidents in the United States, including a loss of records from the U.S. Department of Veterans Affairs last year, which affected the names, birth dates and social security numbers of 26.5 million former service personnel. In 2004 the Internet company AOL had 92 million e-mail addresses stolen by a former employee.

But the information contained on the discs that were lost in Britain last month included bank account numbers, along with names, addresses and national insurance numbers - the British equivalent of U.S. social security numbers. It also included data on almost every child under 16 in Britain.

All families with children are eligible for a weekly payment of £18.10, or $36.30, for the first child, and £12.10 per additional child. Those who choose to have the money deposited directly into bank accounts must provide this information to the government.

"I profoundly regret and apologize for the inconvenience and worries that have been caused to millions of families that receive child benefits," Brown said Wednesday in the House of Commons. "We have a duty to do everything that we can to protect the public."

Brown said he had ordered a review of the handling of private data by government agencies after the incident, which he said had resulted from improper procedures. The discs were apparently protected by a password, for instance, but were not encrypted. They were sent by Her Majesty's Revenue & Customs, the country's tax collection agency, to the National Audit Office via a parcel delivery company, TNT.

"In the digital age, information is ubiquitous, flowing through places it might never have been before," said Mike Maddison, head of security and privacy services at Deloitte in London "In terms of privacy protection, expectations are certainly higher than ever before, but also the threat to information has never been more significant."

The government said a "junior" staff member was responsible for the security breach, though Paul Gray, chairman of the revenue and customs agency, resigned Tuesday, when the breach was disclosed.

But experts on data security said there might have been systemic problems in the tax agency. Why, for instance, was a junior official allowed to download sensitive personal details on nearly half the population of Britain, put them on discs and send them out of the building?

"It sort of beggars belief how anyone could have access to that data," Simon Zimmo, commercial director for Europe, the Middle East and Africa at SecuriData, a data security specialist. "Clearly the data in the internal environment was not being policed properly."

A spokeswoman for the British Bankers Association said Wednesday that member institutions had found no signs of unusual account activity back to Oct. 18, when the package containing the discs was sent.

But experts said the information could, in some cases, be used to commit identity theft or other financial crimes if it fell into the wrong hands. Some people, for instance, use the name of a child or part of an address as a password on a bank account, so the combination of these details might provide clues for would-be fraudsters.

"Even though there's no indication that anything illegal has happened, people might feel more secure if they changed any passwords that resemble these bits of information," said Lesley Mcleod, the spokeswoman for the bankers association.

The incident was an embarrassment to Brown's government, and particularly the chancellor of the exchequer, Alistair Darling, whose agency has also been criticized for its oversight of a troubled bank, Northern Rock. After gaining a reputation for his sound handling of the economy as the previous chancellor, or finance minister, Brown has now had to deal with several crises on his watch as prime minister.

More at: Data breach in Britain creates potential for massive fraud - International Herald Tribune

Originally Posted by Hootad Binky

"In the digital age, information is ubiquitous, flowing through places it might never have been before," said Mike Maddison, head of security and privacy services at Deloitte in London "In terms of privacy protection, expectations are certainly higher than ever before, but also the threat to information has never been more significant."

Snail mail is not using the digital age.

We've done this today already.

It's times like this when I am gratefull that I never had any kids. I hope they write to everyone and grovel.