The National Audit Office has released the email trail showing how two discs containing records of 25 million child benefit recipients has been lost by HM Revenue and Customs.
The collection of emails, letters and other documents - now published on their website - shows that the road to the data breach began in March when the NAO first requested data sets for an audit. It also confirms that cost concerns limited the ability to screen personal details from the data, shows that the discs were password protected, and suggests that senior managers did indeed have oversight.
In a November letter to the HMRC, Caroline Mawhood, the assistant auditor general, explained that the emails regarding the transfers of data in March and again in October were indeed sent by a junior HMRC manager, but said that the message was copied to the Process Owner for Child Benefit - a senior manager.
In March, two discs containing records were sent via internal post, arriving safely. But heavily-redacted emails, marked confidential, have shown that the junior manager sending the data was reluctant to do so in the filtered form requested by the NAO, because of a fear of charges from their data management firm, EDS.
In the first email, dated 13 March, a junior manager wrote: "I must stress we must make use of data we hold and not over-burden the business by asking them to run additional data scans/filters that may incur a cost to the department."
In a reply, the NAO official requests that address, bank and parent details be removed, not for security reasons but in order to make the file smaller. Throughout the emails, the use of CD discs to send the records is assumed.
The first set of discs arrived safely, and the NAO carried out its audit and returned the discs in April. Months later, however, the process was repeated with different results.
On 2 October, a NAO official again requested data sets, and noted: "Last time we had a 100 zipped files on 2 CDs. Please could you ensure that the CDs are delivered to NAO as safely as possible due to their content."
The next message, from the HMRC to the NAO, asked the recipient of the CDs to call when they had arrived, in order to receive the passwords for the discs. This confirms that the discs were indeed guarded by a password, and that contrary to some concerns, were sent separately from the mailed discs.
In a briefing note created for the chancellor, the NAO said they contacted HMRC on 24 October saying the discs had not arrived and requesting a second set be sent. The second set arrived, but the first set was still missing.
Complicating matters, the NAO moved offices over three weekends on 3 November, as did the HMRC audit team.
The HMRC contacted the NAO on 8 November, prompting a search of the expected route of delivery and an email to staff asking if they'd seen the package. Several subsequent searches have happened, but the discs remain missing.
The NAO also released a document explaining that they had requested the data for auditing purposes. A Second Director, whose name has been redacted, said he or she should have better communicated with the HMRC about how the data was to be used, and how the NAO might better be able to "sample" the child benefit data.
The director added: "We do take seriously our data protection responsibilities and I recognise that the security incident that has arisen here has occurred solely as a result of a data request that we initiated; and I accept responsibility for that."
-
The IT industry’s shift to circular, low-carbon solutionsMaximize your hardware investment and reach your sustainability goals with HP’s Renew Solutions
-
Lenovo ThinkPad X9 14 Aura Edition reviewReviews This thin and light ultraportable will draw you in with its vibrant screen – but it isn't as powerful as some of its competitors
-
Podcast transcript: Why is email still a thing?IT Pro Podcast Read the full transcript for this episode of the IT Pro Podcast
-
The IT Pro Podcast: Why is email still a thing?IT Pro Podcast Despite a proliferation of newer collaboration platforms, email stubbornly refuses to go away
-
Cisco patches bug that could break its email security service with a single messageNews A carefully crafted email could freeze Cisco's Email Security Appliance interface and stop it processing messages
-
Google targets phishing with full BIMI email logo authentication supportNews Gmail will tie logos to DMARC authentication
-
How to sign off an email professionallyTutorials Your email signoff can make or break your business’ communication
-
Flash flooding takes down TalkTalk web servicesNews Midlands floods leave customers angry at TalkTalk outage
-
Outlook and Hotmail email accounts hit by spam attackNews Users were bombarded by spam emails apparently because Microsoft's spam filters weren't working properly
-
Google pulls April Fools' Day prank after barrage of complaintsNews Many users accidentally pressed the 'Send + Mic Drop' button in emails to bosses and business contacts
