Two reports slam HMRC for data breach

The massive loss of data by HM Revenue and Customs last year was "entirely avoidable", an independent report has said, as the government confirms 155 million to be spent on data security to prevent another breach.

In October of last year, HMRC lost two discs containing child benefit records of 25 million people. Today, two major reports were released on the breach. Both agreed that the loss was avoidable and entirely HMRC's fault.

In a report commissioned by the government, Keiran Poynter of PricewaterhouseCoopers said: "The loss was entirely avoidable and the fact that it could happen points to serious institutional deficiencies at HMRC," he wrote in the report.

According to Poynter, some 30 HMRC officials across four departments as well as staff from the National Audit Office (NAO) "played some part of the story." At the time of the breach, the blame was mostly put on a junior staff member who has never been identified.

The report identified both general and specific factors which lead to the breach. In general, the HMRC had weak information security policies, poor awareness of data security, and there was a lack of clarity on accountability of data guardianship.

More specifically, Poynter looked to a precedent set in March 2007, where discs were sent in a similar fashion without redacted data as in, a full data set was sent unnecessarily. He also highlighted a failure to adhere to "single point of contact" protocol and the low priority of information security risk concerns.

Between March and October, several staff members noted that possible implications of sending large amounts of sensitive data back and forth, but their concerns were not told to high-level officials and data was not redacted over cost concerns.

Last, he cited insecure data storage transfer as a specific factor in the loss, which should come as a surprise to no one.

The Poynter report did say that HMRC had accepted the findings and had already implemented 13 of the 45 recommendations.

The Independent Police Complaints Commission (IPCC) released a separate report today, echoing Poynter's findings. This report also said the problem was institutional, and said no individual should take the blame.

"I'm absolutely satisfied that none of the blame can be attributed to any member of staff," IPCC Commissioner Gary Garland told reporters, saying employees had been trying to do their best without proper training amid ignorance about the importance of data handling.

"The real problem was the woefully inadequate data-handling systems and the muddle-through ethos," Garland said.

In response to both reports, Chancellor Alistair Darling told MPs today: "The public is entitled to expect government departments to ensure their personal details are kept safe and it is therefore essential that we do everything we can to minimise the chances of this sort of loss happening again."

He confirmed that the lost discs have never been found and added that no fraudulent activity is yet to be detected in relation to the lost data.

Darling added: "Poynter also makes a number of recommendations in relation to the way in which HMRC operates and the fragmentation and complexity of its IT systems. The organisation is already addressing these issues and will be spending 155m improving data security over the next three years."