Gallery

1. Disappearing disc act

Posted on 17 Jun 2008 at 10:41

Gaffe rating: 987

The government can't resist getting IT security wrong. However, when Chancellor of the Exchequer Alistair Darling admitted to Parliament on 20 November 2007 that HMRC had "lost" two discs containing personal information - including the bank account details of 25 million people - in the post, security breaches hit a new low.

In what has become generally accepted as the biggest single loss of personal data in the world to date, it appears the discs were sent from HMRC to the National Audit Office using a standard mailing service with no packet-tracking capability. Apparently that would have cost too much, as would have just retrieving the specific data that had been requested from the database.

As it turns out, cutting corners to save pennies has been an expensive lesson in IT-security best practice for the government. Not only did the civil servants concerned ignore departmental security policy, but they were able to do so without anyone further up the management chain preventing them.

There are so many solutions that could have avoided this idiotic breach. How about a mechanism to prevent a relatively junior employee from being able to make a copy of the Child Benefit database? How about transferring data via a secure VPN rather than the postman? Or, how about employing serious encryption to protect data being moved externally rather than entrusting your security process to a simple access password?

If all that data had been encrypted, 7.2 million families wouldn't have to worry about the potential threat of ID fraud if the (still missing) discs fall into the wrong hands. And Alistair Darling would still be best known for his funny eyebrows.

The 10 worst security gaffes

Author: Davey Winder