The UK government has released a scathing report, called the Poynter Review, criticizing Her Majesty's Revenue and Customs (HMRC), following the loss of confidential data belonging to 25 million UK citizens. The report concludes "the loss was entirely avoidable and the fact that it could happen points to serious institutional deficiencies at HMRC."
The report describes organizational insensitivity around security issues:
Operational concerns placed ahead of security risks
These concerns [about releasing large amounts of data] were not escalated to a suitably senior level within HMRC and the suggestion to remove sensitive information from the scan was thwarted by concerns over cost and resources.
[It] would appear that, as a general rule, staff below the Senior Civil Service level, prioritise operational delivery over information security in the execution of their day-to-day roles. This finding is consistent with previously-mentioned lack of awareness amongst staff of the existence of security policies.
Insecure methods of data storage and transfer
HMRC specified the medium for this download, its format and the use of a certain version of proprietary software with limited alphanumeric password protection. Given the amount of sensitive customer data on the discs and the portability of such a medium, this level of encryption was clearly insufficient to protect the information in the event that the discs were lost.
HMRC's information security and governance policies were also lacking:
Information security policy and procedure could have been stronger and better communicated
HMRC has detailed policies and guidance around information security and the release of data to third parties.... If these policies had been adhered to, it is likely that the data loss could have been prevented.
Lack of clarity in governance, accountability and communication in respect of data guardianship
One of the problems faced by the HMRC staff involved was that there was no clearly assigned data owner or guardian from which to seek this authorisation.... The fact that no senior HMRC official was involved in the events leading to the data loss raises serious questions of governance and accountability....
[I]t is highly unlikely that the discs would have been permitted to leave HMRC premises in March without the authority of the data guardian, nor would a properly trained data guardian have permitted the use of internal post for the October transfer....
Authority requirements and accountability for decisions relating to data transfer are neither well defined nor understood within HMRC. Staff neither sought nor believed they should have sought authority for the removal or removal method of large amounts of sensitive data from HMRC.
Finally, the report discusses how the data loss was "symptomatic of a wider problem" in the organization:
- Information security, at the time of the incident, simply wasn’t a management priority;
- Even had it been a priority, HMRC’s organisational design and the governance and accountabilities underpinning it would have made it extremely difficult for it to be felt as such;
- Even with a more suitable organisational structure, the fragmentation and complexity that has accompanied the changes that HMRC has had to absorb makes information security difficult to control;
- HMRC’s information security policies were inadequate and those that they had were unduly complex and not adequately translated into guidance or training for the junior officials who needed them;
- HMRC continues to operate processes that hark back to a paper-based, rather than a digital, world; and
- Morale is low in HMRC and management needs to continue to focus on engaging with staff as the department embarks on a period of further change.
My take. The report's conclusions are not surprising, given HMRC's terrible record on IT-related security, procurement, and systems issues; HMRC is the poster child for organizational failures driving IT disaster.
The Poynter report is required reading for anyone interested in how organizational, cultural, and management conditions give rise to IT failures.