Capita takes the blame for tax security lapse
Summary: A Labour councillor is demanding an inquiry after an IT upgrade exposed the details of Lambeth council tax payers
IT services company Capita has apologised for the "regrettable error" that saw the personal information and credit card details of local residents in Lambeth, London, emailed as plain text.
One member of Lambeth Council has called for an inquiry into the incident, which was first reported by ZDNet UK on Tuesday. Capita is still refusing to reveal how many residents were affected by the glitch, which affected Lambeth's online council tax system.
The incident took place last week and only came to light after an alert council tax payer in Lambeth warned the council of the problem.
According to a statement issued by Capita on Wednesday, the incident "was caused by a member of Capita staff who, during a complex software upgrade, omitted to activate the encryption code which masks certain customer details". As a result, the details appeared in plain text in the emails sent to confirm payment and could be seen by anyone who intercepted those emails.
"Lambeth Council and Capita apologise for this regrettable but isolated error," said Capita in a statement. This "affected a small number of citizens", Capita added, without revealing how many had been affected.
The mistake is particularly serious, given the risks posed by ID theft today. Capita insisted that it was "an isolated error that has never occurred before" and said it has "reviewed its processes and staff training to mitigate such a situation recurring".
Capita also said that it "took prompt action to rectify the error within 48 hours", but did not explain why it took two days to rectify the mistake.
"This is quite clearly unacceptable," said Councillor Daniel Sabbagh, the finance spokesman for the opposition Labour Party in Lambeth. "We will be asking for further information, and demanding a full inquiry to ensure that no resident has lost out as a result of this security breach."
On Tuesday, a Lambeth Council spokeswoman said that it was "unacceptable for this information to be displayed [in this way]".
Talkback
I am always amazed when outsourcing companies are quoted as saying that the issue was down to an error on the part of a single person. The whole point of outsourcing service delivery is that it should provide a competent and safe pair of hands for running the service to good industry practices and against the framework of a decent security policy.
What happened to the processes that provide the checks to stop something like this happening and why did they fail?
Why was the encryption of personal data switched off in the first place? Do we infer that live data which had not been made anonymous was being used in testing?
And since "we" (our decision makers) keep repeating the same old mistakes and never really learn from the past (why should they? no real liability, remember? comes with having no clue) the only signal we're sending out is: please milk me more, oh, slap me again, master. How strange that markets react to that.
Sigh.
In order to change behaviour you need to change attitude and that requires intervention with the right stimulation (countering unwanted motivating factors).
Education also helps but some people seem to have turned such a blind eye that teaching sign language and such might be in order.