HMRC fiasco: Security experts predict fallout

A national ID ecosystem undermined for two generations, a rash of phishing scams and a credit crisis have been forecast by experts
Written by Julian Goldsmith, Contributor

The loss by HM Revenue & Customs of 25 million child-benefit claimant records has understandably sparked a host of reactions from security and legal experts.

Ovum principal analyst Graham Titterington encapsulated the scale of the event by saying: "This announcement is breathtaking because of the scale of the loss but not because it is a unique event. Indeed, it is the third major data leakage from HM Revenue & Customs in just three months."

Titterington continued: "If the data has fallen into the hands of identity thieves, which is unlikely, the entire national identity ecosystem is undermined for two generations. The UK government and the nation is reduced to hoping that these two CDs are languishing in a rubbish bin somewhere."

At the moment, it's difficult to predict the full implications of this disaster. Jonathan Armstrong, principal partner at law firm Eversheds, drew parallels with similar security breaches in the US last year: the loss of personal data on 26 million armed forces veterans, and retailer TJX's loss of payment-card data for more than 90 million customers.

Armstrong predicted a likely outcome of this week's revelations will be a rash of phishing scams, where fraudsters will try to trick bank details out of people already worried about the data breach.

Armstrong said: "Even if the data on the CDs [sent by an HMRC official to the National Audit Office] does not get into the hands of fraudsters, it is likely that even now a large email campaign is being planned to prey on the British public. A similar scam in Scandinavia recently led to a bank losing £800,000."

It seems one of the few organisations under-reacting to the crisis is the government itself. The best advice it can come up with is that citizens likely to be affected should keep a close eye on their bank accounts. However, credit-checking service Experian says this may not be good enough.

Helen Lord, compliance director at Experian, said: "Fraudsters are more likely to attempt to use the data to apply for new credit in their victims' names. Monitoring your bank account is no defence against this crime. Children who are between 15 and 17 years old are especially at risk. Fraudsters will wait until they turn 18 to apply for credit products in their names. That could have a catastrophic effect on their ability to get on the housing ladder, obtain a loan or even open a bank account."

It is likely banks will suffer as a result of the breach, according to Gartner analyst Avivah Litan, as they are forced to go into emergency-response mode.

Litan said: "UK banks may be forced to shut [down] the 15 million accounts [affected] and reissue new ones at an enormous cost to them and major inconvenience to customers, especially since customers typically set up automated payments and transfers. Debit cards that link to the old accounts may also have to be closed and reissued."

Even before the dust has settled, some pundits are looking at how the government needs to change its data-security policy. Security software specialist Check Point is just one security industry player to wade into the debate.

Check Point technical manager Caroline Ikomi said: "By encrypting automatically, the chances of data being intercepted for criminal purposes are far less likely. It can literally protect organisations from their own mistakes."

John Colley, former head of information security at Royal Bank of Scotland and now European managing director of the International Information Systems Security Certification Consortium, believes the solution is more about educating government employees to handle citizens' personal data with more care. The data in question was password-protected (a password on a file does not by itself guarantee that its contents were strongly encrypted), and was sent through an unsecured courier service.

Colley said: "Government must ensure information security is indoctrinated as a shared responsibility for all employees. This information was lost by people who most likely did not understand the enormity of the risk that was being taken."
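The two points raised above, Check Point's "encrypt automatically" and the distinction between a password-protected file and properly encrypted data, are easy to state but worth seeing in working code. The following is an added example written for this page, not code from HMRC, Check Point or any organisation quoted; it shows what "encrypted before it leaves the building" looks like for a bulk export: a key derived from a passphrase with PBKDF2 (written out with HMAC-SHA256 so only Go's standard library is needed), AES-256-GCM so that any tampering with the discs' contents is detected, and a file layout of salt || nonce || ciphertext. The CSV content and the passphrase are constructed for the example. Whatever the real courier arrangement, the passphrase must travel by a separate channel from the media.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen  = 16      // random per export; makes precomputed passphrase tables useless
	nonceLen = 12      // standard GCM nonce size; random per export
	kdfIters = 100_000 // work factor for PBKDF2 (assumed value for this example)
	keyLen   = 32      // AES-256
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF.
// T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(pass, salt []byte, iters, n int) []byte {
	var out []byte
	mac := hmac.New(sha256.New, pass)
	for block := uint32(1); len(out) < n; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

func gcmFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIters, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealExport encrypts a data export under a passphrase-derived key.
// Output layout: salt || nonce || AES-256-GCM ciphertext (authentication tag included).
func SealExport(passphrase string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	// Seal appends to hdr, so the header bytes stay in front of the ciphertext.
	return gcm.Seal(hdr, nonce, plaintext, nil), nil
}

// OpenExport reverses SealExport. A wrong passphrase or any modified byte
// (header or body) fails authentication and returns an error, never partial data.
func OpenExport(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag size
		return nil, errors.New("export too short to be valid")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample export; no real records.
	export := []byte("name,dob,account\nExample Child,2000-01-01,00000000\n")
	blob, err := SealExport("separate-channel-passphrase", export)
	if err != nil {
		panic(err)
	}
	blob[len(blob)-1] ^= 0x01 // simulate a tampered disc
	_, err = OpenExport("separate-channel-passphrase", blob)
	fmt.Println("tampered export rejected:", err != nil)
}
```

The property a reviewer should look for is that `OpenExport` has exactly two outcomes, the original bytes or an error; a scheme where a wrong password yields garbage, or where a flipped byte yields a slightly altered record, is "password-protected" but not what the analysts quoted here mean by encrypted.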

As far as government policy over the handling of citizens' information goes, this breach is a pretty damning indictment of the proposed ID card scheme. Protest group NO2ID has not been slow in jumping on the issue.

Phil Booth, national co-ordinator of the NO2ID anti-ID card campaign, said: "This data disaster shows up the madness behind the government's ID schemes. People had no choice about giving up that information. It makes the government the biggest identity thief of all."
