Two weeks ago, I raised serious questions about IT governance at the UK's HM Revenue & Customs (HMRC). At that time, the agency had lost a CD containing private information belonging to 15,000 people in the UK. Today, the agency acknowledged a far worse situation: two computer discs containing 25 million personal records have also disappeared. These discs hold the personal information of every family in the UK with a child under 16 years of age. As a result of this breach, HMRC Chairman Paul Gray has resigned.
The BBC offers details on this incident:
[Chancellor of the Exchequer Alistair Darling] told MPs: "Two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's internal post system operated by the courier TNT.
The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO."
This situation is remarkably similar to the previous HMRC security breach, in which another data CD was lost. In both cases, sensitive, unencrypted data was sent via ordinary courier, with no special precautions. What's truly remarkable is that the agency appears to have taken no remedial security steps following the previous incident. It's also astonishing that the agency relies on such an unreliable courier service.
According to Times Online, the agency has suffered numerous IT, administrative, and data security issues over the last few years:
October 2007. A laptop containing data on up to 2,000 people with investment ISAs is stolen. In parliamentary answers, ministers reveal that 41 laptops were stolen from HMRC in the past 12 months.
September 2007. A CD containing names, national insurance numbers, dates of birth and pension data of about 15,000 Standard Life customers goes missing. The data was lost en route from the Revenue office in Newcastle to the company's headquarters in Edinburgh.
May 2007. HMRC is forced to extend the self-assessment filing deadline to 28 May and mitigate penalties for late filing, after tax agents complain that the online service is so slow that the only way to file a return is at 4am or at weekends.
May 2007. The Parliamentary Accounts Committee reports again on the tax credit system. The committee says £5.8 billion was overpaid to claimants in the first three years of the current tax credits scheme, due to administrative errors by HMRC.
December 2006. A National Audit Office report indicates that 5.7 million taxpayers may not be paying the right amount of tax because they are using the wrong tax code. HMRC estimates that taxpayers have overpaid around £500 million via PAYE, and that £1 billion of tax may have been underpaid.
January 2006. HMRC apologises to 10,000 firms after fining them at least £400 each by mistake, because of a basic flaw in the design of the automatic systems that issue penalty notices.
May 2002. Ten months after its launch, the Inland Revenue's self-assessment online tax returns service suffers a major security breach when taxpayers filing their tax returns online are able to view each other's personal information.
It's highly unusual for a senior official to resign over an IT process and controls issue. In this case, however, the public outcry was particularly severe, most likely because the breach affects so many people across every sector of UK society. Fellow Enterprise Irregular Dennis Howlett describes the outpouring of anger:
While the government has been quick to quell fears over identity theft and possible impact on personal bank accounts, public confidence has been shattered.
The BBC opened up a comments section on its site and within 2 hours had received over 1,500 comments, as shown in the snapshot I took a few moments ago. Nearly all berated the government, which they blame for presiding over a litany of IT failures.
Why do so many government IT projects fail? Too often, there's a disconnect between the source of funding and the obligation for responsibility and control. In this case, as reported by the BBC, the "chancellor blamed mistakes by junior officials at HMRC, who he said ignored security procedures." In other words, some low-level guy didn't do what he was supposed to. Well, what about the last time, and the time before that? That's why the chairman resigned.