Public confidence shaken by data breaches

The majority of UK citizens do not trust the government with their data following the HM Revenue & Customs data breach, according to security vendor Symantec.

The personal details of 25 million people claiming or receiving child benefit were lost on two unencrypted CDs in November.

A survey of 1,000 members of the public, which was sponsored by Symantec and conducted by IPSOS Mori, found 62 percent of respondents felt that their personal data being held by government departments was at risk. The survey was conducted in the aftermath of the data breach.

"Public confidence has been shaken," said William Beer, Symantec's European security practice director. "Six out of 10 people is a sizeable majority, but I won't say the results surprised us. This is impacting people, and it's not to do with their behaviour online. With this breach, it wasn't possible to change their behaviour to improve security. If this had been a merchant or online store, people could consider not doing a transaction."

Public confidence in the government's ability to safeguard data would have been shaken further by other recent government data breaches, said Beer.

In the past week, UK government departments have admitted losing the names and addresses of thousands of citizens. The Driver and Vehicle Agency in Northern Ireland admitted to losing over 6,000 motorists' details in the post; Norfolk police admitted losing the details of dozens of prisoners; and Sefton Primary Care Trust sent the salary and pension details of thousands of its employees to four unnamed companies.

"There will be serious repercussions considering what has happened this week," said Beer. "There seems to be a continuous leakage of data."

The latest security concerns follow worries over the security of public database schemes such as the National Identity Register for the ID cards scheme, and ConnectPoint, a database that will contain details of every child in the country.

"The new databases are causing a fair amount of legitimate concern in the public's eyes," said Beer. "If the government can't manage the current data set, how will it manage more sensitive data like biometrics?"

The public does not have much confidence in corporations to guard data either, the survey found, with 61 percent of respondents saying they did not trust businesses to safeguard personal details.

Beer called for a UK data-breach notification law, which would require organisations that suffer a data breach to notify affected parties. He said the law would incentivise companies to better look after their data and that technical means were not enough to secure data.

"It's a myth that technology is a silver bullet," said Beer. "Encryption will definitely help, but there are times when you can't use it — there may be issues with keys, or passing the data set. There is a lot of focus needed on awareness [among end users of potential security problems, which is] often a challenging part of a security project. Companies have policies in place and technology in place, but the weak link is the individual."