
Reports in full: HMRC and MoD data breaches

News analysis: The damning findings and recommendations
Written by Nick Heath, Contributor

Three separate investigations have looked into HM Revenue & Customs' loss of 25 million people's personal details on 18 October last year.

These were a management and process review by chairman of PricewaterhouseCoopers Kieran Poynter, a review of staff by the Independent Police Complaints Commission (IPCC) and an unsuccessful search to recover the missing CDs by the Metropolitan Police Service.

Both the Poynter and IPCC reviews published their damning findings on Wednesday. A separate review of the Ministry of Defence's loss of 600,000 people's details and wider issues regarding data security at the ministry was held by Sir Edmund Burton.

A summary of the findings of all three reports can be accessed below:

The Poynter Review

The Poynter Review looked at changes to institutional management structures necessary to significantly improve HM Revenue & Customs' (HMRC) data handling performance in light of the data losses.

The inquiry focused on two separate National Audit Office (NAO) audits of the department's £10bn expenditure on child benefit, which took place between December 2006 and March 2007 and between September and October 2007.

It was during the second audit, on 18 October, that the two CDs containing the personal details of 25 million people claiming child benefits went missing.

The report's findings were:

  • More than 30 officials from four HMRC departments and a number of NAO staff played some part in the data loss.
  • Events were a result of "an unfortunate catalogue of interlocking factors" and not malice, disregard for policy or procedure.
  • Institutional deficiencies, not individual staff members, were to blame.
  • The fragmentation of the 650 computer systems was identified as one of the fundamental problems afflicting HMRC. It found that systems such as PAYE, National Insurance, Child Benefit and Tax Credits are operating as separate systems, each with its own individual customer record. The constant need to bring information together from these systems increases the security risk. Problems of this nature arose out of the merger of the Inland Revenue (IR) and Her Majesty's Customs and Excise (HMCE).
  • Large amounts of data are transferred around HMRC without regard to risk and security. Instances included several thousand records being sent by unencrypted email and transfers of large amounts of data on discs to other departments such as the Department for Work and Pensions.
  • Security risk was not a priority - with holes in risk assessment capabilities, poor command structure and lack of security staff.
  • Information security policies were too complicated for staff to navigate. The biggest gaps were in guidance on encryption and setting an audit trail for data transfers.
  • Widespread lack of awareness and training for staff on information security and no clear data guardian at the time of the loss.
  • HMRC continues to operate processes that hark back to a paper-based rather than digital world.
  • Morale is low in HMRC and management needs to focus on engaging with staff.
  • The October loss saw two serious breaches of policy, relating to the lack of authorisation for disclosure of the full data and its being sent via untraceable internal mail.
  • No appropriate authorisation sought or obtained for the release of the data in October.

Recommendations:

The report has made 45 recommendations, 26 of which it says the HMRC is making progress on, and 13 of which have been implemented.
It recommends:

  • HMRC holds the minimum necessary data for the minimum period.
  • HMRC moves to having single customer records across all systems.
  • HMRC begins to communicate with customers via email instead of paper.
  • HMRC phases out data transfers using physical media.
  • All computers and, in the short term, portable media should be encrypted.
  • All incoming post should be scanned and distributed digitally.

Changes:

HMRC says it has made widespread changes on the back of the report including:

  • Removing the ability of all staff to save data to portable media such as CDs and memory sticks.
  • Stopping all bulk data transfers that are not "business critical".
  • Restrictions on the bulk transfer of sensitive information, conforming to new cross government rules on the encryption of personal data.
  • Issuing every staff member with new data security rules written in "plain English".
  • Mandatory data security training for all staff.
  • Appointing Data Guardians across the department.
  • A new management structure that gives much clearer lines of accountabilities.
  • It also wants to work towards a single customer record, phasing out physical data transfers and working to eliminate paper records.

Independent Police Complaints Commission (IPCC) report

The IPCC was looking into events leading up to the loss of data and considering whether any criminal conduct or disciplinary offences had been committed by HM Revenue & Customs (HMRC) staff.

The report's findings were:

  • Processes for data handling at HMRC's offices in Washington in Tyne and Wear were "woefully inadequate".
  • Individual members of staff were not to blame for losing the missing Child Benefit data CDs.
  • There were failures in institutional practices and procedures concerning the handling of data.
  • It identified an absence of a coherent strategy for mass data handling and "less than effective" practices and procedures.
  • A complete lack of any meaningful computer systems, a lack of understanding of the importance of data handling and a 'muddle through' ethos.
  • Staff prioritised getting the data to the National Audit Office over the appropriate security measures.
  • Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately.
  • Staff lacked understanding of how to protect data at the highest level.
  • An HMRC internal review of data procedures at the time of the event, which could have prevented the data loss, was given a low priority.
  • No attempt was made to check on whether the data transfer in October had been authorised or the password or encryption protection of the data during transfer.
  • It says that many reforms have taken place at HMRC and are continuing as improvements are rolled out across the department.
  • It referred its findings to the information commissioner.
  • Reluctance by HMRC staff to trim down the full amount of data contributed to the loss.
  • It found no visible management of data security at any level.
  • There was a lack of appreciation of data protection principles in the act.

Recommendations:

  • HMRC should review the security controls and protocols associated with generating large volumes of data, and the subsequent handling of that data.
  • HMRC should develop a data security strategy, training strategy and communication strategy for all HMRC staff to raise awareness and understanding of data protection and data security.
  • HMRC should take steps to ensure it complies with the requirements of the Data Protection Act at all times.
  • HMRC should report any breaches of security promptly, something that did not occur in this case.

Burton Review

Chairman of the Information Assurance Advisory Council Sir Edmund Burton looked into the theft on 9 January 2008 of a Ministry of Defence (MoD) laptop containing the personal details of 600,000 armed forces recruits and potential recruits and considered the broader MoD approach to data security.

The report's findings were:

  • The report is highly critical of the department's general treatment of information, lack of awareness of the threats to data and of the requirements of data protection legislation.
  • Both the Royal Navy and Royal Air Force versions of the Training Administration and Financial Management Information System (TAFMIS) recruitment system were unencrypted at the time of the loss.
  • An earlier attempt to encrypt the system through an upgrade was successful for most of the system apart from 55 TAFMIS laptops containing the Royal Navy/Royal Air Force recruit database.
  • The review was unable to pinpoint why these 55 laptops were not encrypted and why those using the system falsely believed they were.
  • For periods in 2006 and 2007 the 55 unencrypted laptops were being used in breach of MoD laptop encryption security policy.
  • In certain respects the TAFMIS system is still in breach of data protection regulations.
  • The laptop stolen on 9 January is one of 51 TAFMIS laptops with 600,000 people's details on them. The report found there was "no robust reason for so much personal data to be carried around on laptops by recruiting officers".
  • A total of 10 MoD laptops were stolen or lost, including the one on 9 January, since 2003, at least five of which were unencrypted.
  • These included a Royal Navy laptop stolen in Bristol in August 2004 and an RAF laptop stolen in Leeds in July 2006, both containing a subset of the 600,000 people's details on the 9 January laptop. A Royal Navy laptop was also stolen in Manchester in October 2006 and an Army laptop was stolen from a recruiting office in Edinburgh in 2005.
  • Such data loss incidents cause significant operational and reputation damage.
  • A substantial proportion of cases in the 600,000 records included limited information about next of kin and contact details for referees, and 1,000 of the records dated back to 1977.
  • Aspects of the TAFMIS project were poorly managed both by the Army Recruiting and Training Division internal project manager and by contractor EDS, and the chief of general staff has ordered an inquiry into this.
  • There is a shortage of IT expertise across government and its private-sector contractors, posing a significant risk to the MoD.
  • MoD data security policies and procedures are generally fit for purpose. Examples were measures introduced after the loss, which were effective in preventing similar damaging losses.
  • Burton made 51 recommendations and the MoD has prepared an action plan to implement them.

Recommendations:

  • Increase individual and collective awareness of legal liabilities.
  • Introduce risks and mitigation procedures.
  • Keep data on any particular systems to a minimum.
  • Adopt a disciplined approach to carrying data on mobile devices.
  • Put the strongest feasible encryption on data.
  • Ensure effective audit and compliance procedures.
  • Focus on training to raise awareness and compliance.

Changes:

  • The MoD took immediate steps to bring the TAFMIS system into compliance with the Data Protection Act.
  • Introduced an enforced policy on the sharing of personal data outside the MoD.
  • Controlled access to personal data, reported and dealt with all IT equipment losses.
  • Set out the importance of record management for staff and contractors.
  • Implemented a data retention policy that complies with the Data Protection Act.
  • Introduced new personal data management and system security procedures.
  • Retained only the minimum amount of information necessary and reviewed potential risks to information regularly.