UK Government Slammed for Storage Snafu

An independent review body has slammed the U.K. Government for losing two disks containing personal information on some 25 million people.

The disks, which contained welfare information on almost half of the U.K. population, went missing last October when Her Majesty's Revenue and Customs (HMRC), which is the British equivalent of the IRS, sent them to the National Audit Office (NAO).

A report presented to the U.K. Parliament today by PricewaterhouseCoopers (PwC) hammers both organizations for what has now become arguably the worlds most spectacular storage snafu:

“The loss was entirely avoidable,” it said, adding that the data breach followed a breakdown in communications between junior officials at HMRC and the NAO. “Information security simply wasn’t a management priority as it should have been.”

The review by PwC chairman Kieran Poynter explains that more than 30 HRMC officials, from four different departments, and a number of NAO staff, played a part in the data loss, but does not identify any individuals.A number of “institutional factors” at HMRC created the environment in which the disks were lost, according to the auditor. These included “weakness in specific information policies, inadequate awareness, communication and training in information security, and a lack of clarity around the governance and accountability for data guardianship.”

The report was also scathing about HRMC’s attempts to secure data on removable media, explaining that the department relied on a proprietary software with only limited alphanumeric password protection.

“Given the amount of sensitive customer data on the disks and the portability of such a medium, the level of encryption was clearly insufficient to protect the information in the event that the disks were lost,” it said.

A report by the Independent Police Complaints Commission, also released today, heaped yet more blame on HMRC, describing its data handling processes as “woefully inadequate”.

The report revealed “the absence of a coherent strategy for mass data handling,” and found that HMRC staff were working without adequate support, training, or guidance on how to handle sensitive data.The fallout from the missing disks continues to send shock waves through Gordon Brown’s government, which faced a barrage of criticism on the floor of the U.K. Parliament today.

Chancellor Alistair Darling informed MPs that the government had already taken measures to improve its data security, and apologized unreservedly to the British public, according to the BBC.

The Chancellor also called for a “change of culture” across the British government, making security “first and foremost in people’s minds.”

These words prompted yet more ridicule from rival political parties, which pointed at the Labour government’s poor track record for losing sensitive data.

"There will be no culture change unless there is a clear understanding about the consequences of failing to respect citizens’ privacy,” said Liberal Democrat politician Chris Huhne, in a statement. "This [PwC] report was commissioned more than six months ago, yet in the last two weeks alone a Cabinet minister lost a computer, and two sets of secret documents were left on trains.Last year it was estimated that the HMRC disks, which have still not be found, could be worth up to $3 billion if they were to fall into the wrong hands.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Byte and Switch's editors directly, send us a message.