A major data breach in the United Kingdom could expose the personal data of more than 25 million people – nearly half the country’s population. The data relates to details about families with children, including names, dates of birth, addresses, bank account information and insurance records. The information was contained on two computer discs which were lost when they were sent to an audit office by means of an internal mail service, reportedly by a junior employee of the British Revenue and Customs Office.
The loss was disclosed to the House of Commons on Monday by British Chancellor of the Exchequer Alistair Darling – who leads Britain’s equivalent of the Treasury Department – who said the discs were sent via ordinary mail between government departments.
Larry Magid talks to British technology safety expert John Carr about the snafu at the British equivalent of the Internal Revenue Service.
Members of Parliament, according to the Times of London, “gasped as they heard the scale of the catastrophic breach of security guidelines.”
The Times says Darling, who admitted that the tax agency made the same mistake several times in the past six months, said he was informed of the security breach on Nov. 10th and four days later asked police to investigate.
The chairman of the tax agency, Paul Gray, resigned Tuesday as a result of the security snafu, which has also generated criticism of Darling in his leadership of the Treasury.
“Let us be clear about the scale of this catastrophic mistake,” George Osborne, a prominent member of the Opposition who serves as Shadow Chancellor, told The Times. “His department has compromised the security and safety of every family in the land.”
Authorities say there is no evidence that the missing discs have fallen into the hands of criminals.
Considering the percentage of the British population affected, this is an enormous data breach and, because it involves children, it’s particularly worrisome.
“This is a source of great worry on a number of different levels,” said John Carr, a British technology safety expert, in an interview with CBS News. “If the names, addresses, ages, dates of birth of all 15 million children were to get into the hands of sex offenders, for example, then who knows how they would exploit that data.”
They would certainly have a list of targets and know quite a lot about them.
Carr also worries about the banking system. “The British banking industry is almost in meltdown, because the discs also got the details of the bank accounts of all the families as well.”
This is, said Carr, “the third breach from our equivalent of your I.R.S., so there are all kinds of questions being asked about how they are handling sensitive data.”
The government, said Carr, “delayed the announcement for four days in order to give the British banking industry time to prepare for a deluge of telephone calls and inquiries from members of the public.”
One concern about losing a database with both names of family members and banking data is that family member names are often used as passwords by individuals (although, for security reasons, that is never a good idea). Carr said that the banking industry has issued a security alert recommending people immediately change any passwords associated with family member names.
Barclays Bank UK has set up a customer hotline to advise depositors about security precautions and has posted on its website a notice asking for “our customers’ understanding if this involves us asking more questions than normal to identify that a customer is who they say that they are.”
The bank’s website further reassures customers “that there is no evidence that the data is in the hands of fraudsters.” A British banking industry safety website, banksafeonline.org.uk, advises depositors to be “vigilant and follow existing security advice to help you spot and stop ID fraud being committed using your details. This includes always checking your statements, opening post and checking bills, and if you spot an unfamiliar transaction you should contact your bank, building society or service provider immediately.”
The site further states that “If you are the innocent victim of banking fraud as a result of this incident, as a UK customer, you are protected by The Banking Code, which means you should not suffer any financial loss as a consequence.”