HMRC loses personal data for 25 million people in the post

UK HM Revenue & Customs has lost two CDs carrying names, addresses and bank details for the entire UK child benefit database

LONDON – The chairman of the UK’s HM Revenue & Customs (HMRC), Paul Gray, resigned yesterday (November 20) after it was announced HMRC had lost the names, addresses, bank sort codes and account numbers for 25 million people.

Chancellor of the exchequer Alistair Darling – already under fire over his £24 billion Northern Rock rescue – admitted to parliament yesterday that the loss occurred over a month ago and that the government had known about the disks lost in the post since November 10.

It emerged that a junior employee sent the entire child benefit database on two CDs to the National Audit Office against all security protocol – they were then lost in the post.

UK police are making inquiries at HMRC, which does not believe the details have fallen into the hands of identity thieves. A single set of personal address and bank details could sell for £10 to £50 on the black market.

Gray – until his resignation one of the UK’s best-paid civil servants – might not have prevented political repercussions with his decision to take personal responsibility.

The impact of such lapses of security has been highlighted in recent years with high profile losses from a number of organisations, mainly in the US: “America has seen major security breaches in both the public and private sector,” says Jonathan Armstrong, partner at international law firm Eversheds. “Last year the US Department of Veterans Affairs, a government agency which deals with the payment of benefits to current and former servicemen in the US, lost data on 26.5 million people. Store group TJX, who own TK Maxx stores in the UK, also lost the bank data of more than 90 million customers. Breaches involving the loss of audit data are also not uncommon - again in the US audit firms have been involved in incidents with the loss of over 240,000 records in a single breach.”

“The effect on the banking system should also not be underestimated,” he adds. “Some of the banks whose customers were involved in the TJX breach have started proceedings to recover their losses which they put at between $68 and $83 million. It is common in the US (where a different credit system exists) to pay for credit monitoring for all of those affected in addition to the actual losses suffered.”

HMRC was created in 2005, when the Inland Revenue and Customs and Excise institutions were merged to create the largest UK government department, cutting 25,000 jobs. “The HMRC breach will undoubtedly focus attention on the security procedures of the private sector as well as Government. Now is the time for businesses to update their response plans,” says Armstrong.

The news came as a study by CA and research consultancy YouGov highlighted growing fears in the UK about identity theft and the inadequate security of consumer details.
