British Government Leaks Bank Details of 25 Million

The British government has admitted losing a compact disc containing the personal details of 25 million people. The scandal has led to concerns that criminals could use the information for identity fraud or to access online bank accounts.

The disc, which contains details of every family receiving child benefit (a form of social security paid for all children), was produced by a junior official at Her Majesty's Revenue and Customs (HMRC), the British tax department.

The official put two passwords on the disc, but did not encrypt the information. They then sent the disc to another government office through an internal courier service which did not use any tracking or registration. The disc, sent on 18 October, is still missing.

The database copied onto the disc includes the name, address, date of birth and national insurance number (equivalent to social security number) for every person receiving the benefit. It also contains the bank details for everyone who receives the benefit by bank transfer.

Opposition politician Vince Cable said such confidential information should never have been sent in such a way. ""Why does HMRC still use CDs for data transmission in this day and age? The ancient museum pieces it is currently using for computing must be replaced." (Source: BBC.co.uk)

Brian Spector, an expert in data protection, said "It is staggering that an organisation responsible for the data of over 25 million child benefit claimants is still copying data onto CDs and not ensuring its full protection through encryption techniques." (Source: vnunet.com)

Banking chiefs have retorted that even if somebody got hold of the CDs and cracked the passwords, the discs don't contain enough information to access most bank accounts.

Still, they warned that anyone who uses a child's name or birthday as a password or PIN code for an on-line account should consider changing it. They also warned that the information could be used for fraudulently setting up new financial agreements, such as cell phone accounts. (Source: Apacs.co.uk)

So far there has been no evidence that the CDs have fallen into criminal hands. But, the incident is a perfect example of why unencrypted removable media is such an inadequate way to transmit confidential information.