Tuesday, 20 November 2007

More on the latest Government department cock-up

According to Computer World a Gartner analyst has warned that "UK banks could be forced to close the accounts of all child benefit claimants affected by an HMRC “operational failure” that resulted in the loss of 25 million records stored on discs. And if the banks were forced to take such a step because the data fell into criminal hands it could cost as much as £300m to the UK banking system... Avivah Litan, a Gartner distinguished analyst, said the data loss is especially serious because it includes bank account details, and the security and fraud detection systems for bank accounts are much less advanced than those for credit cards. “The data lost – bank account numbers, names and addresses – represents a goldmine for the thieves and is much more valuable to them than credit card numbers or taxpayer ID numbers,” said Litan. “Even the possibility of such a move will throw the UK banks into emergency response mode, and they will need to closely monitor all fund transfers out of potentially affected accounts.” Litan said the issue was especially problematic as the UK is shortly due to implement its Faster Payments initiative, which will usher in nearly immediate funds transfer.
Litan said the banks would be on high alert looking for suspicious activity related to the accounts and “at the first sign of any activity would shut down accounts.”"

The article concludes "Philip Wicks, a consultant for business and technology consultancy Morse, said: “Organisations should put in place technology controls that prevent sensitive and confidential data being copied to disks or any other devices that can be taken offsite. “If and when there is a need for data to be taken offsite, a special request should be made and granted only when assurances are given on how the data will be secured.” The lost data appears not to have been encrypted, and security specialist McAfee said the data breach was “yet another example of the danger of putting sensitive information on an easy-to-lose format such as discs and the result of internal policies not being backed up by good security practice.”"

As I was saying earlier ...

1 comment:

Anonymous said...

Operational protocol allowing this type of information to be sent via standard mail (?) on hard disks (?) unencrypted (?) seems to be the type of thing one would have to intend to do to compromise data security. Therefore, I say it's criminal negligence.