Wednesday, 5 December 2007

A Question of Security

A Question of SecurityThere has been much "hoo hah" in the media and parliament recently about the HMRC data loss debacle.

That is hardly surprising given that the personal security of 25 million people has been put in jeopardy for the next 20 years or so.

However, when such large numbers are involved, it is sometimes easy to forget that these security lapses affect real people with real families and real lives. It is also worth remembering that this is not the first time (or, I suspect, the last) that HMRC has placed the security of individuals at risk because of its cavalier attitude to its "customers" and their personal data.

Here is one example of lax security, sent to me by Graham:

"Mr Peter Edmondson

Complaints Manager
HM Revenue and Customs
Debt Management and Banking
Complaints and Redress
Victoria Street
Shipley
West Yorkshire
BD98 8AA

C.C. Richard Summersgill,
Director,
Tax Credit Office,
Preston,
PR1 0SB.

28 November 2007.

Reference 1 : xxxxxxxxxx
Reference 2 : SAR ref: xxxxx

Dear Sir or Madam,

I am writing to complain about a most serious occurrence. This becomes even more serious when one takes into account the current publicity about the data protection fiasco that exists not only within HMRC, but throughout Government departments as a whole.

Yesterday I received some of the data requested in my Subject Access Request of 21 October 2007, in the form of a two-inch stack of A4 sized paperwork. Sometime after sealing, the package had been opened and then deposited inside a clear polythene bag, secured with a plastic tie-wrap, by Royal Mail.

The bag contained no communication from Royal Mail that the package had been damaged in transit. The opening on the “jiffy-bag” seems to have been made with a knife or other sharp implement of some description – I believe that it is too neat to have been an accidental opening.

The package was sent by second class, untraceable, mail and the postmark was not dated. The accompanying letter had a date of 20 November 2007, and I received the package on 27 November 2007. There therefore exists the possibility that the extensive data contained within the package could have been open to scrutiny, by the unscrupulous, for several days.

Also, because I had not received an acknowledgement from HMRC to my SAR request, I did not know whether to expect this information or not – and was, in fact, about to write another complaint letter on that very subject; it seems I have been pre-empted. To make the package even more attractive to interception, the return address that was printed on the address label informed the reader that this was from the SAR department – an open invitation for prospective data thieves.

The data printouts contained in the package included:

My address, my previous addresses, my NI number, my telephone numbers, details of my employer and MY BANK DETAILS.

My current partners’ address, NI number, telephone numbers, details of employer and her BANK DETAILS.

My former wifes’ NI number, details of employer and BANK DETAILS.

It is known, although not yet widely, that both internal and external fraud are major problems at the Tax Credit Office. The details, outlined above, are sufficient to pass your current security checks when talking to HMRC Tax Credit Officials or contracted Operatives on the telephone.

HMRC, unfortunately, are in the position of being Trustees of my personal and vulnerable data. I was in the Royal Navy Submarine Service for twenty years, working on Diesel, Fleet Nuclear, Polaris and Trident submarines and know quite a lot about security, security policies and data security. I, therefore, never leave things to chance:

With immediate effect, please issue me with a new NI number.

I will be contacting my bank to ask if it is possible to issue me with a new account number. I have held this account for 33 years! I demand that any costs incurred in changing my bank account number be reimbursed by the relevant Department within HMRC.

I am not in contact with my former wife. HMRC are to inform her of this probable breach of her personal details, and the possible dangers.

My current partner will be contacting you independently.

I have contacted the Police, and they have advised me to contact Royal Mail Investigations. I shall. This, however, will only deal with the probability that my package was intercepted within the postal system. The onus of the content and the method by which it was sent will fall on HMRC.

It is also worth highlighting that this complaint has implications for every communication that HMRC send, from the simplest letter, to award notices and beyond. As the bare minimum, everything should be sent by some traceable means.

Please note that I am forwarding a copy of this letter to my MP, other influential Politicians and The Information Commissioner, as well as several newspapers. I am also the WebMaster for Tax Credit Casualties and will be publicising it to their ever-growing membership.

I will, however, remove my vulnerable details before doing so!!

Yours Sincerely
..."

I wonder how many more of these cock ups are out there, yet to be discovered?

http://www.blogger.com/www.hmrcisshite.com is brought to you by http://www.kenfrost.com/ "The Living Brand"

1 comment:

  1. I am an adviser at HMRC. I am always surprised (having worked for the MoD as a submarine weapons technician) how lax the security is at my site. The security 'guard' (who is employed by the site management contractor, not HMRC) is often absent from his desk in reception while "tailgaters" stroll in unchallenged, and cleaners (also employed by the site management contractor) wander about the place unescorted. When I bring this up I am treated as a retard first(this doesn't work as I already know this) and then as a troublemaker. The management attitude is extremely lax and pitifully trusting. This state of affairs will continue until the next security scandal which I feel cannot be far away. It's at least a week since the last one...

    ReplyDelete