Britain hit with huge privacy breach

Data discs on 25 million lost through mishandling

November 22, 2007|By New York Times News Service

LONDON -- The British government struggled yesterday to explain its loss of computer discs containing detailed personal information on 25 million Britons, including an unknown number of bank account identifiers, in what analysts described as potentially the most significant privacy breach of the digital era.

It has defended its decision not to reveal the loss until Tuesday, 10 days after it had been informed, saying banks had asked for time to put heightened security measures in place first.

The data went astray in October, after two computer discs that contained information on families that receive government benefits for children were sent out from a government tax agency unregistered, via private delivery service.

The episode is one of three this year in which the agency improperly handled its vast archive of personal data, according to an account by the chancellor of the exchequer - including the sending of a second set of discs when the first did not arrive.

In sheer numbers, the breach was smaller than several incidents in the United States over the past few years. But the discs lost in Britain contained detailed personal information on 40 percent of the population: besides the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16.

"This particular breach would dwarf anything we've seen in the United States in terms of percentage of the population impacted," said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group based in California.

The head of the tax agency, Paul Gray, resigned Tuesday. Prime Minister Gordon Brown apologized to the nation yesterday and said he had ordered a review of the government's handling of all private data.

David Cameron, the leader of the Conservative Party, said in Parliament that the government had "failed in its first duty - to protect the public."

Bank officials said they had scrutinized their records back to Oct. 18, when the discs were mailed, but had discerned no unusual account activity, and the government pledged that no individuals would be responsible for any losses related to the security breach. British families are eligible for a weekly payment of $36.30 for their first child and $25 per additional child. Those who choose to have the money deposited directly into bank accounts must provide account information to the government.

The discs were protected by a password, the government said, but were not encrypted. They were sent by Her Majesty's Revenue and Customs, the country's tax collection agency, to the National Audit Office, which monitors government spending, via a parcel delivery company, TNT.

According to the chancellor of the exchequer, Alistair Darling, who delivered a lengthy explanation to the House of Commons Tuesday, a "junior" staff member sent out the discs. Three weeks later, the tax agency's managers were informed that the discs had not arrived.

Darling said he was told of the problem two days later, but first had law enforcement officials hunt for the discs and then alerted banks.

Yesterday, a spokeswoman for the British Bankers Association, Lesley McLeod, said that the group had been informed only Friday and that its security measures had been completed by Monday.

Darling noted two other instances in which the tax agency had sent sensitive information to the National Audit Office that were not in keeping with security rules: in March this year and then in October, when the audit office first told the tax agency the two discs had not arrived.

Baltimore Sun Articles
|
|
|
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.