1. Lost in the Post
It became apparent on the 20th November that two compact discs containing the personal and financial details of some twenty-five million citizens of the United Kingdom, previously in the possession of Her Majesty's Revenue and Customs (HMRC) had been 'lost in the post', thereby giving rise to what The Independent described as "the biggest security blunder in history".
The scandal arose because one junior official at the HMRC offices at Waterview Park, Washington in Tyne and Wear had adopted the practice of sending requested Child Benefit data to the National Audit Office (NAO) in London simply by the means of copying the data onto CD and posting it to them. As the HMRC later admitted (or claimed, as we shall see later); in doing so the individual concerned acted "completely outside their job remit" and "contrary to all HMRC standing procedures" and was therefore responsible for "a colossal error".
The official concerned first did so in March of this year without any apparent problems, however in response to another request, a further package was sent on the 18th October using the courier TNT to the National Audit Office in London. When this failed to arrive a replacement package was sent on the 24th October. Although this time round it was sent using TNT's consigned service with "full track-and-trace visibility" and it duly arrived at its destination on the following morning.
The staff member concerned apparently believed that the first package might have gone missing because of the postal strike or because of an office move by the NAO and therefore kept quiet about the whole thing "hoping that it would turn up". It was therefore not until the 8th November that managers at HMRC were informed of the loss, after which they informed the Chancellor of the Exchequer on the 10th November. However the police were not called in until 15th November, and the Chancellor waited another five days before making the loss public in order to give Britain's banks "as much time as possible".
Full credit must however go to Paul Gray, Chairman of the HMRC who accepted responsibilty for the whole debacle and decided to resign. (Cynics have even suggested that it was his insistence on resigning over the issue that forced Alistair Darling to go public on the 20th.)
2. The Missing Data
The missing CD's contained details of every recipient of Child Benefit, which is a non means-tested benefit paid out in respect of every child in the United Kingdom. The discs therefore contained the names, dates of birth and National Insurance numbers of all 15.5 million children in the country, together with the names, addresses, National Insurance numbers, addresses and bank details of 9.5 million parents. Which means that every parent in the country has been put at risk of fraud and identity theft.
Although in his statement to the House of Commons on the 20th November Chancellor Darling was at pains to point out that there was no evidence the information had "found its way into the wrong hands", he advised those individuals affected to "check their bank statements for any unusual activity" whilst giving an assurance that any "innocent victims" of fraud would be compensated and that therefore no one would suffer any financial loss as a result of this unfortunate lapse. (Except of course to the extent that they were taxpayers, and might therefore ultimately foot the bill.) Darling also "admitted that it was "highly likely that there have been breaches of the Data Protection Act" which raised a laugh or two, since it was pretty bloody certain that HMRC had broken the law on data protection. (Of course, as a government department they enjoy sovereign immunity and will not therefore face prosectution.)
Of course it remains to seen whether anyone criminally inclined has actually obtained possession of the discs, which have probably fallen behind somebody's desk and are quietly gathering dust. However it has been suggested that should the data make its way into the wild, there could be a whole new generation of phishing campaigns, whereby fraudsters could now quote an account number and other details to make their initial communication more genuine, and thereby persuade individuals to reveal their passwords or PIN numbers. To make matters worse a number of children's charities warned that the data could prove "extremely useful" to paedophiles since it could enable them to pose as a child's parent.
3. The Ministry of Mayhem
HM Revenue and Customs is the relatively new super-department formed in 2005 from the merger of the Inland Revenue and the Customs and Excise. The Inland Revenue was the agency that dealt with taxes on people (both real and corporate), whilst the Customs and Excise dealt with taxes on goods and services, and one of Gordon Brown's bright ideas was to stick the two together and tack on the additional responsibility for Child Benefit, in the belief that this would result in greater efficiency (that is job cuts) and generate cost savings. However it is widely believed that this attempt to bring together two very different organisations has not been entirely succesful, as most descriptions of the current state of affairs at HMRC make frequent use of such words as 'chaos', 'meltdown', 'fiasco' etc, etc.
Under the headline 'Life inside the beleaguered HMRC' BBC News quoted one former and anonymous HMRC employee stating that "Morale is non-existent. Mistakes happen continuously. Rooms full of unopened post are not uncommon." Many blame the introduction of 'lean processing where jobs are split up into their individual parts for the sake of 'efficiency' and thus no-one has overall responsibility for any given job. Faced with hourly targets set for their part of the overall task, individuals focus on meeting those targets and pay no heed to whatever mistakes are being made because they won't be held accountable. The HMRC dismisses such claims as "exaggerated" although this doesn't explain why professional bodies such as the Institute of Chartered Accountants have also complained of the deterioration in service standards at HMRC, as in letters being left unopened for weeks on end, frequent clerical errors, etc etc.
Naturally in such an atmosphere it would be no surprise if such
small matters as data security got shunted aside. The National Audit Office had already conducted a review of security back in 2003 which had identified "serious risks" of data being intercepted and recommended that data should be encrypted, whilst the Information Commissioner, Richard Thomas had repeatedly warned the Government that its data protection procedures are not up to scratch. In July he offrered his opinion that the extent of data protection breaches in Government departments were "frankly horrifying", presumably having in mind the fact that HMRC had suffered 2,111 security breaches in the past year.
Despite having three years or more to organise encryption, the HMRC admitted that the dics were not encrypted, but did claim that the files were password protected. However the Daily Telegraph found a hacker named 'G-man' who claimed that he could crack password-protected CDs within five seconds, and in any case, a number of people came forward to claim that they regularly received confidential data from HMRC in CDs with the password written on the disc itself. What was worse was that this wasn't the first time that HMRC had lost CDs containing such personal data. It was noted that a CD containing the names, addresses, dates of birth and bank details of UBS customers was lost in the post in September 2005, whilst as recently as the 3rd November 2007 it had been reported that another CD went missing in September 2007 on its way to Standard Life's pensions department with details of 15,000 of its customers. At that time HMRC announced that it was "urgently reviewing procedures to make sure this type of incident does not happen again".
4. And things got worse
Having started off badly, things rapidly got worse when it was claimed that Alistair Darling's account of events was "inconsistent" with new information that had emerged.
Firstly Chancellor Darling originally claimed that the reason he'd waited five days before informing the country was simply because the banks wanted time to prepare. This explanation was promptly challenged by the banks in question; the British Bankers' Association (BBA) announced that they "did not ask for more time and none of our members asked for more time", whilst the Association of Payment Clearing Services (APACS) made it clear that they were told of the problem on Friday 16th November and "were given until Monday to sort it out. There was no request for a delay." Another bone of contention also emerged when it became clear that, when the Chancellor said that individuals would be compensated for any losses suffered, he meant that their bank would pay up. Britain's banks were naturally of the opinion that they should be refunded by HM Treasury, and on the 23rd November the BBA wrote to the Chancellor making just that point. Not that anyone was allowed to see the contents of the letter as, despite the BBA's request that it be published, the Treasury simply refused permission.
Secondly (and entirely coincidentally) it happened that John Bourn, the outgoing Auditor General, was giving evidence before the Public Accounts Committee on the 22nd November. Although this was nominally a secret session, the committee's chairman, Edward Leigh (Conservative) felt obliged to reveal the pertinent information that Mr Bourn had suggested that senior officials at HMRC had indeed authorised the transfer of data by CD. This claim prompted the NAO to released copies of various e-mail exchanges in an apparent attempt to prove that senior officials were not involved.
As it turned out these emails revealed that all that the NAO actually wanted was the anonymised data of child benefit recipients in order to conduct its annual audit of the HMRC's child benefit accounts, and specifically asked on the 13th March that the it did "not need address, bank or parent details in the download". However HMRC declined to do so because "it would require an extra payment to the data services provider EDS". The Daily Telegraph subsequently discovered that the extra payment involved was just £5,000. No doubt with the benefit of hindsight, all parties concerned would later have seen the expenditure this £5,000 as a very wise investment indeed.
The emails also revealed that the NAO had written to the HMRC on the 2nd October specifically telling them to ensure that the CDs were delivered "as safely as possible due to their content"; a message that was clearly not heeded by anyone at the HMRC. It was also noted emails had been copied into an individual identified only as the 'Process Owner for Child Benefit', but believed to be Nigel Jordan, an assistant director at the HMRC. This seemed to many to show that the 'Process Owner' had been involved in the decision making process. However the official line was that just because they had been copied in on the email did not mean that the recipient had actually read it, or that they were "actively involved" in the process, thereby rather missing the point that they bloody well should have been.
Apparently the Treasury were apparently extremely annoyed that the NAO had decided to publish this material, since (of course) their purpose was to demonstrate that no senior official at the NAO had any responsibilty for the scandal, and therefore passed the buck firmly to HMRC.
5. The junior official in question
Although there were various claims that civil servant at the centre of the fiasco had been suspended and now faced disciplinary action, the Public and Commercial Services Union claimed that he had not resigned and had not been suspended. Indeed according to the Daily Mail he was in hiding at a hotel somewhere in the North-East accompanied by a HMRC '24-hour minder' in order to "shield him from media pressure or criminals".
Although it had been reported that he was "a 23-year-old man", he was not named, and indeed HMRC issued dire warnings to staff at its Washington office regarding the application of the Official Secrets Act should anyone leak his name to the media. The Sunday Times however managed to track down a colleague who told them he had spoken to the individual concerned and that he was "very concerned that he is being made a scapegoat by the government", and was claiming not to have broken any guidelines simply because there weren't any. They also tracked down Nigel Jordan who refused to say anything more than "Don’t believe all you read".
The Guardian identified a Ross Anderson, the professor of security engineering at Cambridge University who was willing to point out the bleeding obvious; "The government's been trying to portray this as a bungle by a junior member of staff, but it's far more than that. The mere fact that a kid could print out all this information and put it on to a CD shows that these systems are a million miles away from where they should be." A point further emphasised when The Sunday Times found a "senior HMRC source" who told them that only "two or three" managers actually had access to the child benefit database, which meant either they downloaded the database on his behalf, or they simply gave him their password.
There are currently three inquiries being conducted, one by the HMRC themselves and another by the Metropolitan Police, whilst the government has also ordered an 'independent review' by Kieran Poynter of the accountants PriceWaterhouseCoopers. Whether any of these inquiries will result in the truth entering the public domain is another question entirely.
6. The political fallout
All this was, of course, deeply embarassing to the government, particularly as when Gordon Brown decided not have an election he explained his decision by arguing that having demonstrated his "competence" he simply wanted time to set out his "vision".
Losing supposedly confidential data relating to 40% of the nation's population hardly displayed "competence", and even the Guardian, a normally reliably pro Labour journal, could find little good to say about the government in its leader under the headline 'Another day, another disaster'. Although they did not go as far as the Shadow Home Secretary David Davis, who branded the affair as "the worst and most catastrophic loss of data in the history of humankind".
To makes matters even worse, other cases of missing discs (perhaps as many as ten) emerged together with other instances of government departments despatching data similarly containing unnecessary confidential data without worrying too much about security. Embarassment was then heaped upon embarassment when HMRC decided to send a letter to each of the seven and a half million or so families effected in order to apologise for losing the discs whilst claining they they were "likely to still be on government property". One Stuart Gray received one of these letters only to then to discover that it actually contained the details of another claimant named Karen Cromar, who once lived at his property.
And if that wasn't bad enough, when the Minister for Data Protection, Michael Wills found himself before the Joint Parliamentary Committee on Human Rights, he was forced to admit that he had only found about the missing Child Benefit discs when Darling had made his statement to the House of Commons and denied knowing anything about any other data breaches that had been reported. The Earl of Onslow then spoke for the nation when he posed the rhetorical question; "So there are lots of leaks and you know nothing about it - and you're minister for data protection?"
Of course as with all such government scandals, the accusation that the government had organised a cover-up proved just as damaging as the original scandal itself, when it became clear that the single gunman theory of a one rogue employee making a mess of things did not appear to stand up to any rigorous examination. All this has naturally undermined the position of Chancellor Darling, who was already facing criticism over his handling of the Northern Rock crisis, the recently announced changes to Capital Gains Tax and a few other things besides, and led to calls for his resignation. As Brown's right-hand man it is likely that he will soldier, although insiders claim that the whole debacle has left him "very shaken" and "very upset".
Opinion polls conducted in the wake of the scandal showed a dramatic fall in public confidence in the government and increasing levels of dissatisfaction with both Chancellor Alistair Darling and Prime Minister Brown. Indeed the whole Child Benefit Data Fiasco has been compared to Black Wednesday, that is the defining moment that has destroyed any pretence that Gordon Brown's administration possesses the capability to govern sensibly. Faced with such slurs, Jack Straw (Secretary of State for Justice and Lord Chancellor) was wheeled out onto Sunday AM to pronounce that "The idea that this an equivalent to Black Wednesday is utter nonsense", and the Secretary of State for Business, Enterprise and Regulatory Reform, John Hutton similarly appeared on television to declare that "This government is full of ideas and it is full of ambition for our country. We are not going to get distracted." Whether such proclamations have any impact on the public remains to be seen.
Of course back in the day Teflon Tony would have smiled and smiled and wheeled out his charm and pretended that the whole thing was only a minor distraction from the real business of government, but all that Calamity Brown can do is stomp his foot, lose his temper and act petulant. Of course the next election remains some distance away, but one imagines that David Cameron is very happy man indeed.
Based on reports from BBC News, The Guardian, The Times, The Daily Telegraph, The Independent in the period between the 20th and the 27th November 2007.