HMRC breach must act as security warning, say IT chiefs

A week on from the UK suffering its worst-ever data breach with the loss of 25 million records by HMRC, IT chiefs have warned that the security lessons of the loss should not be overlooked once the debacle disappears from public view.

Chancellor Alistair Darling has been widely castigated since he blamed a breach of internal procedures at HMRC for the loss of the records. In his address last Tuesday he told a packed Commons that a junior employee was chiefly responsible because he went against orders when he fatefully used the department’s untracked internal mail system to send password-protected discs containing a full, unencrypted copy of HMRC’s child benefit data to the NAO.

But IT chiefs have said that the incident should not be used simply to bait the government but must serve as a reminder about organisations’ ongoing security obligations and strategies while maintaining service and efficiency levels.

Richard Gifford, IT director of construction and property firm Rok, said the lost data “serves as a good reminder to all of us to make sure we have the appropriate security measures in place and to think before transmitting information.”

He said it was “clearly worrying” that government agencies that are used to handling sensitive information could make such mistakes, and the breach should prompt “a review of all agencies, with the scope extending to people, processes, technology as well as physical access.”

Colin Simpson, group systems manager of brewery and pub retailer Fullers, said it was “clearly difficult to legislate for someone not following procedure but this is really a management issue rather than an IT one.”

Among public sector IT chiefs, there was even more strongly worded concern that systems be put in place to stop such fundamental lapses.

Richard Steel, CIO of Newham council in East London, said he was “appalled” by the HMRC breach, while Hampshire council’s IT chief Jos Creese said: “It is essential for all public service organisations, if they are to have the confidence of the public regarding the way in which they hold and use confidential and private information, that the necessary procedures and controls are in place.”
