Opposition MPs have attacked the government’s failure to encrypt sensitive data on members of the public in a parliamentary debate over HM Revenue and Customs’ loss of 25 million people’s records.
The HMRC data loss occurred when unencrypted data on two CDs, including names, addresses, bank details and other confidential information on child benefit claimants and their children, was lost in transit to the National Audit Office.
In a stormy debate in the Commons, Liberal Democrat MP John Hemming – who has a background in IT and data security – said one of the biggest problems with the HMRC breach was that data was “not encrypted, but merely password-protected”.
He asked: “Why, therefore, has the department not said that while the review continues, any data discs should be sent out in an encrypted manner? Merely having a sign-off from a senior manager would not prevent exactly what has happened from happening again.”
Acting Liberal Democrat leader Vince Cable followed up, warning that the lost data, if it fell into the hands of criminals, would be worth “around £1.5bn”.
But the lack of encryption at HMRC was not a one-off, he said. “I understand that that was not a simple oversight and that almost all the data that have been lost and all those that have been shipped around in government are not encrypted,” Cable said.
“Encryption is simply not happening. What are the reasons for that? My understanding, from talking to some of the specialists involved, is that IT specialists, mostly freelancers, are needed to encrypt data. The big IT companies are not interested in using them and the civil servants who oversee them do not understand the problem, so encryption is not happening.”
Conservative MP John Redwood said it was “pathetic” that, many days after the breach was reported, the Treasury had not made a straightforward statement that “elementary protections and precautions for data handling and transmission have been put in place”.
Such defences “would be expected in any medium-sized company, let alone a large one”, he added.
In reply, chancellor Alistair Darling said: “Part of the procedures that have been put in place, and which require the sign-off of a senior manager, ensure that if a large transfer of material were being made encryption would be looked at.”
But after further challenges, his more junior ministerial colleague, Jane Kennedy, offered a firmer statement that HMRC would now encrypt any outgoing discs. “Where directors decide that a data transfer by disc is absolutely unavoidable, such media must in every case be securely encrypted at the appropriate level. Those changes are already in place.”