Monday, November 26, 2007

UK government loses 25 million identity records

You've probably already heard about this. It was front page news in the UK all of last week. They haven't stopped talking about it and commentators all over the place are taking pleasure in chastising the UK government for the problem. I've been in Seville (Spain) for work and haven't had time to chime in until now.

I'm referring to the fact that HM Revenue & Customs (HMRC) managed to lose 2 CDs filled with 25 million child benefit records in the process of sending them to the National Audit Office (NAO). In short, if you have children and have tax records in the UK, chances are your personal records and bank details were on those CDs.

Of course, being such a high profile incident, the Internet and news channels are already filled with articles and comments. Also, every software vendor and consulting firm is more than likely trying to call on HMRC with the line "have we got a solution and deal for you"! Despite this, the failure is not primarily because of a lack of technology. It is all about the lack of a security culture, lack of education and awareness and badly defined procedures.

In September, they also managed to lose 15,000 records when sending details to Standard Life and an estimated 400 customer records in a separate incident. Here's a timeline that summarises the incidents over the past few months if you want a high level view. HMRC's chairman Paul Gray has resigned over this incident. Someone had to fall on his sword over this and I suppose he was the logical first casualty.

This article at Techworld says that the NAO had actually only asked for National Insurance numbers and explicitly asked for the other information to be stripped out. But some bean counter "business manager" at HMRC instructed that this not be done because they would have to pay their IT provider EDS to do it. Sound familiar to you? Yet another case of the need to save a few dollars winning out over good security and privacy practices. It happens all the time because of uneducated "business individuals" with no sense of the need to protect sensitive information. That's why there have been so many incidents over the past few years and this is just the latest and highest profile one this year.

I'm frankly not surprised that this happened. It's a harsh thing to say, but I know a little something about a very small part of HMRC's systems and how EDS manages it. I should point out that I've never had anything to do with the EDS HMRC account or HMRC itself, but I do know some people who work on the account and it's a shambles. Identity controls are practically non-existent. Access controls are practically non-existent. There are also allegedly people working on those systems without a proper security clearance! This is not to say they don't safeguard some of their data. I'm sure they do, but it says something about the general culture and management mentality in place. I know for a fact that internally, BIG security holes are observed and brought to management attention by a lot of the guys on the ground, but their protests fall on deaf ears. It's almost always because dollars speak louder than the need to have good security controls in place. This is just unacceptable and it's not even totally EDS's fault, although they play a part. It's the fact that HMRC seem to have a culture of penny-pinching when it comes to IT and they've now suffered as a result. If you're unwilling to spend money on adequate security, you deserve to be called out as being incompetent and they've shown themselves to be exactly that. Unfortunately, millions of people have had to suffer as a result.

The main thing that strikes me out of all this is that EVERYONE (including British Prime Minister Gordon Brown) is blaming a "junior official" for the gaffe. This deflects from the actual problem. Even if the official was "junior", it was not their fault that this happened. In fact, being "junior" gives them a valid excuse for being stupid. The problem is just bad process and even worse IT management. This incident is inexcusable, especially if you are the Government and are responsible for the security, privacy and protection of your citizens. You CANNOT be losing information because you want to save a few bucks.

The "junior official" shouldn't even have had to think about what they were doing. They should NOT have had access to this information in the first place. And if an official does come along who should have access and is properly given the access, they should NOT be able to copy all this information onto something like a CD and have it sit there unencrypted and unprotected! Security should be put in place to make access to data "idiot proof" because most users are "idiots" when it comes to data protection. Even those of us who should know better violate security policies all the time because it's just easier. We do it without even thinking about the implications because we all have the “it won’t happen to me” mentality. It’s rarer still for an incident to have such massive implications on such a high profile scale. In other words, most of us suffer from “she’ll be right mate” (borrowing a term us Aussies like to use) syndrome.

The chances of something like this occurring would have been far less if HMRC had properly implemented the following (in order of importance):

  1. Decent security awareness training and education - User awareness will drastically reduce bad practices. People don't want to do the wrong thing. They just don't know when they are doing the wrong things.
  2. More security training and education - Keep it fresh and up-to-date. Things change VERY quickly in the IT security game. It also helps to remind people from time to time that security is important. It NEEDS to be part of corporate culture because otherwise, things just fall in a heap.
  3. Properly defined identity and resource/data access policies - Know what systems, applications, resources and data you need to protect and who should have access to them. Without this, all the technology in the world will not help.
  4. Properly implemented policies supported by relevant technology solutions - Policies alone will not protect you against the bad guys and the "idiot" (too stupid to understand the security policies) or "lazy" (can't be bothered reading the security policies) user. There are also many of us who fall into the "I know I shouldn't be doing this but I'm not doing this as a bad guy - I just want to make my job easier" category.

In other words, security awareness, training and education are paramount. It should be noted that this needs to be pushed from the top down. If the business stakeholders do not buy into security being important, no one else will. Bottom-up security awareness and culture change NEVER works. Having some semblance of a security function is the next most important thing. Without it, all the best technology in the world will not help. And finally, put in the proper IT solutions to enforce these policies because you need the "virtual traffic police" to ensure that laws are met.

At a simplistic level, technology alone could have prevented this from happening in the first place, but it does not solve the over-arching lack of security that is apparently there for all to see. In fact, many commentators and so called "security experts" are saying they should have put in encryption technologies and it would have solved all their problems! This is just not true. What technology could have done is this: basic stop-gap encryption that enforces that everything written to CDs and DVDs gets encrypted. If that had been the case, the loss of the CDs would not have caused this much debate and analysis around what went wrong. It would have simply been "oh, we lost some CDs and these things happen sometimes when you post things, but the data was all encrypted". That would have called into question their processes rather than their lack of focus on security and inadequate IT controls. The implications for the public would have been far less severe. But all it would have done is delay their major incident. If all you do is put stop-gap measures in place rather than a proper identity, access and information security layer and accompanying controls, it is only a matter of time before the "water leaks from another part of the dam" (apologies for the cliché, but I'm too tired to think of a witty and original analogy).

The only positive from all this is that HMRC have now got a compelling reason to act and spend money on a first step towards an adequate security infrastructure. Keep in mind that being the Government, "adequate" is NOT GOOD ENOUGH. But it's a start. Unfortunately, many Governments do not even have adequate security. I dare say many other Governments in the world have similar issues but just haven't had the high profile incident to catch them out yet. Losing 25 million records is going to be very difficult to top however, so I dare say the UK Government's incompetence will be in the spotlight for some time.

I'm not privy to the processes that have been put in place for the scenario that took place so I'm not about to comment on the specifics. They probably have some sort of security awareness and education. Maybe being a "junior official" pushed the person down the list of people who could attend classes and they hadn't been given the requisite training (in which case they shouldn't have been able to access sensitive information at all - sadly this prerequisite is often overlooked by security policy makers and even more often left unimplemented in security systems). If they had been given the training, then perhaps it was the "idiot" factor. If we give HMRC the benefit of the doubt and assume their education program is great, their operational and security processes are sound and their security policies are well defined, then this should have been prevented by the security measures and IT systems they have in place.

The whole process should have gone something like this:

  1. NAO formally requests the 25 million records via the proper channels using the pre-defined and approved process.
  2. Process is executed and approved, after which the work is assigned to an authorised official.
  3. Official (who has undergone proper security education and training AND has this fact marked in their user profile to allow for rudimentary access to systems) picks up the task and is authenticated to the environment at a certain clearance level. If official has not undergone security awareness training, they cannot get access to anything sensitive.
  4. Official retrieves information and based on credentials and their entitlements is only given the parts of the data they have approval to view. If this does not include the required information (e.g. names and national insurance numbers), the official should be able to request that the relevant entitlements be given to them and have this request approved by the relevant managers or security personnel. Access should not include the ability to retrieve information that is not required (such as bank details). In other words, there should be fine grained access controls in place for access to sensitive data.
  5. Once allowed, official retrieves information and saves it to required media for transport to NAO. If the approved and documented process is to burn the information onto DVD or CD, then this is done. Upon the action of burning to CD or DVD, the information should be transparently encrypted without the official having to intervene or know that it is being encrypted. The decision on what to encrypt should be made by the system.
  6. DVD/CD is packaged up, securely transported to the NAO and properly tracked.
  7. The whole end to end process should be digitally audited and tracked in a central location for forensic purposes. Then there would be no need to pay PWC a truck load of money to “investigate” as they have had to do in this instance.
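The seven steps above can be modelled as code, so here is an added example (not HMRC's, EDS's or the post author's code) that encodes the checks the process implies: the training prerequisite held in the user profile (step 3), entitlement and data-minimisation checks so that bank details never reach an export that only asked for names and NI numbers (step 4), encryption decided by the system rather than the official (step 5), and a central audit record of every decision (step 7). The records, the `Official` and `ApprovedRequest` types, the key and the audit log are all constructed for the example; the `seal`/`open_sealed` pair is an encrypt-then-MAC construction built from HMAC-SHA256 as an illustrative stand-in for a real AEAD such as AES-GCM, not a production cipher.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Constructed sample data: fictitious child-benefit records, not real ones.
RECORDS = [
    {"ni_number": "QQ123456A", "name": "A. Parent", "sort_code": "00-00-00", "account": "00000001"},
    {"ni_number": "QQ654321B", "name": "B. Parent", "sort_code": "00-00-00", "account": "00000002"},
]

# Constructed media-encryption key for the example; a real deployment would keep
# it in a key-management service, and the official would never handle it.
MEDIA_KEY = secrets.token_bytes(32)

AUDIT_LOG = []  # step 7: every decision lands in one central, append-only log

def audit(event, **details):
    AUDIT_LOG.append({"event": event, **details})

class AccessDenied(Exception):
    pass

@dataclass(frozen=True)
class Official:
    user_id: str
    training_complete: bool   # step 3: recorded in the user profile
    entitlements: frozenset   # step 4: field names this user may export

@dataclass(frozen=True)
class ApprovedRequest:
    request_id: str
    requester: str
    fields: frozenset         # steps 1-2: what was formally requested and approved

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF; stand-in for a real cipher's keystream.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(plaintext, key):
    """Encrypt-then-MAC: illustrative stand-in for an AEAD such as AES-GCM."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(blob, key):
    """Receiver side: verify the tag before decrypting, so tampered media is rejected."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def release_records(official, request, records):
    """Steps 3-5: enforce the training prerequisite and entitlements, minimise the
    data to the approved fields, and hand back media the system has already encrypted."""
    if not official.training_complete:
        audit("denied", user=official.user_id, reason="training_incomplete")
        raise AccessDenied("security awareness training not recorded in profile")
    missing = request.fields - official.entitlements
    if missing:
        audit("entitlement_required", user=official.user_id, fields=sorted(missing))
        raise AccessDenied(f"request these entitlements first: {sorted(missing)}")
    # Data minimisation: project every record onto the approved field set, so
    # unrequested bank details never reach the export no matter who runs it.
    projected = [{k: r[k] for k in sorted(request.fields)} for r in records]
    blob = seal(json.dumps(projected).encode(), MEDIA_KEY)  # step 5: the system decides
    audit("released", user=official.user_id, request=request.request_id,
          fields=sorted(request.fields), records=len(projected),
          media_sha256=hashlib.sha256(blob).hexdigest())
    return blob

def receive_records(blob, key):
    """NAO side: decrypt and parse the media it was sent."""
    return json.loads(open_sealed(blob, key))

def demo():
    """The NAO request as the post describes it: NI numbers and names only."""
    request = ApprovedRequest("NAO-REQ-1", "NAO", frozenset({"ni_number", "name"}))
    official = Official("junior01", True, frozenset({"ni_number", "name"}))
    return receive_records(release_records(official, request, RECORDS), MEDIA_KEY)

if __name__ == "__main__":
    print(demo())
```

The point to notice is where the decisions sit: the official never chooses which columns to include or whether to encrypt, and an official who holds more entitlements than the request needs still only gets the approved fields out. A real system would swap `seal`/`open_sealed` for a library AEAD and hold the key in a KMS or HSM; the access and minimisation logic is the part the post is really arguing for.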

You may still be able to poke holes in the process I’ve outlined (the best processes do not cover off 100% of the potential risks, they just help mitigate the overall risks), but it would still be better than what HMRC currently have in place…and it took me 5 minutes to come up with it. If nothing else, it would have at least shown that they had been pro-active about protecting their data from a process and procedural standpoint. There is obviously more to information security than this and I’m not blind to the fact that implementing what I’ve outlined is no small task. If it was this simple, there would be no need for information security professionals. They need to start with the easiest bits and work their way up from there. Defining the procedures and policies is the first step. Putting in the encryption is an obvious easy win. The identity and access/entitlements part is a little trickier, but they need to think big to start to get somewhere. At this stage, I doubt they even know how to spell “entitlements”.

All I’ve done here is cover off a small part of the big picture…but a part that would have potentially prevented the loss of the 25 million records. And even if they somehow managed to lose the CDs, they would only be useful as coasters or Frisbees to anyone who found them. The 25 million record data loss incident would have been averted and we would be talking about something more interesting this week rather than the UK Government’s incompetence.

1 comment:

AmberCat said...

It just keeps getting worse.

The last three posts in Ambercat's blog show further losses at Stockport Primary Care Trust, the Department of Work and Pensions, and now the Ministry of Defence.