Last year provided plenty of news stories about lost laptops and CDs containing masses of personal data. Confidential data wasn't exposed by corporate systems being compromised by outsiders (foreign or otherwise) but by insiders doing dumb things, like sending unencrypted data in unregistered post. Gareth Niblett takes another look at the HMRC data loss.

With all the focus on complex and emerging threats it is sometimes too easy to overlook the simple threats that are still with us. Take, for example, the insider threat - not even a malicious employee or contractor, but the naïve, careless or overly helpful ones that disregard the policies designed to protect your business.

With the continuing revelations related to how the HMRC has managed our personal information over the years, and the ongoing review into breaches of data protection, I will try to avoid adding too much to the mass of speculation as to the detail of what went wrong, and take a look at some of the broader issues.

Protection of data?

Recent data losses by the HMRC, including CDs (ironically sent for audit purposes) containing some 25 million records, secured only by a password, provide excellent examples of how not to process and protect personal data. If they were a business, would they still have our custom and revenue?

Unfortunately, these losses only highlight weaknesses in internal controls and the powers and sanctions available to the Information Commissioner's Office (ICO). They could be fined or have their ability to process personal information curtailed, but to what gain and who would ultimately pay? Prevention is better than cure.

I welcome the Poynter Review into this fiasco and hopefully the government responds positively and swiftly to its initial recommendations on the urgent measures needed to strengthen data security at the HMRC and any further recommendations given in the full report when it comes out in the spring.

Hopefully the lessons will be learned before the launch of the new database of every child in the country - ContactPoint. This will feature name, address, gender, date of birth and a unique number for every child, as well as information about parents, carers, schools, doctors and other relevant organisations.

One of the benefits (no pun intended) this fiasco may bring is the introduction of stronger legal remedy with respect to data protection breaches and new powers for the Information Commissioner's Office, giving it an effective right of audit and the ability to conduct spot checks on government data security. We can but hope.

Oh calamity!

As for the impact - well, the sky isn't falling; fraudsters can't suddenly empty your bank account (unless you use personal details for authentication); identity thieves can't steal your identity (not that they ever truly could); your children are as safe as they were before. Breathe deeply, count to 10, and continue.

That's not to say that mislaying such personal information isn't a concern and potentially of value to would-be fraudsters, if they were to get hold of it, as it is likely that much of their legwork would have already been done, with a large volume of fairly accurate information presented in a ready-to-use form.

The information contained on the mislaid HMRC CDs included our children's names and dates of birth, our addresses, National Insurance numbers and the bank or building society account details used for Child Benefit payment. Not in itself a total disaster, but combined with other data bad things could happen.

Imagine, for instance, that it wasn't a fraudster that got hold of this sort of information, but a paedophile. They could identify children of a particular age and gender in a local area, and know things that could be of use in grooming, such as parents' names and address, and potentially figure out what schools they attend and so on.

I don't for one moment suspect that this is something that has happened with the CDs lost last year, but the same information is held on the HMRC database and it has already been adequately demonstrated that this has not been effectively controlled, with overly broad outputs and information retained by contractors.

Policy, schmolicy

Simply having policies in place is clearly insufficient. It may be enough to placate a disinterested auditor, but unless the policies sit within an effective framework of governance, compliance, education, authorisation and controls, you will not be able to manage your risk in an acceptable or consistent manner and will be exposed.

If the information handled by a government department has an official classification, restricted or confidential, then there are clear rules governing its storage, access, transfer and destruction. The classification, or sensitivity, relates to the impact if the information is lost or compromised.

Unfortunately, as far as government is concerned, the impact of the loss of a single record of an ordinary citizen is zero. Multiplied by 25 million it still doesn't add up to enough to encrypt it or send it by recorded delivery. Clearly this must change if we are to trust HMG with more critical data, such as our biometrics.

What has been amusing to watch is the security vendors popping out of the woodwork espousing how their product would encrypt / authenticate / secure / audit everything and all would be well. Technology doesn't offer a silver bullet to systemic failures to properly enforce policies, procedures and controls.

Rather, users need a modicum of common sense: to realise that our policies are there for a reason, to understand the implications of their actions, and to admit, and learn from, any mistakes. Security education is an absolute must, and should include coverage of any legal obligations, such as data protection.

Your Information is out there

In an amusing aside to a talk at a recent BCS Information Security Specialist Group seminar on industrial security, Ken Munro of SecureTest gave a worked example of how much information on an individual can be readily gleaned from freely available online sources. For his example, he chose one Richard Thomas.

Well, the job (Information Commissioner) was easy, and so too was date of birth, place of birth, address, mother's maiden name, email address, education and career history, work and travel arrangements, where he banks and types of accounts, plus plenty of other background information including details on his family.

Our Information Commissioner is not alone in revealing information about himself online; Alex Allan, the new head of the Joint Intelligence Committee (JIC), reveals his home address, phone numbers, private interests and photos of himself, friends and family - he oversees MI5, MI6 and GCHQ - and he's not alone.

All our information, to a greater or lesser extent, is available online. It could be in government or business populated information repositories - such as registers (births, marriages, deaths or electoral roll) and directories (telephone or business) - or it is information we have actively provided or put online ourselves.

What have you put online on social or business networking sites, photo galleries, blogs, websites, newsgroups, forums - directly or indirectly? What inferences can be made? This is on top of any private communications or photos that someone could forward or post online. You have only yourself to blame.

As future employers, and even educational establishments, make more use of online information, past comments or indiscretions may come back to haunt you even years hence. Seen in context, name, address, National Insurance number and bank details may seem like small change versus employment problems.