The HMRC's 25m lost data files

AFTER the reports about the loss of personal data of over 7 million families, thought to have been "lost in the post" by HM Revenue and Customs, hit headlines it became apparent just how big an error has been made. The crisis erupted after two CDs containing bank details, addresses and other personal information on millions of families were lost after being sent in the post from a H.M.R.C. office in Tyne and Wear, to the National Audit Office (N.A.O.) in London. The N.A.O. had asked for sensitive data, such as bank details, to be stripped from the CDs, but later it has been revealed that not only had this information not been removed but worse still, the information was not encrypted. It is of great concern that, just after this massive blunder and laps of security had been revealed, in a press release issued to the media, Mathew James, Managing Director of UK Biometrics Ltd said that: - "The recent loss by HMRC of personal data on 25 million people would never have happened had the data been protected by biometric security." This issue was also raised by Chancellor Alistair Darling (speaking on BBC Radio 4 Today program) who said:- "We need to ask ourselves is how we can ensure in the future that information is not passed on to third parties without the consent of the individual. Using biometric details, you can be surer of the identity of the person who is requesting the information." This may be all well and good, but even the best encryption can be broken and as one security expert told us:- "The industry has been warning the UK Government for years about its lack of security. As news in the UK broke, a groundbreaking report, which was funded by the EC, shows that the issue of trust in public authorities and technology systems is a major challenge for governments across Europe. The report also looked at the issue of how much data is held in one place and the matter of the security of large data deposits has come into question. In the UK, it is yet again a case of acting after the horse has bolted, It seems to demonstrate that our government cannot be trusted to hold massive amounts of data in one place. On the face of it, it would look like a good idea to store all the data in one location. Don't forget though, if that failed, then the loss of data would be devastating, so it would still have to have a back up system in another location. That would in itself open up problems. Sadly also, the data would have to be accessed from all over the place, by different departments of the government, emergency services and so on, and that too would open up a massive security issue. If there is any access to a system, information there is potential risk. It just stands to reason. The more data there is that is personal and of use for a criminal, the bigger the attraction of hacking into it is. Keeping a trace on all the systems being accessed would be impossible! The encryption key, being a biometric one is a good idea and a good step in making data more secure, but this would only work for a while. I do however agree with Mathew James, that an IT savvy criminal would not even bother trying to hack a biometric systems at this point in time, but as computer systems get faster, the encryption key, no matter what it is, can easily be broken. Also, the amount of eyes that would have to be scanned would be unbelievably high, inevitably leading to errors further becoming likely? Mathew James in his press release said:- "Biometrics offers the one key that cannot be lost, stolen, hacked, forged or passed to an unauthorised person - the human fingerprint." Remember the Enigma Code? Errors on computers happen all the time, no matter how good a computer system is. As you have witnessed with this simple mistake, one small error has massive fall out. Just think what could have happened if this involved more data! After all, files are still files, even when encoded and you can use any computer system..."...continued...

...continued... "to decode any file. Ok, at current computing standards, the biometric scan would prove virtually impossible code to break, but remember that these files were lost in the post. The fact the files are lost, gives anyone who has them all the time in the world to unlock the data. No matter how it is saved, it can always be accessed, if you know how to make the key. Simple errors like this could and will open large gaps in security within larger centralised databases, and that is more worrying! 

Once again it has been suggested that getting ID cards for the public with biometric scans would help. Quite how that would solve the ID issue is unclear. Certainly it clarifies a user's ID at a personal level, but, as records get mixed up all the time because of the massive amounts of data now being saved by the government, how well this would work is any one's guess? If information becomes muddled, as it frequently does at present, it may prove someone does not correspond to a given file but may not help the hapless individual, whose details have been garbled, establish a case. Especially as he or she would be regarded with suspicion and, if current practice is assumed, no further discussion could ensue! Just look at the National Tax Credit system!"

Southport based MP John Pugh also added his concerns:- "Although all organisations make errors, this is one with the potential to cause national havoc and it shows that in the age of the computer the blunders of one individual can have consequences on a huge scale. This is very worrying with a government committed to amassing national databases in health and at the Home Office. The privacy and security of information held about us is no longer a fringe issue."

What is far more worrying was a statement made to the press by a Home Office spokesman who hinted at making this system compulsory for all… by saying:-, "The biometrics mean that it will be much more difficult to use somebody else's identity, as they will have to provide the correct fingerprint or facial image at the same time. You can't create a fingerprint or a face."

But do people really know how safe a system would be for all to use it? Remember that Chip & Pin was meant to stop fraud, yet ID theft a card and fraud have increased dramatically since its introduction in the UK. Although it may sound like something out of a sci-fi movie, a whopping 83% of Mancunians say they would be happy to swap their Chip and PIN keypad for a finger print reader, if it meant their personal details were safer; according to research conducted by Life Assistance firm CPP. They also found 93% think that using fingerprints to prove who you are is much more secure than the traditional signature.

According to the CPP Group Plc report, released on 9 November 2007, finger print and eyeball recognition, otherwise known as biometrics, is already part of everyday life in America, as all visitors have to be finger printed before they enter the country. In Holland, iris scanning is used to fast-track frequent fliers through its security checkpoints at Schiphol Airport. Also a poll of 3,000 Brits, by Life Assistance, revealed that a staggering just under three quarters of Mancunians think the UK should follow suit. 71% think it will help to protect against fraud and 11% say it would be a good thing because they struggle to remember all the various PIN numbers and passwords they need and find it irritating to always use them.

Send us your views by email or by Skype or discuss them on our Liverpool Reporter Live Chat Room with others!