Losing the plot

IT COULD have been prevented for £65, but this was a disaster waiting to happen. However shocking and catastrophic the Inland Revenue's security breach may seem to the families left wide open to the threat of identity theft, last week's debacle came as no surprise to the UK's top technology experts.

With the estimated cost of the data disaster standing at more than £200 million and millions of British households now squarely in the sights of international organised crime gangs, the incident has exposed a fundamental flaw in the public sector's approach to IT that many experts have long recognised.

"The most shocking aspect to the loss of 25 million records is that for £65 the data on the two CDs could easily have been stored on an inexpensive and easy-to-use encrypted USB drive. This would have absolutely guaranteed that our most private records would have stayed private, and it beggars belief that a government department could have saved our most personal data on such an insecure medium," said Jim Selby of data storage specialists Kingston Technology.

This, in a nutshell, is the problem with government computing projects. Over the years they have become notorious in the IT sector, frequently taking years to complete, running wildly over budget and often ultimately failing to cope with the basic functions for which they were designed, when simpler and cheaper off-the-shelf products would have done the job.

If there is a bright side to the debacle, many commentators believe it is that the public sector can no longer pretend there is not something fundamentally wrong with its approach to technology.

"I believe this will be the tipping point," said Richard Archdeacon, Symantec's director of technical services. "The government clearly has some major issues to solve within its technology strategy, and can surely not continue without a far-reaching review of its IT policies and procedures."

This viewpoint is hard to counter. Earlier this month around 15,000 Standard Life customers were put at risk of fraud after an HM Revenue and Customs (HMRC) courier lost a computer disc containing personal information, while in October one of the department's employees lost the details of a reported 400 individuals when a work-issued laptop was stolen.

Most would hope that the missing discs will turn out to be lying under somebody's desk, but HMRC will not be the only organisation in the hunt. According to experts in the hacking community, a multitude of professional identity-theft gangs will also be hot on the trail, if one of them doesn't have the discs already.

"A dataset of name, address, national insurance number, birth date and bank account details for 25 million people is worth a lot of money," said Gunter Ollmann, director of security strategy for IBM Internet Security Systems. "I doubt that anyone but the big boys of organised crime could afford to buy all the information in one go. However, a common method of making money off large data sets is to break them down into smaller batches. Batched datasets containing this kind of data get bought and sold for variable amounts, but something like $2 per record in batch sizes of 1000 records is not uncommon."

A $50m haul is there for the taking. And even after the data has been sold, the potential for further criminal gain is enormous. Despite advice to monitor bank statements for suspicious activity, those contained in the lost discs are sitting ducks.

Fraudsters using the missing information will have enough information to open new accounts in their victims' names, and will be willing to wait until the children whose details have also been lost reach 18 so that they can start impersonating them, said Experian's Peter Brooker. "The damage to a victim's credit report and ability to obtain a mortgage, rent a flat, buy a car on credit, open a new bank account and so on will be severe and will last for years."

Even if the data never reaches nefarious hands, the cock-up is likely to precipitate a deluge of related criminal schemes. "It is likely that even now a large email campaign is being planned to prey on the British public. A similar scam campaign in Scandinavia recently led to a bank losing £800,000 when 250 victims fell for an email scam that preyed on their feelings of vulnerability," said Jonathan Armstrong, partner at international law firm Eversheds.

Among IT experts, the broad consensus is that training schemes designed to make civil servants at all levels aware of the issues surrounding data must be immediately introduced. This, combined with a policy of using the latest technology, would provide a strong starting point from which to ensure such disasters never happen again.

"At the end of the day, this isn't the first time this has happened, and it's about time they got their act together. Quite simply, the use of proper encryption should be a basic, everyday computer skill for anyone working with information like this," said David Tomlinson, managing director of security firm Data Encryption Systems.

"I'd hazard a guess that there are IT and security staff at HMRC who understand fully the security issues and exactly what is needed to take care of them. However, this awareness and information has failed to make its way down to the people dealing with the information on a daily basis."

Industry observers are also calling on the government to introduce breach disclosure laws compelling institutions to notify individuals of any breach in privacy. California has already seen the introduction of such legislation hailed as a major success, and the policy is quickly being adopted in other parts of the world.

Perhaps most importantly, many experts are also calling for a review of the government's fondness for outsourcing major IT projects. They believe this creates a dislocation between system and service that will always be difficult to overcome and also prevents in-house teams developing the skills required to manage such complex operations.

"If you outsource core skills, you won't have them to hand when it really matters. That is the nub of the HMRC debacle, and its almost certainly the reason that government technology always seems to be several years behind," said John Safa, chief technical officer of IT security company DriveSentry. "It's also worth noting that government IT jobs pay well below the industry average and, while it sounds cruel, if you pay peanuts you get monkeys."

It seems an unavoidable conclusion that something is very wrong at the heart of the government's technology strategy. It represents a fault at the core of the national infrastructure that, unless remedied, could wreak havoc on British public life for decades to come.

"After all the recent debacles involving public-sector computing, this latest disaster only seems to add to the weight of evidence that the public sector is not taking the security of our data seriously enough," said digital security expert Matthew Tyler. "This certainly does not bode well for either the national DNA database, or, more importantly, the potential new identity card scheme."

This article was first published in The Sunday Herald