Vast trove of missing data roils Britons

The British government was reeling under a political firestorm Wednesday brought on by revelations that the personal identity and banking details of 25 million Britons had been lost in the government’s internal mail system.

Treasury chancellor Alistair Darling called the loss a “catastrophic” and “unforgivable” breach. Government officials acknowledged that they still had no idea what happened to a pair of computer disks that contained birth dates, addresses, government ID numbers and bank account details for nearly every family in Britain with a child under the age of 16.

Financial analysts said the missing information could allow anyone who found it to apply for loans or even mortgages under an adopted identity. Child welfare workers said the loss compromised children’s safety because the disks contained the names, birth dates and addresses of millions of children. Banks were bracing for a flood of queries from account holders worried that their account security could be compromised.

The government of Prime Minister Gordon Brown, who has been in office only five months, is taking a pummeling over the security breach, mainly because it is not the first. At least two other significant security lapses have occurred under his watch.

The new crisis follows the Brown government’s controversial bailout of the nation’s fifth-largest mortgage lender, Northern Rock, after fallout from the sub-prime lending crisis in the United States in September led to the first run on a British bank in more than a century. Already over the weekend, Brown’s approval rating had slipped to 33%, compared with 48% during his first full month in office in July.

“I profoundly regret and apologize for the inconvenience and worries that have been caused to millions of families who receive child benefit,” Brown said as he underwent a blistering attack in the House of Commons, the lower house of Parliament.

Wednesday was the second day in a row that opposition leaders criticized the government for what appears to be a government data loss of unusual proportions, involving up to 41% of the population.

The loss involves records on Britons who receive government stipends of about $38 a week for their children under the age of 16 -- nearly all British families with children, because there are no income restrictions on the payments.

The payments are often deposited directly into families’ bank accounts, meaning account numbers and routing codes are included in a large number of files.

“Let us be clear about the scale of this catastrophic mistake: The names, the addresses and the dates of birth of every child in the country are sitting on two computer disks that are apparently lost in the post; and the bank account details and national insurance numbers of 10 million parents, guardians and carers have gone missing,” the opposition Conservative Party’s shadow chancellor, George Osborne, said when Parliament was first alerted to the loss Tuesday.

“Half the country will be very anxious about the safety of their family and the security of their bank accounts, and the whole country will be wondering how on Earth the government allowed this to happen,” he said.

The head of Her Majesty’s Revenue & Customs, where the loss occurred, has resigned. The prime minister said he has ordered a full review of procedures on data protection across the government and commissioned the head of PricewaterhouseCoopers to make recommendations to avoid future security breaches.

“This is an extremely serious matter,” Darling told the Parliament. “HMRC has a responsibility towards the general public, who entrust it with highly sensitive personal information. It has failed to meet the high standards that should be expected of it. . . . I deeply regret that, and apologize for the anxiety that will undoubtedly be caused.”

Officials said they had been in contact with the nation’s major banks and there had been no evidence of fraudulent activity connected to the data breach.

But there were already scam e-mails apparently circulating, inviting recipients to “confirm” their account “security details” on a fraudulent website, citing the data loss, according to unconfirmed reports from visitors to the BBC’s website.

The two disks, whose information was protected by password but not encrypted, went missing Oct. 18 when a junior HMRC employee dispatched them in contravention of department regulations to the National Audit Office in an unregistered interoffice mail envelope. The same data had apparently been sent successfully to the audit office in March, also a breach of security procedures, and returned.

The second parcel, handled under contract by the private TNT courier service, never arrived. A third parcel containing another set of disks was sent in a registered envelope when the second one was discovered missing, on Oct. 24.

But the frantic search for the original disks apparently got underway only when senior officials were told of the mishap on Nov. 8, three weeks after they went missing.

TNT officials said there was no way of tracking the parcel if it wasn’t registered in the company’s consignment system. It could have been mistakenly delivered to another government office if the handwriting was hard to read, some analysts suggested; it may even have been mislaid somewhere inside the HMRC, though a search has failed to produce it.

Privacy International, an advocacy group that has campaigned in favor of stronger privacy protections and against a plan to require national identity cards in Britain, said the missing data were “more than enough to nourish even the most incompetent criminal” should the information fall into the wrong hands.

“This leak is equivalent to dumping 25 million paper records on a street corner,” said the organization’s director, Simon Davies.

Scotland Yard has launched an investigation to try to locate the parcel and is working with banks to track any possible fraud.

The revelations of the security breaches have only added to Brown’s woes. Under his tenure, two other such incidents have occurred.

In a remarkably similar breach in September, the records of 15,000 taxpayers who were clients of Standard Life were misplaced when they were sent on a computer disk from HMRC to the insurance company’s Edinburgh office, but never arrived.

In August, a laptop containing the personal details of 400 taxpayers was stolen after being left in a car overnight.

Brown said existing regulations allow only authorized staffers to access private information. Such data cannot be removed without proper authorization, and regulations require such data to be encrypted whenever information is sent. “Those were the procedures. They are in existence now, and they should have been operated,” the prime minister said.

But Conservative Party leader David Cameron, with shouted encouragement from the benches, rejected the government’s defenses.

“I have to say to the prime minister that if a junior official in an organization can access so much information and send it not once, not twice, but three times, that is evidence of systemic failure,” he said.

“This appalling blunder comes at a time when the government is planning a national identity register to draw together private and personal details of every single person in the country,” Cameron added. “Will the events of the past few days cause him to stop and think about that policy?”

--

kim.murphy@latimes.com