bells ringing throughout the banking industry
UK banks could face a monumental security challenge following the
country’s most serious data breach, warns Avivah Litan, an analyst
with research and consulting company Gartner. The data breach
occurred in October and involved the loss of two compact discs (CDs)
by the UK’s tax and excise agency, HM Revenue & Customs (HMRC).
The CDs contain large amounts of confidential information,
including names, addresses, bank account details and dates of birth
of 25 million individuals, including recipients of child
The CDs were lost on 18 October while they were being transferred
by courier from an HMRC office in north-east England to HMRC’s
London headquarters, and the loss was first reported to senior HMRC
officials on 24 October. Following a futile search, HMRC publicly
acknowledged the loss of the CDs on 20 November. HMRC chairman Paul
Gray resigned the same day.
The HMRC data breach is highly reminiscent of the 2006 loss of a US
Department of Veterans Affairs (DVA) laptop computer containing
confidential information on more than 25 million individuals, said
Litan. Indeed, she added, the HMRC data loss may be even more
damaging than the US incident because it may affect a large portion
of the UK’s population.
The US incident occurred during a burglary of a DVA employee’s
home. According to the DVA, the laptop contained Social Security
numbers of military veterans and their dates of birth.
Litan explained that in the HMRC incident the type of data lost
could be “enormously valuable” to criminals, who could, for
example, use stolen account numbers to take over bank accounts.
“This is why bank account numbers typically sell on the US black
market for as much as $400, compared with $5 or less for credit
card numbers,” said Litan.
Even the possibility that lost HMRC data had fallen into criminal
hands would likely force UK banks to take emergency measures,
including closely monitoring all fund transfers from potentially
affected accounts, said Litan. This would be very difficult once
the UK’s Faster Payments initiative, which will ensure
instantaneous funds transfers, goes into service.
“Perhaps fortunately under the circumstances, that initiative has
been delayed until 2008,” Litan commented.
She continued that if evidence emerges that lost data has fallen
into criminal hands, UK banks could, in a worst-case scenario, be
forced to close down millions of accounts and reopen new ones. “The
banks’ customers would also face considerable inconvenience,
because automatic payments and transfers would have to be set up
again, and debit cards might have to be reissued,” she said. She
added that the potential costs to the UK banking system are huge –
possibly as high as £244 million ($500 million), based on a
conservative cost estimate of £9.70 per account.
Fortunately, the chances of a true data loss resulting in identity
theft are usually extremely low, typically less than 1 percent for
any given individual, said Litan. “However, the media attention
this data loss is receiving means that criminals are likely to
pursue the lost data as vigorously as the authorities, so this case
has certainly not been resolved yet,” she warned.
Also of concern is that this was not the first serious data breach
in 2007 involving HMRC. In September a CD containing personal
details of 16,000 customers of insurer Standard Life was lost while
in transit from HMRC to Standard Life. The same month, a laptop
containing information on 400 individuals was stolen from an HMRC
staff member’s car.
Not surprisingly, the latest incident involving HMRC has sparked a
heated debate on the issue of data security. Championing the public
cause is the Information Commissioner’s Office (ICO), an
independent public body set up to protect personal information and
promote access to official information.
Commenting on the HMRC incident, Information Commissioner Richard
Thomas said it was “an extremely serious and disturbing” security
breach. “The alarm bells must now ring in every organisation about
the risks of not protecting people’s personal information
properly,” he said.
HMRC is not the only organisation to have come in for criticism
from Thomas. In his annual review, he wrote: “The roll call of
banks, retailers, government departments, public bodies and other
organisations which have admitted serious security lapses is
frankly horrifying.”
Thomas has called for serious data breaches to be made a criminal