
Poynter report uncovers culture of insecurity at HMRC

By Ron Condon, UK Bureau Chief
25 Jun 2008 | SearchSecurity.com

The loss of 25 million personal records by HM Revenue & Customs (HMRC) last October was the result of "major institutional deficiencies," says a formal inquiry into the events, published today.

The Poynter Review takes 103 pages to describe in detail how the HMRC operated before the data breach, and how the loss of two CDs holding personal and financial information about recipients of Child Benefit happened.

The inquiry, led by Kieran Poynter of management consultants PricewaterhouseCoopers (PwC), concluded that "information security simply wasn't a management priority as it should have been, and HMRC had an organisational design which was unnecessarily complex and crucially, did not clearly focus on management accountability."

Poynter's team found that although HMRC had plenty of policies governing security, they were poorly implemented. "If these policies had been adhered to, it is likely that the data loss could have been prevented," he said. "In the event, very few of the HMRC staff involved in this case were actually aware of the existence of such policies and guidance. Clearly, therefore, they were not adequately communicated across the organisation. Furthermore, staff found the policy difficult to access via HMRC's intranet."

The report of the investigation provides a detailed blow-by-blow account of events leading up to the data loss, with extracts of emails showing who said what to whom. However, since the blame for the breach is attributed to cultural and organizational weaknesses, the staff members involved are given anonymity, and referred to only as employee A, B, C and so on.

The emails show that the UK National Audit Office (NAO) wanted sample data for auditing purposes, and requested that the financial data be stripped out (mainly to cut down the size of the file). But some HMRC staff thought the cost of extracting the records could have been as much as £15,000 using EDS, and that it was therefore not worth doing. Poynter queries that figure, and suggests there was in-house expertise capable of doing the file conversion.

He notes that a bad precedent had been set in March, when files had been sent by HMRC to the NAO in the same way, although on that occasion they arrived safely.

In October, however, although HMRC had a contract with its courier company TNT for a secure transfer of packages, the CDs were sent using TNT's untraceable Tax Post system. When the disks failed to arrive after a few days, an angry phone call from the NAO forced officials to create a second set of CDs, which arrived safely.

It was only two weeks later that the alarm was raised when the first set of CDs could not be found.

Poynter thinks the incident was symptomatic of wider problems. He says security was not a management priority. "Even had it been a priority, HMRC's organisational design and the governance and accountabilities underpinning it would have made it extremely difficult for it to be felt as such," he said.

Poynter points out that the 2005 merger of Inland Revenue and Customs & Excise put HMRC staff under strain, and created a demoralized workforce. "HMRC's information security policies were inadequate, and those that they had were unduly complex and not adequately translated into guidance or training for the junior officials who needed them," he concludes.

The report says that 13 of its 45 recommendations have already been implemented at HMRC, and a further 26 have started to be implemented. For instance, HMRC has issued a simple guide to security which gives examples of what information can be sent, by what mechanism it should be sent, and in what circumstances. It has already distributed 111,000 copies to staff.

HMRC also developed and piloted a half-day mandatory information security workshop, which everyone from the chairman down must attend by the end of July. It is also redesigning and re-launching its induction training to include mandatory data security elements, and developing mandatory online information security refresher tests for all staff. Once rolled out, this will need to be completed annually.

Poynter says the changes could represent "a great opportunity. Modernising work practices and the systems which support them should lead to significant efficiency gains as well as the restoration of the reputation of HMRC." But he also warns that the behaviour uncovered in this incident is not confined to HMRC.
