UK’s Privacy Chernobyl

I didn’t write about this story at first because we’ve seen it so many times before: a disk with lots of personal information is lost. Encryption is the simple and obvious solution, and that’s the end of it.

But the UK’s loss of 25 million child benefit records — including dates of birth, addresses, bank account information, and national insurance numbers — is turning into a privacy disaster, threatening to derail plans for a national ID card.

Why is it such a big deal? Certainly the scope: 40% of the British population. Also the data: bank account details; plus information about children. There’s already a larger debate on the issue of a database on kids that this feeds into. And it’s a demonstration of government incompetence (think Hurricane Katrina).

In any case, this issue isn’t going away anytime soon. Prime Minister Gordon Brown has apologized. The head of the Revenue and Customs office has resigned. More is certainly coming.

And this is an easy security problem to solve! Disk and file encryption software is cheap, easy to use, and effective.

Nov 27, 2007
By Jaikumar Vijayan, Computerworld (US online)
Network World Asia

Banks in the U.K. could end up spending upwards of US$500 million to deal with the aftermath from the recent loss of computer disks containing bank account and other personal data belonging to about 25 million people, according to analyst firm Gartner Inc.

The amount is the total that banks might have to spend to close and reopen millions of bank accounts and reissue debit cards to affected customers, Gartner analyst Avivah Litan said in an alert released last week.

The figure is based on a conservative estimate of $20 per account, which is how much it would cost a U.S. bank to close down and reopen a bank account following a data breach, Litan said.

The U.K.’s HM Revenue & Customs tax agency last week disclosed that it had lost computer disks containing large amounts of confidential information, including names, addresses, dates of birth and bank account information belonging to nearly a quarter of the country’s population.

The huge media attention the breach has received makes its much more likely than normal that the stolen data could actually get misused, Litan said. As a result, U.K banks are also much more likely to take emergency measures to mitigate that risk.

Heightening the concern is the fact that fraud resulting from compromised bank account information is often harder to detect than payment card fraud, Litan said. Typically, bank account compromises can result in account hijacking or so-called automated clearinghouse fraud, where a data thief uses compromised bank account and routing numbers to initiate payments from a customer’s account to his own, she said.

Detecting such transactions can be hard, especially given the scale of the recently disclosed breach, Litan said. At the best of times, “probably the system with the weakest protections against fraud is the account transfer system” between banks, she added.