HMRC data loss one year on: lessons still being learned

It has been a year since the HMRC lost the personal records of 25 million UK citizens

The HMRC data loss scandal, in which the personal records of 25 million citizens went missing, happened a year ago, but experts warn that sensitive data will continue to haemorrhage from organisations unless the correct policies, processes and technologies are put in place.

The government has lost an average of one PC a week over the past year, according to figures obtained by the Conservative Party, but a combination of human error and poor processes have continued to undermine attempts to address the failings, said security experts.

Gary Clark, European vice president at data encryption firm SafeNet, argued that the government needs to focus on ensuring that data cannot be accessed by anyone outside the department to which it belongs.

"We should be able to trust that stringent practices are in place to secure our personal data," he said. "These should include identifying process weaknesses, adopting robust security standards and encrypting all sensitive data."

Matthew Tyler, director of consultancy Evolution Security Systems, told vnunet.com that his company had recently been involved with a government project to look at encrypting data on memory sticks.

"Although a good step in today’s internet age, why is there still a requirement to take massive amounts of hugely sensitive data out in the first place?" he said.

"Most recent data breaches have been down to people not following current procedures, so surely the best way forward is to design systems where this sensitive information cannot be taken out en masse as there is no reason to be doing this in this day and age."

Philip Wicks, a security expert at IT services firm Morse, emphasised the importance of stringent policies and procedures that either stop people being able to download sensitive information onto these devices, or make sure that the data is encrypted.

"Organisations need to ensure they have controls in place to protect the data on laptops, phones, memory sticks and other removable storage devices so that, if they are lost and end up in the hands of criminals, the data cannot be used for unscrupulous purposes," he said.

Phil Bridge, UK managing director at data recovery firm Kroll Ontrack, pointed out that human error is a major contributing factor to the government's data loss incidents.

"It is clear that data protection technology is moving faster than human procedure," he said. "Employees must be trained to view methods like encryption as standard business processes, not practices reserved for special occasions."

However, Paula Barrett, a partner at international law firm Eversheds, believes that the government is slowly learning the lessons from the HMRC breach, and that new standards for data protection are being drawn up.

"Organisational and technical changes are needed, but so too is widespread raising of the awareness of what those standards are," she explained.

"This is not something that can be implemented by information assurance personnel alone. Buy-in has to come across the department. Accountability is therefore also a key element."

Barrett added that further legislation could be on the way to force organisations to take data protection more seriously. "Changes are afoot. Await with interest the content of the Queen's Speech in a few weeks' time," she said.