21 Nov 2007
The head of HM Revenue and Customs (HMRC) has resigned after it was revealed in parliament that the personal details of 25 million Britons had been "lost in the post".
Chancellor of the Exchequer Alistair Darling said in a statement that two CDs with the details of 25 million families had been sent to the National Audit Office by courier firm TNT but failed to arrive.
The material was apparently put in the post by a junior employee at the HMRC office in Washington, Tyne & Wear.
The disks, which were password protected but not encrypted, contained names, addresses, dates of birth, child benefit numbers, National Insurance numbers and bank or building society account details.
Paul Gray, chairman of HMRC, has already resigned and opposition MPs are calling on Darling to do likewise.
"The lost bank account numbers, names and addresses represent a gold mine for thieves and are much more valuable than credit card numbers or taxpayer ID numbers," said Avivah Litan, vice president at Gartner Research.
"Bank account numbers sell for the highest price on the black market, between $30 and $400, which is significantly more than the 50 cents to $5 that criminals pay for credit cards.
"If evidence emerges that the data fell into criminal hands, the UK banks may be forced to close the 15 million accounts and issue new ones at an enormous cost to them and a major inconvenience for their customers."
This is the third in a series of data breaches at HMRC. The organisation lost the details of a number of high net worth individuals in October, and banking details for 15,000 savers went missing earlier this month when a laptop was stolen.
"Another week and another high profile data breach for the government," said Joseph Hoban, vice president at data protection firm GuardianEdge.
"This is not the first time that public data has been compromised and, if lacklustre security continues to rule, it certainly will not be the last.
"It is time that tougher security measures were taken to protect our most confidential files. Securing two disks with only a password is not sufficient."
Darling has described the incident as "extremely regrettable" but has resisted calls for his resignation.
The loss has also sparked renewed calls for a data breach law that would force the government and companies to inform people if their data had been put at risk.
"California introduced data breach notification legislation some time ago, which compels businesses to inform customers if their personal data may have been compromised," said Richard Turner, vice president of sales at security firm RSA.
"The introduction of similar legislation would not only be a significant step in combating fraud, but constitutes a basic human entitlement.
"Public awareness of security breaches would serve to focus organisations on ensuring that confidential information is adequately protected, and enable the public to take appropriate safeguards in the event of a compromise."
Better data protection
Human error will always be a factor, but if the discs and USB drives are encrypted properly to begin with then the general public can rest their minds that their data will be safe even in the event of lost or stolen CDs and USB drives.
Posted by: Louisa 28 Jan 2009
HMRC Database
The latest claim in defence is that it would have been too expensive to select only the data that the NAO required. Having dealt with databases for 30+ years I find this utterly absurd. All databases have a query language (often SQL) which makes selection possible and often easy and certainly cheap. It is also possible to design the database so that certain fields are only accessible by authorised persons. That this was not done shows incompetence at a management level. Using password protection is also a sign of senior management failure. PGP (Pretty Good Privacy) costs nothing but is vastly more secure than passwords, and there are better encryption methods. Having been in the Civil Service I know that the Administrators who pull the strings pride themselves on culture not competence. To know how a database actually works would to them be a sign of failure. This leads to the results we have seen.
Posted by: misceng 22 Nov 2007
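The two points in the comment above, that a limited extract is a cheap query and that access to sensitive fields can be restricted at the database layer, can be shown in a few lines of SQL. The block below is an added example, not code from the article, from HMRC or from the commenter; it uses PostgreSQL syntax, and the table, column and role names and the sample rows are constructed for illustration. Which fields the NAO actually required is not stated in the article, so the view assumes an audit that needs only the child benefit number and date of birth.

```sql
-- Added example (not from the article or the comment). PostgreSQL syntax.
-- Table, column, role names and sample rows are assumptions for illustration.
CREATE TABLE child_benefit_claimant (
    claimant_id        bigint PRIMARY KEY,
    full_name          text NOT NULL,
    address            text NOT NULL,
    date_of_birth      date NOT NULL,
    child_benefit_no   text NOT NULL,
    ni_number          text NOT NULL,
    bank_sort_code     text,
    bank_account_no    text
);

-- Constructed sample rows (fictitious data).
INSERT INTO child_benefit_claimant VALUES
  (1, 'A. Example', '1 Example Street', '1975-03-02', 'CHB00000001', 'QQ123456C', '00-00-00', '00000000'),
  (2, 'B. Example', '2 Example Road',   '1980-07-14', 'CHB00000002', 'QQ123456D', '00-00-00', '00000001');

-- Point 1: selection is cheap. An extract limited to the fields an auditor
-- needs is a single query, not an expensive project. (The fields assumed
-- here are a guess; the article does not say what the NAO asked for.)
CREATE VIEW audit_extract AS
SELECT child_benefit_no, date_of_birth
FROM child_benefit_claimant;

-- Point 2: field-level access control. The audit role is granted the view
-- only, never the base table. A PostgreSQL view runs with its owner's
-- privileges, so the role can read the two permitted columns while bank
-- details and NI numbers cannot be exported through this path at all.
CREATE ROLE audit_reader NOLOGIN;
REVOKE ALL ON child_benefit_claimant FROM PUBLIC;
GRANT SELECT ON audit_extract TO audit_reader;

-- Check the restriction from the auditor's point of view (SET ROLE to a
-- NOLOGIN role requires a superuser or a member of that role).
SET ROLE audit_reader;
SELECT * FROM audit_extract;                          -- permitted: two rows, no bank data
SELECT bank_account_no FROM child_benefit_claimant;   -- denied: no privilege on the base table
RESET ROLE;
```

The same pattern extends to the export itself: a `COPY (SELECT ... FROM audit_extract) TO ...` run as the restricted role can only ever produce the permitted columns, which is the data-minimisation step the comment argues was skipped. Encrypting whatever file does leave the building is the separate control the other comment raises; neither replaces the other.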