HM Revenue and Customs (HMRC) has finally officially admitted to six (as of now) significant data breaches in the last two years on top of the most recent one that saw the personal details of 25 million citizens go missing, the London Guardian reports.
The acting chairman of HMRC David Hartnett acknowledged that the numerous breaches "may well" indicate a systemic operational failure.
I wonder how many data breaches it would take over a two-year period to indicate that a systemic failure truly exists? Especially after Hartnett explained that after a major data breach in 2006 - one that no one in HMRC bothered to tell the public about - more stringent rules were introduced that obviously failed. The HMRC seems to me to have set a pretty high risk threshold.
Another interesting snippet is that the London Telegraph is reporting that the lost HMRC data discs contain the real and new names of hundreds of people in police witness protection programs. A senior police source told the Telegraph that, "This is disastrous. People's lives could be in danger. It makes a mockery of the witness protection programme."
One more bit of information to ponder is that ComputerWeekly says that insurance broker Jardine Lloyd Thompson estimates that the cost of a similar data breach (as the latest one by the HMRC) to a public company would be around £4 billion. No wonder the UK government is trying to pawn off the costs to the banks.

Comments (2)
Ade McCormack has an interesting angle on this in his most recent Financial Times column, which discusses the entwinement of IT and business processes. You can get a link to the article and have a chance to have a discussion with Ade in his blog post "It's time for the IT industry to grow up" http://ademccormack.typepad.com/itvalue/2007/11/welcome.html
It would be interesting to hear if you agree!
Posted by Andrea | December 6, 2007 10:22 AM
Thanks for the comment. I did read Ade McCormack's column and I don't have any major disagreements with the arguments made, conclusions drawn, or recommendations suggested. More fundamentally, though, I think the problem at HMRC is one of what the late Peter Drucker would call poor "information responsibility" across the board. No one at HMRC seems to have felt that it was their fundamental duty to protect sensitive information - it was just "computer data" divorced from the reality of what that data represented. No matter how well in the future HMRC aligns its business and IT processes, without a sense of information responsibility to go with it, mistakes like the one that happened (and the 1,211 that have occurred in the past year http://blogs.spectrum.ieee.org/riskfactor/2007/11/the_sounds_of_shoes_dropping_e.html) will just continue to happen.
Bob Charette
Posted by RiskManager | December 7, 2007 9:43 AM