21 November 2007
The Missing Package Red Herring
Alistair Darling is talking about the steps the government is taking to find the missing package. We should be less concerned about this actual known breach than the fact that junior civil servants can access and transmit HMR&C personal data.
Whilst known missing/lost data is important, a far greater risk of fraud relates to deliberate theft of data by HMR&C employees. It's apparent that access to this personal information is insufficiently restricted. The internal security measures to protect this data should resemble Fort Knox.
- Low level staff should not be able to gain access to more than individual records.
- It shouldn't be possible to put this data on to a CD.
- Auditors should visit the site to do their work.
Finding these two CDs isn't the end of the matter. It's a smelly red herring.