PI Comments on UK Tax Agency Data Breach
20/11/2007
MEDIA RELEASE
Revenue & Customs Data Breach
Privacy watchdog warns of “imminent and unprecedented” criminal attacks following major data leak
- Data “triangulation” by criminals may exacerbate the scale of identity theft
- Data Breach legislation urgently needed
- Passwords are now at risk
For immediate release
The privacy watchdog organisation Privacy International (PI) today warned of the potential for identity theft and criminality on an ‘unprecedented scale”, following a major data leak from Revenue & Customs.
The Director of Privacy International, Simon Davies, who is also Senior Visiting Fellow in Information Systems at the London School of Economics, warned that the extent of the breach indicated the potential for widespread criminal misuse of data.
Mr Davies said the Chancellor’s statement to Parliament was “entirely unconvincing” and that it did not address the key threats arising from the breach. “The Chancellor’s words were carefully chosen, but they told us noting about the extent of the security threat. He was either ill-informed or was intentionally understating the threat level.”
“It is clear that the data was held on bulk standard disks and was unencrypted. This leak is equivalent to dumping 25 million paper records on a street corner”
“The Chancellor appeared to play down the risk associated with the leaked data, but criminals need to have only a basic level of information about an individual. They can then use resources such as public records or the Internet to fill in gaps. Social engineering tactics such as impersonation will then ensure that they can take over a person’s identity.”
“NI numbers, address data, date of birth and bank details are more than enough to nourish even the most incompetent criminal.”
There is also a significant risk that the amount of data may be sufficient for criminals to guess passwords and pass phrases. “Most people use simple and memorable passwords that can often be guessed if the criminal knows details such as children’s names, date of birth and address location”.
Mr Davies said the scale of the data breach was astonishing and that along with previous incidents it signalled an endemic security problem within Revenue & Customs.
“The government acquired this data under legal compulsion. It is now the responsibility of government to fully indemnify against criminal use of the information.”
“The government should also immediately take action to introduce Data Breach legislation that will require all organisations, private and public, to notify at-risk customers without delay.”
ends
Related:
PI warns that breaches are leading to collapse of public trust in IT systems
PI Launches 'And Who are You?' campaign to protect individuals against fraud
Privacy International to pursue data breach legal action against UK government
|
