The HMRC has apologized for the security breach.
Families up and down Britain are on the alert against identity
fraud this morning, following the announcement that Her
Majesty's Revenue and Customs (HMRC) has lost personal information
on 25 million people. The data, which records information on all
British families with children under the age of 16, has gone
missing after it was sent by internal mail between the HMRC and the
National Audit Office.
Data contained on the two lost CDs includes parents' and
children's names, dates of birth, addresses, National Insurance
numbers and, where relevant, the details of the bank or building
society account into which Child Benefit is or was paid.
"For the companies and organisations concerned, it's a public
relations disaster, but for the individuals affected ID theft can
be potentially financially crippling," said Graham Cluley, senior
technology consultant at Sophos. "Once criminals have your personal
information they can take out bank accounts, loans, and credit
cards in your name, attempt to break into your bank account and
ruin your credit rating, and generally look to inflict as much
financial damage as they can, in as short a time as possible."
Sadly this latest incident is not the only time that HM Revenue
and Customs has allowed data on British citizens to potentially
fall into the wrong hands. In September, a laptop containing
personal information on thousands of investors was stolen from the car boot of an
HMRC official. Last month, in a separate incident, a courier being
used by HMRC lost a CD
containing details of 15,000 Standard Life customers.
Sophos experts note that a database containing personal
information about a large number of people is highly attractive to
"If this data fell into the wrong hands it could be sold off
piecemeal to organized identity theft gangs over the internet for a
handsome profit. Within minutes information can be duplicated and
passed around the world for criminals to exploit," continued
Cluley. "Hackers have set up auction sites on the shadier areas of
the internet for hawking their stolen wares to interested parties.
Everyone will be desperately hoping that if a criminal has
intercepted the CDs that they do not realise the value of what they
have stolen, and the data will not be exploited."
The scale of the HMRC's data loss, and the fact that it happened
at the heart of government, means many individuals may worry about
what data they share with such legitimate institutions in future.
Indeed, a Sophos
survey published today found that 33% of people believe that
the public sector does a worse job of securing their confidential
information than private firms.
How can you tell if you are a victim of identity theft?
- You stop receiving bills or other mail; this could suggest that
an identity thief has given a different address in place of your
- You start receiving credit cards for which you did not
- You are denied credit for no obvious reason
- You receive calls from debt collectors about items you did not
- When checking your credit history you see items you do not
- Your bank statements include withdrawals, payments and money
transfers for which you cannot account
"Having your identity stolen isn't always as obvious as when
something else gets stolen. It's not like when the Mona Lisa is
pinched and there's a gap on the wall," explained Cluley.
"Unauthorized people can have personal information about you
without you realizing - and it's only when evidence emerges that
they have been stealing money or goods in your name that you may
know that something illegal has occurred."
For more information visit the British Home Office's Identity
Theft website at www.identity-theft.org.uk.
The HMRC has set up a telephone hotline on 0845 302 1444 for people
who want further information.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.