Millions of British families at risk of identity theft after HMRC data loss, Sophos offers advice

November 21, 2007 Sophos Press Release

The HMRC has apologized for the security breach
The HMRC has apologized for the security breach.

Families up and down Britain are on the alert against identity fraud this morning, following the announcement that Her Majesty's Revenue and Customs (HMRC) has lost personal information on 25 million people. The data, which records information on all British families with children under the age of 16, has gone missing after it was sent by internal mail between the HMRC and the National Audit Office.

Data contained on the two lost CDs includes parents' and children's names, dates of birth, addresses, National Insurance numbers and, where relevant, the details of the bank or building society account into which Child Benefit is or was paid.

"For the companies and organisations concerned, it's a public relations disaster, but for the individuals affected ID theft can be potentially financially crippling," said Graham Cluley, senior technology consultant at Sophos. "Once criminals have your personal information they can take out bank accounts, loans, and credit cards in your name, attempt to break into your bank account and ruin your credit rating, and generally look to inflict as much financial damage as they can, in as short a time as possible."

Sadly this latest incident is not the only time that HM Revenue and Customs has allowed data on British citizens to potentially fall into the wrong hands. In September, a laptop containing personal information on thousands of investors was stolen from the car boot of an HMRC official. Last month, in a separate incident, a courier being used by HMRC lost a CD containing details of 15,000 Standard Life customers.

Sophos experts note that a database containing personal information about a large number of people is highly attractive to identity thieves.

"If this data fell into the wrong hands it could be sold off piecemeal to organized identity theft gangs over the internet for a handsome profit. Within minutes information can be duplicated and passed around the world for criminals to exploit," continued Cluley. "Hackers have set up auction sites on the shadier areas of the internet for hawking their stolen wares to interested parties. Everyone will be desperately hoping that if a criminal has intercepted the CDs that they do not realise the value of what they have stolen, and the data will not be exploited."

The scale of the HMRC's data loss, and the fact that it happened at the heart of government, means many individuals may worry about what data they share with such legitimate institutions in future. Indeed, a Sophos survey published today found that 33% of people believe that the public sector does a worse job of securing their confidential information than private firms.

How can you tell if you are a victim of identity theft?

Symptoms include:

"Having your identity stolen isn't always as obvious as when something else gets stolen. It's not like when the Mona Lisa is pinched and there's a gap on the wall," explained Cluley. "Unauthorized people can have personal information about you without you realizing - and it's only when evidence emerges that they have been stealing money or goods in your name that you may know that something illegal has occurred."

For more information visit the British Home Office's Identity Theft website at www.identity-theft.org.uk. The HMRC has set up a telephone hotline on 0845 302 1444 for people who want further information.