The internet has a new villain. To the notorious botnets, crime hubs and black-hat hackers can be added a name to strike fear into the hearts of anyone who holds security dear – the UK’s HM Revenue & Customs (HMRC).
This is the provocative opinion of the Internet Services Providers' Association (ISPA), which used a gala dinner on 14 March to hand the government service the 'Internet Villain' of the year award for 2007, "for failing to take the protection of peoples' personal data seriously and highlighting bad practice in protecting data by loosing (sic) computer disks containing confidential details of 25 million child benefit recipients" - a decision that stretches the definition of Internet to its limit.
ISPA is referring, of course, to the HMRC’s darkest moment of recent times, November’s mislaying of several CD discs containing UK child benefit records, including the names and addresses of every single child in the country.
Debacle it undoubtedly was, but the HMRC will be disappointed to have won the unwanted accolade against such tough opposition, including BT ("for changing the whole engineering plan for 21CN only six months before the launch date") and French President Nicolas Sarkozy ("for his proposed new tax on internet access and mobile phone use to fund France's two public television channels, which would be free of advertising"). Beating them deserves to rank as a dark achievement of herculean proportions.
Although the ISPA’s members are made up of UK internet service providers, the judges were drawn from a narrower body of industry analysts and journalists, not professions noted for their tolerance of official cock-uppery – or of anything in fact.
Oddly, the ISPA’s finalists in the ‘Internet Hero’ category included social networking site Facebook, which has itself heavily divided opinion as to its security-worthiness. The full list of awards and winners can be found here.
The HMRC is near the bottom of most popularity lists at the best of times – it collects UK taxes – but is an award with the words 'Internet Villain' attached to it an entirely fair judgement? Clearly, the revenue's CD disc disaster was a matter of incompetence, not deliberate design, but the same could be said of the private-sector TK Maxx data loss. Neither organisation willed the data to be lost. But in the case of TK Maxx, it is known that the data did fall into the hands of criminals, whereas the HMRC’s lost discs remain only that – lost. There is no evidence that they have been exploited.
If the organisation had used the internet – or at least a secure VPN – to transfer information, then maybe losing the information would have made it a worthy winner. But mislaying an old-fashioned medium such as a CD? Perhaps its biggest crime was relying on such a technology.