It does seem dumb, even with 20:20 hindsight. Let's expose 15,000 people to identity theft.
The Inland Revenue, or more accurately HM Revenue & Customs (HMRC), has lost a CD holding confidential ID information on around 15,000 taxpayers who had contracted out of a state second pension scheme. It sent the CD to Standard Life's pensions department via a courier service. The incompetent service, thought to be Parcel Force, lost it.
Here's the thing: the disk contents were not encrypted. Here's another: similar CDs are sent out every month by HMRC to insurance companies dealing with pensions. So every month, unencrypted confidential ID and financial data on hundreds of thousands of people is couriered around the country by an incompetent service on behalf of a reckless HMRC.
The CD was lost in September, two months ago. An HMRC statement said: "HMRC take the security of customer information very seriously. The data, which contained the records of around 15,000 people, was lost in transit by HMRC's external courier. ... We have also reviewed our arrangements and introduced safeguards to prevent this happening in future."
Standard Life has written to affected customers, five weeks after the CD went missing, and has enforced extra security measures on their accounts. There has been no sign of any untoward activity on those accounts and the CD has, presumably, merely been lost.
Let's just read the first HMRC statement again: "HMRC take the security of customer information very seriously." The lost CD event shows obviously, abundantly obviously, that it does not. It has been reckless with taxpayers' confidential information.
The disk was sent out with data in something like a mainframe EBCDIC format. This is not readable by Word, but it is easy to understand with the right, commonly available software.
Why wasn't the data properly encrypted?
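To make the point concrete: EBCDIC is a character encoding, not a protection. The following is an added example, not code from the original post or from HMRC; the record layout, names and NI number are constructed, and the cipher is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 in counter mode as the keystream) standing in for what one would actually ship with, such as AES-GCM from a vetted library. It shows that anyone holding the disk can read the EBCDIC record with a standard code page, that an encrypted record yields nothing readable without the key, and that tampering with the encrypted disk contents is detected rather than silently accepted.

```python
"""Added example (not part of the original post): an EBCDIC record is encoded,
not protected. Sample data below is constructed for illustration only."""
import hashlib
import hmac
import secrets

# Constructed fixed-width record in the style of a mainframe pension extract:
# NI number, surname, forename, date of birth, contribution amount.
SAMPLE_RECORD = "AB123456C SMITH      JOHN       19600101 0042.50"
NONCE_LEN, TAG_LEN = 16, 32


def to_ebcdic(text: str) -> bytes:
    """Encode as IBM code page 037 (US/Canada EBCDIC), a common mainframe page."""
    return text.encode("cp037")


def recover_from_ebcdic(raw: bytes) -> str:
    """All a finder of the disk needs to do: decode with the same code page."""
    return raw.decode("cp037")


def looks_readable(raw: bytes) -> bool:
    """Crude 'is this protected?' check: does an EBCDIC decode expose the NI number field?"""
    try:
        return "AB123456C" in raw.decode("cp037")
    except UnicodeDecodeError:
        return False


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate confidentiality and integrity keys from one shared key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stdlib stand-in for AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: contents altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    raw = to_ebcdic(SAMPLE_RECORD)
    print("EBCDIC disk readable by anyone:", looks_readable(raw))      # True
    key = secrets.token_bytes(32)  # shared out of band, never travels with the disk
    blob = encrypt_record(key, raw)
    print("Encrypted disk readable without key:", looks_readable(blob))  # False
    print("Recipient recovers:", recover_from_ebcdic(decrypt_record(key, blob)))
```

The key is the part that must not travel in the same parcel as the disk; in practice it would be exchanged with the receiving insurer ahead of time and rotated per batch. The tag check matters as much as the encryption: a lost-and-found disk whose contents were altered should be rejected on arrival, not loaded into the pension system.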
Calum Macleod, the MD of data moving company Cyber-Ark, sticks the boot into HMRC. He said: "This is more than enough information for fraudsters to steal someone's identity. Last month there was the theft of an HMRC employee's laptop containing the personal data of around 400 people from the boot of a car, and you would think that people would learn from their mistakes."
Cyber-Ark's HMRC selling prospects are clearly not much on his mind, as he goes on: "Sending unencrypted data via CD-ROM, even by courier, is a ridiculous risk for HMRC to have taken. It makes the IT security system that the government agency employs little more than a laughing stock. Not only that but it really is high time that the government spent a bit of effort ensuring they set an example rather than simply pontificating to everyone else about what they should do."
The BBC reports: "A second CD containing data on some customers of an unnamed second firm has also gone missing."