Data Leak in Britain Affects 25 Million (Published 2007) (2024)


LONDON, Nov. 21 — The British government struggled Wednesday to explain its loss of computer disks containing detailed personal information on 25 million Britons, including an unknown number of bank account identifiers, in what analysts described as potentially the most significant privacy breach of the digital era.

It has defended its decision not to disclose the loss until Tuesday, 10 days after it had been informed, saying banks had asked for time to put heightened security measures in place first.

The data went astray in October, after two computer disks that contained information on families that receive government financial benefits for children were sent out from a government tax agency unregistered, via a private delivery service. The episode is one of three this year in which the agency improperly handled its vast archive of personal data, according to an account by the chancellor of the Exchequer — including the sending of a second set of disks when the first set did not arrive.

In sheer numbers, the breach was smaller than several in the United States over the last few years. Last year, a computer and detachable hard drive with the names, birth dates and Social Security numbers of 26.5 million veterans and military personnel was stolen from the home of an analyst, but recovered apparently without any harm. In 2003, a former software engineer at America Online pleaded guilty to stealing and selling 92 million user names and e-mail addresses, setting off an avalanche of up to seven billion unsolicited e-mail messages.

But the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16.

“This particular breach would dwarf anything we’ve seen in the United States in terms of percentage of the population impacted,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group based in California.

The head of the tax agency, Paul Gray, resigned Tuesday, and Prime Minister Gordon Brown apologized to the nation on Wednesday and said he had ordered a review of the government’s handling of all private data. In an address to the House of Commons, he said, “I profoundly regret and apologize for the inconvenience and worries that have been caused to millions of families that receive child benefits.”

The data breach offered the opposition new ammunition. David Cameron, the leader of the opposition Conservative Party, said in Parliament that the government had “failed in its first duty — to protect the public.”

Bank officials said they had scrutinized their records back to Oct. 18, when the disks were mailed, but had discerned no unusual account activity, and the government pledged that no individuals would be responsible for any losses related to the security breach. British families are eligible for a weekly payment of $36.30 for their first child, and $25 per additional child. Those who choose to have the money deposited directly into bank accounts must provide this information to the government.

The disks were protected by a password, the government said, but were not encrypted. They were sent by Her Majesty’s Revenue and Customs, the country’s tax collection agency, to the National Audit Office, which monitors government spending, via a parcel delivery company, TNT.

According to the chancellor of the Exchequer, Alistair Darling, who delivered a lengthy explanation to the House of Commons on Tuesday, a “junior” staff member sent the disks. Three weeks later, the tax agency’s managers were informed that the disks had not arrived. Mr. Darling said he was told of the problem two days later, but first had law enforcement officials hunt for the disks and then alerted banks.

“In making this statement today,” he said, “I have had to balance the imperative of informing the House and the public at the earliest opportunity, whilst at the same time ensuring that when I did so the appropriate safeguards were in place to protect the public, including in relation to bank accounts. Indeed the banks were adamant that they wanted as much time as possible to prepare for this announcement.”

But on Wednesday, a spokeswoman for the British Bankers Association, Lesley McLeod, said the group had been informed only on Friday, and that its security measures had been completed by Monday.

Mr. Darling noted two other instances in which the tax agency had sent delicate information to the National Audit Office that were not in keeping with security rules: first in March this year, and then a second time in October, when the audit office first told the tax agency that the two disks had not arrived. Those, he said, were sent by registered mail, and did arrive. Experts on security data said there were signs of systemic security problems.

“It sort of beggars belief how anyone could have access to that data,” said Simon Zimmo, the commercial director for Europe, the Middle East and Africa at SecuriData, a data security specialist based in Scotland.

Experts said the information could allow crimes beyond identity theft. Some people use the name of a child or part of an address as a password on a bank account, so the combination of these details could allow someone to break their code.

“You can bet your bottom dollar that there will be people out there looking for those disks, and it’s not just MI5 trying to get them back,” said Mike Davis, an analyst with the Ovum technology consulting firm in London, referring to the British domestic security services.

Matt Richtel contributed reporting from New York.
