British tax authority lost 25 million households' records because privacy isn't a priority there

Glyn sez, "The Open Rights Group has done a summary of the official explanation of how it was possible for a junior official for Her Majesty's Revenue and Customs to lose discs containing records for 25 million individuals and 7.25 million families in the post. From this report it's clear that information security was not seen as a priority at HMRC.

The data loss incident arose following a sequence of communications failures between junior HMRC officials and between them and the National Audit Office ("NAO"). The loss was entirely avoidable and the fact that it could happen points to serious institutional deficiencies at HMRC.

The two major institutional deficiencies from which many of the more detailed issues flow were:

  • Information security simply wasn’t a management priority as it should have been, and
  • HMRC had an organisational design which was unnecessarily complex and, crucially, did not clearly focus on management accountability.

HMRC has significantly reduced the risk of further data loss since the incident. However, when there are so many islands of information and so many data transfers going on, and while simple guidance is not available to staff, further data loss nonetheless remains a distinct possibility and more needs to be done. Investment will be required to continue the reduction of risk to an acceptably low level, although the review process is identifying data transfer practices which can simply be stopped at no significant cost."

Link (Thanks, Glyn!)

Discussion

25 million is about 40% of the British population of 60 million (according to the CIA World Fact Book).

#2 posted by zikman, June 25, 2008 9:54 PM

hmm... well that makes sense.

case closed. let's go have some malts

"However, when there are so many islands of information and so many data transfers going on, and while simple guidance is not available to staff, further data loss nonetheless remains a distinct possibility and more needs to be done."

Hmm... does it sound to you like the solution is probably going to be "transfer everything onto one big cracktastic database"?

Rather than "get some security protocols NOW".

Nobody states, for any of the lost discs (losses of which are suddenly so common - probably hundreds in the wild now!), if they were encrypted or not?

Not one article (I've seen) in the press, web, etc, even questions this?

It's certainly not difficult to encrypt, rendering the disc useless to all but the recipient.
Case in point - our daily backups need to be taken off-site on a physical medium (insurance purposes).
Anyone finding the unit will get a funky free drive and random data.
Cost to our business to create the scheme - a couple of drives and a few hours pay - less than a couple of hundred!
(Yes, I know nothing is ever 100% safe, but in most cases, 99.99% of people are just not going to bother trying)

If these 'lost' discs were effectively useless in the wild, I wonder if it would even be news-worthy?
If anything it would be a dig at the mail system, rather than a panic apology.

I don't know why they don't just encrypt data. Apparently government workers are now going to be sent for training about how not to lose data.

Another excellent use of taxpayers' money. That money could have probably cleaned up a few hospitals.

#4: The discs' data was not encrypted.

If it was, this would be no big deal. Which is why we insist on encryption (though users sneaking stuff out are an all-time bear to put a cap on top of).

#7 posted by Anonymous, June 26, 2008 4:19 AM

I'm amazed that there is still no accountability. How is it even possible for a junior to get all that data out of the database and put it on a CD? Why do juniors have this level of access? And why is that an excuse? That should be a sacking offense in itself imho. You let juniors have the keys to the whole database? You ARE the weakest link, goodbye.

Why haven't the seniors in charge of the junior been sacked for woeful lack of oversight?

How come people in the UK get fired for all sorts of little things, e.g. being 5 mins late to work 3 times in a year, but not for losing all this data?

If I made a mistake that big, or someone under me did, I'd expect repercussions.

Where do I apply for a job where I can screw up so massively and endanger the whole country and the children in it (Won't someone Think of the Children, as they're so fond of shouting) that the papers know about it and talk about it for weeks, and STILL get to keep my job?

#4 and #6: Encryption is great for more ephemeral data, but once somebody has the disc in hand, they have carte blanche to crack the encryption.

And even if they can't afford the resources now, what about in 3 years' time, when four times the processing power is available? If it's data like bank accounts and home addresses of people with families, it's not likely to change over that kind of time period.

I'm very pro-encryption, but for shipping data around on a physical medium, you need other security measures (such as sending the disk by armoured van, rather than TNT Couriers, or better yet, striping the data onto separate disks after encrypting and sending those all separately).

The main issue here was that junior employees could download the entire database, with 40% of the population's banking details on it, and were shipping it around on disks for routine queries which only needed a tiny part of it.

That's a management failure.
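The two controls this comment argues for, ship only the subset a request needs and split what you do ship across separately sent discs, as an added example that is not part of the original post or of any HMRC procedure. It goes a step beyond the comment: instead of striping ciphertext, it uses an n-of-n XOR split (one-time-pad style) so that any single disc on its own is indistinguishable from random; in practice the export would be encrypted with an authenticated cipher before splitting, which the standard library cannot do, so the cipher step is omitted here. The sample records are constructed and the field names are assumptions.

```python
import json
import secrets

# Constructed sample records standing in for the benefit database; values are made up.
FULL_RECORDS = [
    {"nino": "QQ123456A", "name": "A. Example", "address": "1 Sample St",
     "sort_code": "00-00-00", "account": "12345678", "children": 2},
    {"nino": "QQ654321B", "name": "B. Example", "address": "2 Sample St",
     "sort_code": "11-11-11", "account": "87654321", "children": 1},
]

def minimise(records, needed_fields):
    """Keep only the columns the request names, so bank details never
    ride along with a query that only needs the NINO and child count."""
    needed = list(needed_fields)
    unknown = set(needed) - set(records[0])
    if unknown:
        raise ValueError(f"unknown fields requested: {sorted(unknown)}")
    return [{k: r[k] for k in needed} for r in records]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_into_shares(data, n):
    """n-of-n XOR split: n-1 shares are uniformly random, the last is the
    data XORed with all of them. Any n-1 discs together remain
    indistinguishable from random, so one going astray reveals nothing."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]

def recombine(shares):
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out

def prepare_transfer(records, needed_fields, n_discs):
    """Minimise first, then split the serialised export across n discs."""
    export = json.dumps(minimise(records, needed_fields), sort_keys=True).encode()
    return split_into_shares(export, n_discs)

def load_transfer(shares):
    return json.loads(recombine(shares).decode())
```

Only the recipient who receives all three discs can read anything; the query here needed two of the six columns, so the other four never leave the building at all.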

It strikes me as odd that so much stuff allegedly gets "lost in the post." Either the Royal Mail is filled with individuals every bit as bumbling and incompetent as this junior official - or the discs never actually made it to the post at all and were in fact diverted intentionally.

I mean, seriously, ever forget to send a card to your grandmother for her birthday, and just claim that it must have been lost in the mail, because you totally did send it, honest?

Yeah, I've never done that, either.

#10 posted by Glyph, June 26, 2008 7:45 AM

@#8 Brassmule:
Just to clarify: the disc was sent by 'internal' mail (handled by TNT), not through Royal Mail. And yeah, the vast majority of stuff that goes astray in the post is actually down to poor addressing or packaging rather than problem posties.

Still, as said above, the issue is less the exact way the data was transported and more the management / cultural failures at HMRC that made the loss possible in the first place.

#11 posted by Takuan, June 26, 2008 7:54 AM

just watch. Their "solution" will be to establish a "security culture" to match the War on Photography.

#12 posted by Anonymous, June 26, 2008 2:10 PM

@ #7 I'll hold my hands up here - I work for the "woefully inadequate" HMRC and I have read the Independent Police Complaints Commission report following their investigation into HMRC's data loss. The 'junior official' did not simply download the whole Child Benefit database, only our IT contractors could actually do this. A 100% copy of the database was created every 6 months for a compliance audit and put onto discs, and it was this information that was copied and sent to the National Audit Office.

The information was only password protected, not encrypted.

I am not defending my employer, we did indeed have absolutely no focus on data security and whilst a lot of things have changed we still have a long way to go. But I do wish people would get their facts straight. From what I can gather a lot of the communications failures mentioned in the above article were between senior and middle managers, the only junior involved was an administrator who helpfully copied and posted the discs when asked to by his or her superiors. The initial statement from the Chancellor of the Exchequer blamed the loss on a junior and that story seems to have stuck despite later info to the contrary.
