How two lost discs crippled the case for ID cards

SA Mathieson has published a book about the defeat of the ID card scheme, with a series of three extracts appearing on the IT Security Pro web site. He writes:

Suppliers of information security technology do a robust job of promoting their products, including by highlighting news stories that demonstrate an apparent need, with a suitable quote from a company executive arguing that this shows why the organisation affected needs to spend more on information security.

20 November 2007, when Mr Darling told the House of Commons that HM Revenue and Customs had lost two discs containing unencrypted data on 25m children and parents registered for child benefit, was therefore a day of high activity for the public relations firms who organise such releases.

Octopus Communications, acting for security software supplier McAfee, was a bit quick off the mark; it based its press release on early leaks and sent it 25 minutes before the chancellor stood up, with the result that it was inaccurately titled ’15m child benefit recipients bank details lost: McAfee comment’.

The data, which had been sent by an employee of HMRC from North-East England to the National Audit Office in London at the latter’s request, was password-protected – but this would not have presented a barrier to anyone with a reasonable level of technical knowledge.

The discs included the name, address and date of birth of every child in the country, along with parents’ bank account and national insurance details, making financial fraud a particular worry: Mr Darling delayed his announcement to allow banks and building societies to put markers on millions of bank accounts.

The discs were sent through the government’s standard, untraced mail service – and disappeared. Despite a thorough search of both the child benefit office and the National Audit Office buildings, and a false alarm a week before the chancellor’s statement, the discs were never found.

Mr Darling believes that the discs were probably destroyed after his announcement.

Mr Mathieson’s book is available in PDF, Kindle and print formats. IT Security Pro readers can save 20% on the PDF editions by using the code ITSECPRO at the checkout until the 1st of April.