HMRC data loss 'completely predictable'

HMRC data loss 'completely predictable'

'Old, outdated and broken processes,' says Symantec

Security firm Symantec has said that it was "not at all surprised" by the recent catastrophic data loss at HM Revenue and Customs.

"At least this time it was spotted, even if it was some weeks later," said Guy Bunker, chief scientist at Symantec. "How many times has something similar happened that went completely unnoticed or unreported?"

Bunker reckons that the junior employee who was responsible for the data breach was probably just doing his job and had no idea of the implications of his actions.

"I am sure he does the exactly the same every time there is a similar request. He probably just presses 'option five' on the screen with no idea about what happens at the back end," he said.

Bunker maintained that the loss of two disks containing the details of 25 million Britons was simply down to "processes that are old, outdated and broken ".

He added that this must act as a wake up call to all government departments and private organisations to address all instances where potentially sensitive information is dealt with by staff.

Sadly Bunker is sceptical about whether anyone will learn from the incident. He cited the lack of impact caused by previous high profile data leaks, such as those at Nationwide and TK Maxx.

An all too prevalent 'this won't happen to us' mentality means that most organisations will not learn from the HMRC case and tackle potential pitfalls in their own policies.

Bunker suggested that a fine similar to the one handed to Nationwide might encourage some companies to sit up and take notice as they will not want to incur a similar penalty.

"But, ultimately, fining the government is not of much use to the people who have had their details lost," he said.

Companies and governments must understand and question the procedures and policies they implement, and these systems to be investigated to make sure they conform to the required security standards.

Bunker concluded that legislation forcing companies to disclose data breaches, as happens in some US states, may be necessary to ensure that customers are as protected and well informed as possible. "Forewarned is forearmed," he said.