Thursday, November 22, 2007

How did they tell the banks?

I've just read a copy of the letter, on the HMRC website, that anyone whose data has been lost will be receiving. These paragraphs stuck out for me.
This data includes your and your children’s names and dates of birth, your address, your National Insurance number and, where relevant, the details of the bank or building society account into which your Child Benefit is or was paid.

If you are paid through a bank or building society, they are aware of this matter. They are acting on this information, and assure us that they have appropriate safeguards in place to protect you.
How did HMRC do this? Well, I guess if they have sort codes they can run a query ordered by sort code and extract that data to a file. Then they could sort the file and split it into separate files, one per bank, each containing the data for that bank alone.

To be honest, getting the data sorted would be easy. The really big question is how did they get the data to the banks. It wasn't on a CD by courier was it?

Update: Unless of course they simply told every bank: watch any account that receives any payment from us. That would presumably cover lots of other payments too.


Anonymous said...

I find it amazing that the government can pretend to everyone that just because there hasn't been any fraud yet, that all the data hasn't been stolen or copied. Surely any ID thief would have the common sense to wait a while, sell the data, and replace the CD. It is in a few months or years time that this data becomes so useful, when safeguards are dropped, or the HMRC claim they have found the CDs. Just imagine how traceable any fraud would have been in the past 2 weeks.

Anonymous said...

Back when I was working for a certain ISP, a part of my job was to pull data out of databases, and supply the results to our parent company, Time Computers.

I was rather good at it, too; I could pull data out of the main database according to the most arcane requests of Marketing, and I could do it quickly, too. I used Perl on a Linux system, querying an Oracle database on a Sun system.

Now, if the data the Government was working with would fit onto a couple of CDs, then we're really not talking about all that much data; no more than twenty GB uncompressed or thereabouts.

Sorting through data of that size with Perl is really very easy (especially if you offload the donkeywork to the database with a cunning SQL statement); this isn't rocket science and it doesn't need an IT Consultant to do it; anyone reasonably au fait with SQL and Perl can do it, and do it well.

dizzy said...

Yep, not difficult at all. But you will recall that they apparently said it was too expensive to extract the data for NAO.

Anonymous said...

I feel I may have been too harsh on the NAO in an earlier comment when asking why they wanted a file with ALL the data. Clearly they did not want the bank and NI info, it was just the useless HMRC management that could not be bothered to remove it before sending it.

However that still leaves several critical lines of enquiry.

1) It now appears that the NAO knew in April that the HMRC data extract contained too much data. One key function of an auditor (at least in the real world) is to tell a client's senior management when they identify actions by the client's staff that create security risks or are potentially illegal. Why did NAO not go over the HMRC in April, assemble the culprits and their bosses, and read the riot act?

2) It is still unclear what legitimate audit function could be served by a complete copy of names and addresses (particularly when the compromised chain of custody would render it useless as audit evidence). Was it to be used to check against other government databases so that the level of consistency could be assessed for further integration between systems (e.g. the Children's register, NHS spine)?

The banks seem to be trying hard to save the government's ass on this one, but I suspect it's only a matter of time before they, quite rightly, want to know where to send the bill to.

Old BE said...

Surely giving the banks individual data would breach the Data Protection Act?

Praguetory said...

There are always frauds. Given the number of details missing how could Labour ever say with confidence that frauds have resulted from the security breach?

That's a good question for PMQs by the way. ;-)

Anonymous said...

After reading the documents now released it is clear that the situation with the NAO is far worse than I thought.

The reason that they did not want bank account and other details was not that it was insecure and potentially illegal, just that it might make the file too big to transmit.

It then becomes clear that for 2006-7 they had to change their procedure to meet auditing standards by verifying that a selection of benefit recipients existed and were entitled to receive the benefit. Amazingly until then they had been satisfied by reviewing the files of sample checks done by HMRC. The independent testing of the validity of recipients of £10bn of our money has until very recently been non-existent.

So how did the NAO belatedly go about their work? Standard audit procedures for the last 20+ years would be that the auditor uses their own verified software to select from the production database the required random sample of records and downloads just the records for the sample to be tested, with the download done under their supervision so that they are sure that they are getting data from the right source. Instead the NAO accept a download over which they have no control and which they can't prove comes from the actual data that they want to test. The value of such audit evidence is severely compromised.

Time for the audit standards guys to summon the C&AG for an explanation.
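The post asks how a per-bank split of the extract might have been produced, and the comment above describes the sampling approach an auditor would normally use instead of taking a full dump. The following Python is an added example written for this page, not code from HMRC, the NAO or the blog; the CSV extract, the column names and the allow-lists are constructed assumptions. It shows both operations with data minimisation built in: each bank's file carries only the account identifiers it needs, and the audit sample carries only what an existence and entitlement check needs, with a check that no column outside the allow-list leaks into either output.

```python
import csv
import io
import random
from collections import defaultdict

# Constructed sample extract (assumption), not real HMRC data. The columns
# mirror the kinds of fields the HMRC letter lists: names, dates of birth,
# address, NI number and the bank account Child Benefit is paid into.
SAMPLE_EXTRACT = """\
ni_number,claimant,child,child_dob,address,sort_code,account_no
AB123456C,Jane Example,Tom Example,2003-05-01,1 Test Street,11-22-33,00000001
CD234567D,Ravi Example,Asha Example,2001-09-17,2 Test Street,44-55-66,00000002
EF345678E,Sam Example,Lee Example,2005-02-28,3 Test Street,11-22-33,00000003
GH456789F,Amy Example,Ben Example,2002-11-11,4 Test Street,77-88-99,00000004
IJ567890G,Joe Example,Eve Example,2004-07-04,5 Test Street,44-55-66,00000005
"""

# Allow-lists (assumptions): a bank only needs to know which accounts to watch;
# an auditor checking that claimants exist and are entitled needs no bank data.
BANK_FIELDS = ("sort_code", "account_no")
AUDIT_FIELDS = ("ni_number", "claimant", "child", "child_dob")


def load_records(text):
    """Parse the CSV extract into a list of dicts, one per claimant row."""
    return list(csv.DictReader(io.StringIO(text)))


def split_by_bank(records, fields=BANK_FIELDS):
    """Group rows by sort code, projecting each row onto the allowed fields.

    Returns {sort_code: [{field: value}, ...]}. Grouping is done in Python
    here for a self-contained demo; on a real extract the ORDER BY / GROUP BY
    belongs in the SQL so the full row set never leaves the database.
    """
    by_bank = defaultdict(list)
    for rec in records:
        by_bank[rec["sort_code"]].append({f: rec[f] for f in fields})
    return dict(by_bank)


def select_audit_sample(records, size, seed, fields=AUDIT_FIELDS):
    """Auditor-controlled random sample.

    The seed is chosen and recorded by the auditor so the same selection can
    be reproduced from the source later. Only the allowed fields are returned,
    so bank details never enter the audit file at all.
    """
    rng = random.Random(seed)
    chosen = rng.sample(records, size)
    return [{f: rec[f] for f in fields} for rec in chosen]


def leaked_fields(rows, allowed):
    """Columns present in an output that are not on its allow-list (should be empty)."""
    bad = set()
    for row in rows:
        bad.update(k for k in row if k not in allowed)
    return sorted(bad)


def write_per_bank_files(by_bank):
    """Render one CSV per sort code; returns {filename: csv_text}."""
    out = {}
    for sort_code, rows in by_bank.items():
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(BANK_FIELDS))
        writer.writeheader()
        writer.writerows(rows)
        out[f"bank_{sort_code}.csv"] = buf.getvalue()
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_EXTRACT)
    per_bank = split_by_bank(recs)
    for name, body in write_per_bank_files(per_bank).items():
        print(name)
        print(body)
    sample = select_audit_sample(recs, size=2, seed=42)
    print("audit sample:", sample)
    print("leaked into bank files:",
          [leaked_fields(rows, BANK_FIELDS) for rows in per_bank.values()])
    print("leaked into audit sample:", leaked_fields(sample, AUDIT_FIELDS))
```

The point of the allow-lists is that the projection happens at the moment of extraction, so the question of whether someone "could be bothered to remove" the unneeded columns never arises: the file that leaves the system is the minimal one by construction.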

Anonymous said...

It's Ok, Money isn't real anyway.

Think about it, credit is simply a few button presses, they don't actually dig up any new gold.

It's just thin air (never used to be, Money used to be Gold and Silver)

Thin air that they charge us Interest on. Thin air that if we don't pay up in time, they get to repossess our Belongings.

Cash? £50.00 Notes cost about 1p to print en masse.

So having defaulted on repaying back this thin air, the Bank gets to repossess my car or house...sell it off, convert it into Gold and stash this into the Vaults of the Bankers...(Not the Banks I should add)

But what did they actually lose....or risk....Nothing, Thin air, all the car showroom is holding is more thin air, credited to their account...If they withdraw the £10,000 I paid for my car, It just represents about £5.00 worth of Pretty Paper.....So the Banking elite get Interest and a Repossession out of thin air...

Sure the Car Saleroom can withdraw the 'cash' and buy gold if they want, but now the Goldsmith is holding the £5.00 bundle of pretty paper.

The Biggest con in the history of Mankind, a banking system designed to syphon the REAL wealth of the world into the hands of the Global Elite.

All the banks need do is arrange a deal with the Govt Bank of England to lower interest rates, ensnare lots of customers then raise interest rates, then haul in the assets of those individuals and families who became over exposed.
Repeat ad infinitum.

Wait did I say the Govt's Bank of England.....'fraid not....the Bank of England is in fact, Just like every other bank a Private Company...owned by Rothschild...
The same in America, Fort Knox now stands empty....Our own bank of England has about £3 billion in reserves...

Our wealth is being trawled, syphoned upwards...Boom Bust, Boom Bust.

This man is Congressman Ron Paul