British government officials said today that the personal information for some 25 million people – about half of the country's population – was lost after two computer disks being transported between government departments went missing.
In a statement to the House of Commons, Chancellor Alistair Darling explained that the data had been held on two disks sent to the National Audit Office (NAO) from an office of the tax authority, HM Revenue and Customs (HMRC). Paul Gray, chairman of HMRC, announced his resignation Tuesday after the breach was made public.
The disks, which contained names, addresses, birth dates, national insurance numbers and banking details, were said to be password protected but not encrypted.
Darling said the disks had been sent by a junior HMRC employee through a courier, but the package was not registered or recorded, a violation of HMRC policy.
When the disks failed to arrive, a second disk was sent by registered post, which did arrive at the NAO.
A police investigation was launched to find the missing disks, but officials tried to reassure residents that they are in no immediate danger of identity theft or other fraud.
"I regard this as an extremely serious failure by HMRC and appropriate steps are in place," Darling said. "There is no evidence of unusual activity and police have no reason to believe the data has fallen into the wrong hands."
He added that HMRC has now introduced changes in its security procedures and that "the government took the protection of personal data extremely seriously".
Calling the incident a "catastrophic mistake," Shadow Chancellor George Osborne asked: "What is the point of this House passing laws to protect people's private data if those laws are not followed by government?"
Industry figures were quick to condemn HMRC and the government.
Tom de Jongh, product manager at encryption specialist SafeBoot, said: "The responsibility must lie with the people in charge, and it is only right that Mr. Gray resigned. Under his leadership, mandatory security measures should have been in place to make sure these mistakes do not occur."
Greg Day, security analyst at McAfee, said that the loss of the data by HMRC served as "yet another example of the danger of putting sensitive information on an easy-to-lose format, such as disks, and the result of internal policies not being backed up by good security practice."
Jamie Cowper, director of European marketing at PGP, said: "These disks should never have been transported in the first place. Information of this type should only be transmitted using the strongest security protocols available, such as encrypted batch transfer. But more to the point, these details should not have been stored in this medium."