
The 25 Million ‘Lost’ Records and Other UK Data Losses

So, Her Majesty’s Revenue and Customs (HMRC) decide to send the National Audit Office (NAO) the details of 25 million people on a couple of “password-protected” discs which then go missing during transit via a third-party courier. Fair enough, no bad feelings. [Story]

These details include the names, addresses, bank details and national insurance numbers for all members of the 7.25 million households that have a child under the age of 16. That’s just under half of the population – pretty impressive really.

Moral of the story? Don’t trust a man with eyebrows like this (Alistair Darling, right). No, seriously – don’t.

So without further ado I present you with my latest compilation: ten more UK data loss incidents from recent history, courtesy of The Register:

  • 400 passport details and addresses lost by HMRC (2007)
  • All 11 million customers of the Nationwide Building Society had their “confidential customer data” lost (2007)
  • 15,000 names, addresses, DoBs, national insurance numbers and pension details of policy holders from Standard Life lost by HMRC (2007)
  • 26,000 Marks and Spencer staff members’ salary details, addresses, dates of birth, national insurance and phone numbers lost (2007)
  • 500 Eden Project staff had their (undisclosed) data lost by Moorepay (2007)
  • An undisclosed number of confidential medical records were discovered on hard drives sold on eBay (patients from Dudley NHS Trust) (2007)
  • 11,000 children treated or born in a Nottingham Hospital had their records lost (2007)
  • 15,000 Met Police Officers had their payroll and pension data lost by LogicaCMG (2006)
  • “70 Top Secret Files” from the Ministry of Defence were found on a laptop at a landfill site. These included terrorism contingency plans for MoD bases (2005)
  • 1,354 government computers (594 by MoD) “stolen or mislaid”. Unknown/undisclosed data (1997 – 2002)

Many of the above have one thing in common: when they were first announced, the question of whether or not the data was appropriately encrypted was usually avoided, typically on the grounds that even discussing the issue would be a security risk.

I have two problems with this: one, whoever has the data already knows if it is encrypted or not; two, if it is encrypted, telling us that it’s encrypted doesn’t suddenly make it easy for the criminals to break into the data. If it’s encrypted, it’s encrypted. That’s all there is to it and therefore your data is safe. This leads me to one conclusion: it’s not encrypted. (See also: “UK’s Privacy Chernobyl” – Bruce Schneier’s recent post.)

As a side note, has anyone else noticed how the comic Steve Martin (above, left) looks strangely similar to Alistair Darling? Are they related? If so, all is forgiven: give us a joke.