I resisted writing about the British Tax Authorities’ blunder disclosed last week when they lost two CDs full of sensitive information (bank accounts and social benefits information) of 25 million UK families. The story received enough mainstream press attention and I was afraid that many of our readers are starting to suffer from "breach fatigue" - hearing all too often about security breaches and missing personal information.
The fundamental reason why the breach occurred is all too common these days - e-mails released by the U.K.’s National Audit Office have confirmed that officials at the Revenue and Customs did not want to remove sensitive information from child benefit data sent to the auditors because doing so would cost extra (although some experts have said that "sanitizing" the data could have cost less than the equivalent of $10,000).
Anyway, I could not resist writing about the recent development from the UK for a different reason. As a response to the initial breach, the Revenue & Customs decided that it owed an apology to the families affected by the breach. So it decided to mail them a personalized apology letter. The letter, however, was too personalized - it included name, address, national insurance and child benefit numbers. The information contained in this letter is all that is needed by identity thieves to open bank accounts, claim benefits or even apply for passports on behalf of somebody else.
The UK authorities urge people who received the letters to destroy them after receiving and reading them. But there are a large number of families who will never receive theirs - either because they moved or because somebody ‘conveniently’ picked the letter out of their mailbox on their behalf.
So what follows next? A second apology letter to apologize for the loss of the CDs and the first apology letter? No, instead the Revenue & Customs authorities are shifting the blame to the concerned citizens who did not receive the letter by saying that they should have updated their mailing address.