Oh dear. Child support records bunged on disc and stuck in the internal post from HM Revenue & Customs to the National Audit Office. They didn’t arrive, and now the bank details, National Insurance numbers, names, addresses, and dates of birth of basically everyone in the UK with a child under 16 … are out in the open. Somewhere.
This in the same week that a Colossus has been working again. Ironic that we seem to know less about cryptographic data security now than we did sixty years ago.
We’ve just had a Treasury Secretary on the radio defending the forthcoming ID card concept as being a wholly different animal, since it’d be a new system, and not an old one like the Child Support set-up. While there’s some merit in that argument, what seems fishy is that this feels like a systems design issue, not an IT issue at all.
Records are (apparently) sent to the NAO unencrypted? Does the NAO really need all those bits of information, or would a partial set reduce the data exposure? How could ‘junior officials’ be in a position to ‘ignore security procedures’? Is plain-text data export just something that’s viewed as routine?
Remarkable.
And no, I’m not a data security expert. On the other hand, I did once build an end-to-end encrypted data collection website, and I’m not a complete twit on this stuff. Witness my decision to build that system myself, because the web security ‘experts’ I consulted were uniformly clueless. Ah. Bingo.
Some reports claim it is password protected – http://news.bbc.co.uk/1/hi/uk_politics/7103566.stm – but given the other comments I suspect it is not a good password…