Shostack + Friends Blog Archive


A quick comment on the UK lapse

Thanks to all the readers who have written to tell me about the HM Revenue and Customs breach in the UK. I’m on vacation at the moment, and haven’t had a chance to read in depth. However, example stories include the BBC’s “Pressure on Darling over records:”

Alistair Darling has apologised for the “extremely serious failure”, which has exposed all Child Benefit recipients to the threat of identity fraud.

and the Times Online’s “Moment’s blunder puts half the country at risk.”

In June, 2007, I wrote “It’s not all about ‘identity theft’,” and if you’ll indulge me, I’d like to repeat myself:

Data breaches are not meaningful because of identity theft.

They are about honesty about a commitment that an organization has made while collecting data, and a failure to meet that commitment. They’re about people’s privacy, as the Astroglide and Victoria’s Secret cases make clear.

The issue here is not ID theft risk. The data in the CDs don’t lead to that. The issue is a massive breach of public trust by Her Majesty’s government, and over that, people are rightly outraged.

[Update: I may have spoken too soon on the question of “can this data lead to ID theft in the UK.” See the comments.]

5 comments on "A quick comment on the UK lapse"

  • Chris says:

    When you say that losing name, address, date of birth, National Insurance number and, where relevant, bank details is not the issue, do you mean to say that ID theft will not happen to substantial numbers of people as a direct result of this, or do you mean that the privacy loss is, ipso facto, a big deal?
    I am with you on the latter, but I think the former is also true.
    As a side note, I am curious whether the names of the children (who, I presume, are a necessary precondition for a Child Benefit) were also released.

  • Adam says:

    I meant the latter.
    I don’t see how having those details leads to ID theft. How can I either take over an account or open a new one with only that information?

  • Chris says:

    The Times Online’s link says:
    “Experts in identity theft have warned that sophisticated fraudsters might never touch existing accounts, but use the data to obtain credit cards and loans.”
    Certainly the US equivalent of this information would be useful for ID theft, and I suspect the risk about which the British media are primarily concerned is fraud rather than loss of privacy. Therefore, I conclude that ID theft is a real concern. This does not (let me repeat — NOT) mean that the privacy issue isn’t there. It is.
    Face it. We’re both right :^)

  • Lyger says:

    I agree with Adam’s comment about public trust, but we also might need to consider current identity verification processes in both the US and UK. Depending on which financial institutions you deal with, you may be asked various “verification” questions (either online or on the phone) to “verify” your identity. Social Security number, date of birth, and/or account number may be used. In more lame cases, just the *month* of birth or *city* of birth may be used (don’t ask me how I know this *cough*). If Joe Public can find it in a phone book, is it really “private”? If you have a one in twelve chance of answering a “verification” question correctly, is that an acceptable security measure? I’d say that the HMRC breach could be exploited, but chances are more likely that the CDs are under someone’s desk or being munched on by mice and roaches in some deep dark corner…
    Just food for thought. ID theft versus simple trust. I’d go with trust as being more important.

  • Adam says:

    I’ve updated the main article, but my assumption was that national ID != SSN for purposes of identifying & authenticating you.

Comments are closed.