Lost: the personal details of 25 million people

Who decided to post two discs with personal and financial details of 25 million people by unregistered delivery?
What has become of the missing discs and could they have fallen into the hands of fraudsters?
Why did the Government wait 10 days before telling the public what had happened?
Where will the buck stop after the revenue chief’s resignation?
When can the British people be sure once again that their money is safe in their bank accounts?


Seven million families are having to make urgent checks on their bank accounts today after the biggest security blunder in history led to the personal details of 25 million fathers, mothers and children being lost by the Whitehall department responsible for all tax and benefits.

The head of HM Revenue and Customs, Paul Gray — one of the country’s most highly paid civil servants — resigned his £198,000-a-year post as the scale of the fiasco became clear.

But the Prime Minister and his embattled Chancellor, Alistair Darling, were counting the cost to their own reputations last night as the disaster left them looking accident-prone and open to opposition charges of incompetence.

The news that a package containing the personal details of every family in Britain with a child under 16 had gone missing in the post was greeted with astonishment and anger when it was revealed to MPs by the Chancellor.

It could not have come at a worse time for Mr Darling, who just 24 hours earlier had come under sustained attack from the opposition after admitting that taxpayers’ money could be at risk in the £24bn rescue of Northern Rock.

Damaging as that crisis has been for the Government, the political fallout from the loss of millions of families’ personal data could prove even more far-reaching. Gleeful Tories, urging the Chancellor in the starkest of language to “get a grip”, were comparing it to John Major’s hapless last days in power.

There was an audible intake of breath in the Commons as Mr Darling told MPs that two discs containing the details of all child benefit recipients, records for 25 million individuals and 7.25 million families, had been lost.

The records included the recipient’s name and those of their children, their addresses and dates of birth, child benefit numbers, national insurance numbers and, where relevant, bank or building society account details — all the facts that fraudsters need to illegally remove money from banks.

They are the details that families are regularly being warned by the Government not to reveal to potential fraudsters. And they would be worth a fortune on the black market.

A junior official from HM Revenue and Customs had sent the discs to the National Audit Office at the NAO’s request on 18 October by the HMRC’s internal post, run by the courier firm TNT, even though it was in clear breach of the department’s rules governing the release of such sensitive information and may have been in breach of data protection regulations.

The NAO, realising it had not received the data, ordered a further copy to be sent by HMRC. This time it was sent by registered post and did arrive.

It was only on 8 November, almost three weeks after the first discs were posted, that senior HMRC officials were told they were missing. They informed the Chancellor on 10 November, a Saturday. Hardly believing his ears, the Chancellor ordered “comprehensive searches to be carried out of all premises where the missing data might be found”. He decided that the breach of security was so grave that he had to tell the Prime Minister immediately.

On 12 November, Mr Gray told Mr Darling that evidence might have been found of the route taken by the data and that the discs were likely to be recovered. However, two days later, those hopes were dashed when the HMRC chairman admitted that the internal searches had failed to trace the discs. The Chancellor ordered Mr Gray immediately to call in the Metropolitan Police to conduct a full investigation to find the missing package.

That inquiry was still under way yesterday. The police say they are confident no crime was involved.

Mr Darling told the Commons: “Our priority is to find this data. Searches continue to be carried out, including of the HMRC and NAO premises. Staff are being interviewed but so far the missing data has not been found.”

It is not the first time that data has gone missing from the HMRC. The Information Commissioner was already investigating two earlier breaches by the department. In September, an HMRC employee reported that his laptop had been stolen from his car. The laptop contained customer details from about 15 financial institutions. The information was encrypted but the computer bag contained print-outs of some individuals’ data.

And in October, the HMRC sent a CD via courier to Standard Life but the disc was lost en route. The CD was not encrypted and contained details of 15,000 Standard Life customers, including names and national insurance numbers.

For 10 days, the Government has been sitting on the news, knowing that when it came out there would be outrage mixed with deep anxiety. Last week, major clearing banks were secretly warned by the Government that there was a potential security breach. They were asked to make sure there had been no sudden surge in raids on personal bank accounts, evidence that the nightmare scenario — the discs falling into the hands of organised crime syndicates — had happened. On Monday, the Chancellor was told by the banks that they had found no trace of accounts being raided. That was the assurance he needed before a public announcement could be made.

George Osborne, the shadow Chancellor, urged Mr Darling to take control of the crisis. “Never mind the lack of vision; just get a grip,” he said. “Let us be clear about the scale of this catastrophic mistake — half the country will be very anxious about the safety of their family and the security, and the whole country will be wondering how on earth the Government allowed this to happen.”

Fall from grace of a dependable civil servant

Bearded and bespectacled, sober and sensible, Paul Gray was known throughout the Civil Service as trustworthy and dependable. But that reputation was dealt a huge blow when he was held responsible for the biggest blunder in British data protection history. Although many MPs believe he has been made the “fall guy” for the incompetence of others, there was little doubt that the head of the chairman of HM Revenue and Customs would have to be the first to roll. Mr Gray, 59, who is married with two sons, was one of the 300 highest-paid civil servants, earning £198,000 a year. It is likely he will keep his pension but the Cabinet Office said yesterday he would not receive a special resignation package. Mr Gray joined the Treasury in 1969 and rose steadily through the ranks to become the economic affairs private secretary to the Conservative prime minister, Margaret Thatcher. When she quit in 1990, he returned to the Treasury to work on monetary policy. He then became head of personnel and central services. In 1998, Mr Gray joined the Department of Social Security as head of policy, before becoming second permanent secretary for pensions and disability in the Department for Work and Pensions. He oversaw the merger of the former DSS, the Employment Service and parts of the Department for Education and Employment, which made him the ideal choice to head the merged Inland Revenue and Customs and Excise departments when the HMRC was established by Gordon Brown in 2004.

Mr Gray, a Leicester City football fan, keeps a small flock of Wensleydale sheep. He will now have a lot more time to tend them.

Colin Brown