UK Government Breach Exceeds Original Estimates

Officials may have lost eight more storage disks containing personal information on British citizens

After losing two computer disks containing personal information on some 25 million British citizens, sources in the U.K. government now say there are another eight disks unaccounted for.

According to a report in the London Times, there are actually 10 missing discs: the two originally reported lost in the mail from offices in Washington, Tyne and Wear, to the National Audit Office in London; and now six reported lost in transit from tax offices in Preston. The disks were not registered properly or encrypted, leaving them open to fraudsters.

Staff from the Washington, Tyne and Wear, office are searching for another disc that contains "limited but sensitive" information related to child benefit claimants. Yet another, with the tax details of several hundred people appealing against previous Revenue & Customs decisions, is also being sought.

The government was forced to begin a separate investigation last night after a businessman claimed that he had received in the mail two discs containing highly sensitive information about judges, barristers, and solicitors.

Authorities already had been forced to begin a second investigation when a U.K. government contractor said he was in receipt of two disks containing personal information on officials and attorneys in the British judicial branch, the Times reports.

Frank Milford, whose company was hired in 2006 by the Department of Constitutional Affairs to overhaul its administration, said he had asked for a list of its suppliers. He received a package from a firm called Liberata, which handled the department’s finances, containing two discs listing personal details of every person, business or company paid by the department over the past five years. He told The Sun newspaper that the discs were neither encrypted nor password-protected.

While government officials wrestle to determine the extent of the data loss, they also are backtracking on statements that were made by the prime minister and others when the breach came to light last week. In those initial statements, the officials blamed the breach on a junior official who broke the rules by sending sensitive data via the U.K. postal service. (See UK Government in Uproar Following Data Loss.)

But in a separate report, the Times reported that British government agencies routinely send data through the mail, and that the junior official was following what he believed to be standard procedure.

The breach has launched a virtual feeding frenzy in the U.K., as journalists, investigators, and government officials continue to turn up other questionable events and practices that may have jeopardized citizens' privacy. A leaked document from the U.K. Department of Health suggests that the British government is considering allowing patient health records to be used by approved organizations overseas, and a planned database of personal information about U.K. children is now in jeopardy, according to a report.

U.K. citizens' private details are on as many as 600 private and public databases, often without their knowledge, a study will reveal next month. The study, compiled by thinktank Demos, will say that new laws and procedures are needed to protect people's privacy.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.