On Tuesday Nov. 20 the British government disclosed a staggering breach of data privacy as the result of the loss of two CDs that a junior tax official attempted to send to the National Audit Office by courier. The NAO never received the disks, and they remain lost. The Guardian reports that the disks contained the unencrypted personal information of 25 million citizens, “including their dates of birth, addresses, bank accounts and national insurance numbers…opening up the threat of mass identity fraud and theft from personal bank accounts."

Whether this was the worst data breach in history is a matter of the criteria one applies. As this New York Times article explains, last year’s leak of veterans’ Social Security numbers affected 26.5 million and a former America Online engineer stole information belonging to 92 million people. However, the British breach was shocking not merely for the sheer numbers involved, but the proportion of the population and the nature of the information and its potential for harm.

The incident has created significant political turbulence in the U.K., including calling into question the efforts of the Labor government to institute mandatory national ID cards, which require individuals to disclose sensitive personal information. Responding to Labor Prime Minister Gordon Brown’s apology yesterday, Tory shadow chancellor George said that "Public confidence in the government and its ability to protect information has been destroyed." The otherwise well-regarded head of the tax agency, Sir Paul Gray, resigned Tuesday.

Whatever this means for the British government and governments in general, the incident once again sounds the general alarm about the vulnerability of private data that individuals choose to or are forced to disclose to supposedly responsible parties. And it shows once again that clever security measures focused on defense against malice may be inadequate in the face of official arrogance, laziness, stupidity and plain incompetence.

The effectiveness of security safeguards depends on the compliance of those with access to sensitive data, as emphasized by Dr. Mirielle Levy, head of identity management standards at the U.K.’s Identity and Passport Service (quoted in the ID card story linked above): “You can have all the virus checkers and pretty IT you want, but the real problem is people.”

This is a public forum. CMP Media and its affiliates are not responsible for and do not control what is posted herein. CMP Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in the message center do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this forum becomes the property of CMP Media LLC and may be edited and republished in print or electronic format as outlined in CMP Media's Terms of Service.

Important Note: The Message Center is NOT intended for commercial messages or solicitations of business.