How exactly do you lose a database?
It was early November 2007, and I was at my desk at HM Treasury. I don’t remember exactly what I was working on at the time – probably fighting a losing battle to stop extremely wealthy people avoiding inheritance tax or some such. I do, however, remember thinking that something must be afoot when a couple of super senior people from HM Revenue & Customs unexpectedly dashed across our open-plan office.
The second floor at 1 Horse Guards Road is home to the Treasury teams responsible for tax & welfare policy, the teams that run the annual Budget process, and the department’s press office. It has the highest ceilings and biggest windows of all the floors in the building, so it’s also where all the Ministerial offices are.
We were used to seeing folk from HMRC visiting Ministers when the Budget and Finance Bill were in full flight. But this wasn’t one of those times. And they looked stressed.
A little later on we found out why: they had come to tell the Chancellor of the Exchequer that someone in their department had accidentally lost the entire Child Benefit database.
This sounded bad. But how bad exactly? And how do you lose a database?
The answer to the first question turned out to be pretty staggering. HMRC administer Child Benefit for the whole of the UK, and so the database that had been lost contained the personal information of 25 million people: names, addresses, dates of birth, bank account details and National Insurance numbers.
As for the second question… it turns out you lose a database by burning it onto two CD-ROMs and sending them by unrecorded delivery, only for them never to arrive at their intended destination.
Before long I found myself in one of the Ministers’ offices, explaining the security options in WinZip to their team. It turned out later that the files on the CDs were zipped but not strongly encrypted (support for AES encryption was added by WinZip 9.0 in 2004, but HMRC were still using WinZip 8.1).
The Chancellor went on to order a search of all the premises where the discs might conceivably be found. In the end the police were called in, the Chairman of HMRC resigned, the government wrote to millions of families about the data loss, and the Prime Minister apologised to the House of Commons.
The following summer an independent review concluded that the loss had been “entirely avoidable”.
And as for the discs themselves? Thirteen years have passed, and their whereabouts remains a mystery.