HMRC Data Breach...can we claim damages?
Comments
-
geordie_joe wrote: »The staff have to access the server as that is where the database is stored.
How do you mean "downloaded"? The computers obviously had the ability to burn files onto a CD as that is what happened.
Yes, staff have to access the servers, but this should always be through an application which can (and should) control access to data. Any SQL (or whatever) "select *" certainly shouldn't be generally available.
Easy enough to limit (or physically remove) recording devices (I remember being MSE many years ago by removing floppy drives instead of buying drive-locks). Yes it did happen, but should it..?
-
I don't think £90 is a silly amount to create a query.
Not when made as a sweeping statement.
To pay for the inhouse staff, with their management structure, their desks/chairs, their office space, the office space of their managers, training, pensions, annual holidays, sick leave, staff perks/benefits cost such as car parking/cafeteria etc .... that is probably about 3 hours' work.
So, say, 1.5 hours for the query/testing it/signing it off, half an hour to manage the request (receive it and hand it back), an hour over the lifetime of the query to amend it/talk about it/explain it, etc.... £30/hour - bit of a bargain!
-
But £2.25 million for a query returning (say) 25 million rows might explain a few things...
-
geordie_joe wrote: »The staff have to access the server as that is where the database is stored. If they can't access the server they can't update any records when things change. The data would have been restricted, but that just means if you don't need to access it to do your job you don't get access to it. If you do need to access it to do your job then you get access to it, no matter how junior you are.
How do you mean "downloaded"? The computers obviously had the ability to burn files onto a CD as that is what happened.
No, every government department I have worked for, and private company had a post book, later replaced by a database. This book/database would record all outgoing and incoming mail, what it was and who sent it etc.
Also they have the emails about the request, so they know who exactly posted the CDs. Unfortunately that poor person will bear the brunt for something they had no control over.
I worked for another gov dept, in the IT dept, when a private company took over our databases. It was the same one that is involved here and they scr*wed us rotten. They took over the administration of the databases, so we could do nothing with them except enter and edit records. Each time we needed to create a query to extract information they charged us £90. There was talk of them charging £90 for each 1000 records (or part of) the query returned before I left. This would have meant that if a query returned 1000 records or less we would be charged £90, if it returned between 1001 and 1999 records we would be charged 2 x £90 etc. If that was implemented then they would have been charged to run a query that returned 25 million records at a rate of £90 per thousand. It's no wonder that some higher up said "B*gger that, we can't afford it".
There's also a strong possibility that the tech people didn't have the skill to create the query in the first place, and so put a silly price on the job knowing it would not be accepted. I've had that happen many times.
Having said all that I do think the person sending the CDs should have sent them at least by recorded delivery. Although it is possible they didn't know what information the database contained.
If they only needed to know people's names and NI number to do the job it is possible they did not have access to other information the database held. Therefore they may not have realised that copying the entire database would mean they were also copying sensitive data.
When I was in the IT dept I created databases that only allowed users to see certain data depending on what user group they belonged to. As an example our personnel database held many details about our staff. Someone in the personnel group could see an employee's sick record, but never see, or even know that the database also contained their salary details. Someone in the finance group would see the person's salary but never see, or know, that the database also contained their sick records.
If the person who sent the CDs ever says they did not realise that the database contained sensitive information I for one would think that they are probably telling the truth.
What I meant are the everyday computers staff use to process information and complete admin tasks, the main body of information is not available for staff to burn onto cd's. Having worked as an IT floorwalker I am well aware of the dire company the IR/HMRC brought in to oversee the computers, I did have to deal with them and they were hopeless. I also worked in the post room and there was no log of post coming in, there was simply too much, it was allocated to the staff to sort according to relevant departments.
I was also a team leader and we would get thousands of pieces of post for just one group to work through, and there were six of these groups on my wing, most weeks one group would get upwards of 10,000 pieces of post, so that on average is around 60,000 pieces of post for just one wing and four wings on each floor, in a 19 floor building. So you can appreciate the amount of work coming in.
Also the nature of how much staff are leant on in the HMRC these days is awful, my friends say it is more like big brother and there are huge stress levels with staff illness very high, it is no wonder in these conditions something like this would happen, I am not excusing it. I do believe something dodgy is going on.
Siren
Keep Smiling
Eight words ye Wiccan Rede fulfill - An’ it harm none, Do what ye will.
-
Firstly, how are we covered by the banking code exactly?
Secondly, would everyone be so blasé and understanding if it was a bank, credit card or insurance company?
-
Firstly banks will generally refund any fraudulent activity, this is a provision under the banking code, in this case if it does happen the banks will claim it from the government. This is how I understand it, hth.
Secondly, no I don't think so, I'm appalled tbh, but not surprised, data breaches like this probably occur more than we are aware and I think companies etc are not infallible and there will always be errors.
Siren
Keep Smiling
Eight words ye Wiccan Rede fulfill - An’ it harm none, Do what ye will.
-
I don't think we're being understanding, but what do you do with an incompetent government (answer - vote them back in as long as house prices are going up).
All this crap is nothing new, it's just that bad news being heaped on bad news is finally overcoming the spin (oh, and house prices aren't going up by several zillion percent any more).
-
Back to the OP. You can only claim damages for an actual loss. And what have you actually lost?
It is not possible to claim damages for something that might happen.
Don't lie, thieve, cheat or steal. The Government do not like the competition.
The Lord Giveth and the Government Taketh Away.
I'm sorry, I don't apologise. That's just the way I am. Homer (Simpson)
-
Most people probably give out too much personal information every day without batting an eyelid, when making purchases, signing up for freebies / deals / sites, especially sites like Facebook. The information needed to commit fraud is much easier to come by than finding the discs that are probably buried underneath a pile of crap on someone's desk (yes, I am an ex civil servant lol)
-
The only claim that should be going on at present is off the assets and pension of Paul Gray. HMRC should be recovering any costs of the investigation from him instead of letting taxpayers foot the bill. Amazing that in this country we allow people at the top to resign with a fat pay off. What happens to responsibility? Ooh I screwed up..... I'm off with £2.5m.
The man without a signature.