
Anatomy of a Breach: HMRC and the 25 Million Records Lost in the Post

> series: anatomy_of_a_breach —— part: 001 —— target: hmrc —— records_lost: 25,000,000 —— method: royal_mail

Hedgehog Security 31 January 2009 13 min read

Two CDs. Twenty-five million people. Lost in the post.

In October 2007, a junior employee at HM Revenue and Customs in Washington, Tyne and Wear, copied the entire child benefit database onto two CDs, placed them in an envelope, and sent them through TNT's unregistered internal mail service to the National Audit Office in London. The CDs never arrived. They have never been found. The data on those discs — the names, addresses, dates of birth, National Insurance numbers, and bank account details of approximately 25 million people, covering 7.25 million families — represented nearly half the UK's population.

This is the breach that changed UK data protection. It led to the resignation of HMRC's chairman Paul Gray, a full Parliamentary inquiry, the Information Commissioner being granted the power to issue monetary penalties, and a fundamental reassessment of how the UK Government handles personal data. And it happened not because of a sophisticated cyberattack, but because of a failure in the most basic security controls imaginable.



The timeline of a catastrophic failure.

HMRC Data Loss — Timeline
── March 2007 ─────────────────────────────────────────────
NAO requests full child benefit database for audit
First transfer: CDs sent by registered post — arrived safely
Precedent established: bulk data transfer via physical media

── 2 October 2007 ─────────────────────────────────────────
NAO requests another copy of the database

── 18 October 2007 ────────────────────────────────────────
Junior HMRC employee copies entire database to two CDs
CDs 'password protected' using WinZip v8 (trivially breakable)
Data NOT encrypted — password protection is cosmetic only
CDs sent via TNT unregistered internal mail — NOT recorded post

── 24 October 2007 ────────────────────────────────────────
NAO reports CDs have not arrived
Junior employee simply makes another copy and resends
This time via registered post — second set arrives safely

── 8 November 2007 ────────────────────────────────────────
Loss formally raised as security incident
Senior HMRC management informed for the first time

── 10 November 2007 ───────────────────────────────────────
Chancellor Alistair Darling informed

── 20 November 2007 ───────────────────────────────────────
Chancellor makes statement to the House of Commons
HMRC Chairman Paul Gray resigns
Public disclosure — 33 days after CDs went missing

What was on those CDs.

The two discs contained the complete child benefit database — every family in the United Kingdom claiming child benefit. The data included the names and addresses of approximately 9.5 million adults and 15.5 million children, dates of birth for all children, National Insurance numbers for all adult claimants, and bank or building society account details for the parents. For 2.25 million 'alternative payees' (partners and carers) and 3,000 appointees claiming under court instructions, the data was equally comprehensive.

The 'password protection' applied to the CDs was WinZip version 8's built-in encryption — a proprietary scheme with well-known attacks that anyone with basic technical competence could break using freely available tools. WinZip version 9, released years earlier, had introduced AES encryption that would have provided genuine protection. The choice of WinZip 8 was not a deliberate security decision — it was simply what was installed on the machine.


How this was allowed to happen.

The Poynter review, commissioned by the Chancellor and conducted by PricewaterhouseCoopers, concluded that the breach could not be blamed on a single junior employee. The failures were systemic — a culture that treated data handling as an administrative inconvenience rather than a security responsibility.

No Data Minimisation

The NAO had asked HMRC to filter the data before sending it — to remove bank details and National Insurance numbers that were not needed for the audit. HMRC refused, citing the cost of extracting a subset as being £5,000. The entire unfiltered database was sent instead, because it was cheaper. A £5,000 cost avoidance decision exposed 25 million people's financial data.

No Encryption

The data was not encrypted. The CDs were 'password protected' using a trivially breakable compression tool. HMRC's own encryption policies existed but were not enforced for this type of transfer. The data protection manual was itself classified and restricted to senior staff — the junior employees actually handling the data had only a summary.

No Secure Transfer Process

There was no established, secure process for transferring bulk personal data between government departments. The CDs were sent through an unregistered internal mail service — the same mechanism used for routine correspondence. No tracking, no signature, no chain of custody.

No Access Controls on the Database

A junior employee was able to download the entire child benefit database — 25 million records — onto removable media without any oversight, approval, or technical control preventing it. There was no audit trail, no authorisation requirement, and no technical restriction on bulk data export.
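Three of the four failures above, data minimisation, encryption and chain of custody, are mechanical enough to show in code. The Go program below is an added example written for this article; it is not HMRC's, the NAO's or the Poynter review's tooling. It keeps only the columns the recipient needs from a constructed sample dataset (the column names are assumptions, not HMRC's schema), seals the result with AES-256-GCM so that a lost disc is unreadable and a tampered one fails to open, and produces a SHA-256 manifest that the sender would communicate separately so the recipient can confirm the same artefact arrived.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/csv"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Constructed sample dataset; column names are assumptions, not HMRC's schema.
const sampleDB = `claimant_name,address,child_dob,ni_number,sort_code,account_number
A. Example,1 Sample St,2003-04-12,AB000000C,00-00-00,00000000
B. Example,2 Sample St,2005-09-30,AB000000D,00-00-00,00000001
`

// auditColumns is the subset the recipient actually needs; NI numbers and
// bank details never leave the source system.
var auditColumns = []string{"claimant_name", "address", "child_dob"}

// Minimise writes out only the named columns of a CSV dataset, in that order.
func Minimise(csvData string, keep []string) (string, error) {
	r := csv.NewReader(strings.NewReader(csvData))
	header, err := r.Read()
	if err != nil {
		return "", err
	}
	pos := map[string]int{}
	for i, h := range header {
		pos[h] = i
	}
	idx := make([]int, 0, len(keep))
	for _, k := range keep {
		i, ok := pos[k]
		if !ok {
			return "", fmt.Errorf("column %q not in dataset", k)
		}
		idx = append(idx, i)
	}
	var out strings.Builder
	w := csv.NewWriter(&out)
	w.Write(keep)
	for {
		rec, err := r.Read()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", err
		}
		row := make([]string, len(idx))
		for j, i := range idx {
			row[j] = rec[i]
		}
		w.Write(row)
	}
	w.Flush()
	return out.String(), w.Error()
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM; the random nonce is prepended.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; any modification of the sealed bytes fails authentication.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Manifest is the SHA-256 of the sealed file, sent by a separate channel so the
// recipient can confirm the artefact that arrived is the one dispatched.
func Manifest(sealed []byte) string {
	sum := sha256.Sum256(sealed)
	return hex.EncodeToString(sum[:])
}
```

The key is the part that must never travel with the disc: a 32-byte key generated with `crypto/rand` and exchanged out of band is what separates this from a WinZip password written on the covering letter. The £5,000 subset extraction HMRC declined is the `Minimise` call.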

The vulnerabilities that testing would have caught.

This breach did not involve a sophisticated cyberattack — but the underlying security failures are exactly the type of systemic weaknesses that a thorough infrastructure penetration test and security assessment would identify. Had HMRC commissioned a security review of their data handling processes before this incident, the following would have been flagged.

| Vulnerability | What Testing Would Have Found |
|---|---|
| Unrestricted bulk data export | An internal penetration test would have demonstrated that any user with database access could export the entire dataset to removable media without technical controls or audit logging. This is a fundamental access control failure. |
| No encryption on removable media | A build review would have identified that devices used for data handling lacked enforced full-disk encryption and that removable media policies were not technically enforced — only documented in a restricted-access policy manual. |
| Inadequate data classification | A security assessment would have identified that 25 million records of personal financial data were not classified, labelled, or subject to handling controls proportionate to their sensitivity. |
| No data loss prevention | The absence of any technical mechanism to detect or prevent bulk data being copied to removable media would have been identified as a critical gap. Modern data loss prevention solutions detect exactly this type of activity. |
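The last row of the table is the one that would have fired on 18 October 2007. As an added example, not part of the original article and not the logic of any particular DLP product, the Go program below shows the shape of that detection: it parses constructed database-export audit lines in an assumed `timestamp|user|table|rows|target` format and raises one alert per user for any export to removable media, and another for any user whose exported rows within a sliding time window exceed a threshold. The sample lines, user names and thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// ExportEvent is one record from a database-export audit log. The format and
// field names are assumptions for this example; real audit sources differ.
type ExportEvent struct {
	When   time.Time
	User   string
	Table  string
	Rows   int
	Target string // "removable:<drive>" or "share:<path>"
}

// Alert is raised once per user and reason, with the row count that triggered it.
type Alert struct {
	User   string
	Reason string
	Rows   int
}

// Constructed sample lines: timestamp|user|table|rows|target
const sampleLog = `2007-10-18T09:02:11Z|jclerk|child_benefit|12000000|removable:E:
2007-10-18T09:41:53Z|jclerk|child_benefit|13000000|removable:E:
2007-10-18T10:15:00Z|analyst1|child_benefit|250|share:audit-out
2007-10-18T11:00:00Z|analyst1|child_benefit|400|share:audit-out
2007-10-18T11:05:00Z|dba|child_benefit|10|removable:F:
`

// ParseLog turns the pipe-separated lines into events, skipping blank lines.
func ParseLog(raw string) ([]ExportEvent, error) {
	var events []ExportEvent
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		f := strings.Split(line, "|")
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		rows, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, err
		}
		events = append(events, ExportEvent{when, f[1], f[2], rows, f[4]})
	}
	return events, nil
}

// Detect flags every user who exported to removable media at all, and every
// user whose exported rows within any window of length `window` exceed
// rowThreshold. Users are processed in sorted order for stable output.
func Detect(events []ExportEvent, rowThreshold int, window time.Duration) []Alert {
	byUser := map[string][]ExportEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users)

	var alerts []Alert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })

		removable := 0
		for _, e := range evs {
			if strings.HasPrefix(e.Target, "removable:") {
				removable += e.Rows
			}
		}
		if removable > 0 {
			alerts = append(alerts, Alert{u, "removable_media", removable})
		}

		// Two-pointer sliding window over the time-ordered events.
		peak, sum, start := 0, 0, 0
		for end := range evs {
			sum += evs[end].Rows
			for evs[end].When.Sub(evs[start].When) > window {
				sum -= evs[start].Rows
				start++
			}
			if sum > peak {
				peak = sum
			}
		}
		if peak > rowThreshold {
			alerts = append(alerts, Alert{u, "bulk_export", peak})
		}
	}
	return alerts
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, 1_000_000, time.Hour) {
		fmt.Printf("ALERT user=%s reason=%s rows=%d\n", a.User, a.Reason, a.Rows)
	}
}
```

On the constructed sample, `jclerk` trips both rules (two exports to drive E: totalling 25,000,000 rows within 40 minutes) and `dba` trips only the removable-media rule; the analyst writing a few hundred rows to a network share is not flagged. The removable-media rule fires on a single row because the destination, not the volume, is the policy violation; the volume rule catches exports to destinations the policy does allow.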

What changed because of this breach.

The HMRC data loss was a watershed moment for UK data protection. The immediate consequences included the resignation of HMRC's chairman, a PricewaterhouseCoopers review of HMRC's data handling, and a Parliamentary inquiry that questioned the viability of every large government database programme — including the proposed national identity register and the NHS National Programme for IT.

The longer-term impact was more significant. The breach directly led to the Information Commissioner being granted the power to issue monetary penalties for data protection failures — a power that did not exist before this incident. It established the principle that losing personal data through negligence is not just embarrassing but punishable. It forced the UK Government to implement encryption on removable media, restrict bulk data transfers, and establish data handling procedures that had been absent. And it planted the seed that grew into the UK's current data protection enforcement regime.


What this breach still teaches us.

Seventeen years later, the HMRC breach remains relevant because the root causes — data minimisation failures, absent encryption, unrestricted data export, and a culture that treats data handling as someone else's problem — still appear in our penetration testing engagements with alarming regularity. The technology has changed, but the human and process failures have not.

If your organisation handles bulk personal data — customer records, employee information, financial details — ask yourself: could a single employee export your entire database to a USB drive right now? If the answer is yes, or 'I do not know', you have the same vulnerability that HMRC had in 2007. The difference is that today, the consequences of a breach are far more severe — GDPR fines, mandatory breach notification, and a public that has far less tolerance for negligence than it did in 2007. Continuous monitoring through a service like SOC in a Box detects bulk data export in real time — the capability that would have caught this breach before the CDs ever reached the post room.


Do not wait for your own HMRC moment.

Our <a href="/penetration-testing/infrastructure">penetration testing</a> identifies the access control failures, missing encryption, and data handling gaps that lead to catastrophic data loss. Our <a href="/cyber-essentials">Cyber Essentials certification</a> establishes the baseline controls, and <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring that catches data exfiltration before it becomes a headline.
