Two computer discs containing the personal details of every family in Britain receiving child benefit have gone missing after being posted by a junior official from HM Revenue and Customs to the National Audit Office. About 25 million people may be affected.
What kind of personal data is contained on the discs?
A frightening amount of information: names, addresses, dates of birth, child benefit numbers, national insurance numbers and bank or building society account details.
Was the information protected?
The discs are believed to be password protected but – to the amazement of security experts – the information was not encrypted.
Could someone use it to steal money from my bank account? Could I become the victim of identity fraud?
Both the Chancellor, Alistair Darling, and the police say there is no evidence that the discs are in the "wrong hands". Banks and building societies are monitoring suspicious transactions or banking irregularities. But the discs went missing four weeks ago and there is still no understanding of where they might be – or who might have them.
How will I know if I am affected?
The Inland Revenue says it will write to anyone it believes might be affected.
Should I close my account and change my security details?
No. So far there is no evidence of any suspicious activity. The details lost are also not sufficient to enable someone to access your bank account, as additional security information and passwords are always required. However, HMRC is advising people who use any personal data such as a child's name or date of birth in their password to change it.
Do I need to contact my bank or building society?
No, there is no need to contact them unless you see a transaction in your account that you did not authorise.
So what is the actual risk?
While the details in themselves will not enable anyone to access bank accounts, the information could help them to commit account takeover fraud, although more information would be needed. There is also a risk that the details could be used to set up credit agreements such as a credit card or loan or a mobile phone account in another name.
What should I do if I notice something unusual?
If you notice an unauthorised transaction from your account, contact your bank. If you discover an account has been opened in your name with a bank or other company that you have not had any dealings with, contact them and inform the police.
What happens if I am a victim of identity fraud?
If you are an innocent victim of identity or banking fraud as a result of this incident you will be protected by the Banking Code, which means you will not suffer any financial loss.
Did anyone experience any loss the last time something like this happened?
The loss is strikingly similar to an earlier incident in which a CD containing details on about 15,000 Standard Life pension customers was lost by the Revenue. It was sent by courier from the HMRC in Newcastle to Standard Life's Edinburgh headquarters but never arrived. Standard Life realised the disc was missing on 22 September, but it was more than four weeks before customers were told. However, the insurer's CD was encrypted, so would have been difficult for a fraudster to read. There have been no such assurances this time.
Can I bring a claim for compensation against the Revenue?
Yes, but only if your personal data has been put at risk and you have suffered damage or distress. You can ask the Information Commissioner to investigate your complaint but he cannot award any damages. If you want compensation, you will have to take your claim to court.
If I am in charge of personal information how can I ensure that I don't make the same mistakes as the Revenue?
The Information Commissioner advises companies to set up data-protection training for staff to ensure they are aware of their responsibilities under the Data Protection Act. Businesses must ensure all sensitive information is password protected and staff should have access to sensitive information only when it is relevant to their role. The IC also advises companies and public bodies to encrypt sensitive information stored on laptops before allowing them to leave business premises and make sure that databases can be downloaded only in tightly controlled circumstances.
Where can I get more advice?
HM Revenue and Customs has set up a child benefit helpline on 0845 302 1444.
What happens when you call?
You are placed in a queue. When you get through you, are asked to give your national insurance number.