ID theft alert

There should be only one of each of us



Serious data loss by HMRC

The loss of two CDs containing the confidential identity details of 25 million people including every child in the nation is a very serious incident demonstrating the complete incompetence of the management of Revenue & Customs where data security is concerned.

So what are the chances of this data being misused?

Well, that depends on where the CDs have gone. The probability is that they are stuck in an in tray or filing cabinet somewhere without having been recognised for what they are. If this is the case then we have nothing to be too worried about.

However, if they have been stolen from the mail and recognised for what they are, then they may well have been passed into the hands of criminals who will have the knowledge and resources to be able to misuse the data they contain.

How easy will it be to misuse the data?

The data is password protected but not encrypted. The password is not likely to pose much of a problem. An expert in file protection could either crack the password or re-write the data in a way that eliminates the password.

Probably a greater problem will be deconstructing the data. It will first be necessary to identify the file or database system used to write it and then to analyse the data byte by byte in order to work out what the bytes represent. For instance, if a string of bytes can be read as ordinary words - such as a name or address - then that presents little problem. But if, say, four or six bytes contain random bits with most of the ones towards the right of the block of bytes and most zeros to the left then it is probably a binary number. It will be easy to know what the absolute number is but what does the number represent? It could be anything from a date and time in floating point format to the number of children in the family, or a thousand other bits of information that HMRC may be keeping on the record. It will be very hard to tell. For example, 3940886733 is a number I have just taken from a string of eight bytes. It could be anything. It is actually the date and time I am writing this.

How will we know if our information is being misused?

First of all, it may be a long time before the data is misused, months or even years. So don't expect to see money being taken out of your bank account in the near future. In fact, loss of money from accounts is fairly unlikely.

By far the greatest risk is the possibility of identity theft - someone setting themselves up to look as though they are you, taking over your bank or other account, and obtaining credit, then leaving you with the bill. The first you are likely to know about what is happening will be when the bailiffs turn up to demand repayment.

What should I do to protect myself?

There are a number of basic things to do to reduce the risk of identity theft. The following list considers protection from all methods of ID theft, not just the loss of the HMRC data:

  • Use high quality passwords on your computer, particularly for online account access - minimum of eight characters, mixed upper and lower case letters, numbers and special characters where permitted. Don't use names, especially those of your family. Avoid obvious substitutions such as 1 or / instead of l, 0 instead of O.
  • Don't share passwords. This should be a dismissible offence in a contract of employment. It is not safe to do this even in a domestic environment.
  • Protect your computer with the usual firewall, virus checker and spyware remover.
  • Change the PIN numbers for your bank and credit cards if your present number has any relevance to any numbers in your basic identity information such as house number, dates of birth, etc. Ideally don't use the same PIN for all your cards.
  • Rigorously check all bank and credit card statements as soon as they arrive. Ensure that you still have all your cards in your possession. If your spouse/partner also has a card on the account check what they have been transacting. Call your bank and question anything that cannot be accounted for.
  • Check your credit record (see below).
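
The password rules in the first item of the list can be checked mechanically. The following is an added example, not part of the original article: the function name, the sample names and the sample passwords are constructed for illustration, and the name check undoes only the substitutions the list mentions (1 or / for l, 0 for O).

```python
import string

# Substitutions the list calls out as obvious: 1 or / for l, 0 for O.
UNDO_SUBSTITUTIONS = str.maketrans({"1": "l", "/": "l", "0": "o"})


def check_password(password, names, specials_permitted=True):
    """Return the rules from the list that the password breaks (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("no mix of upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if specials_permitted and not any(c in string.punctuation for c in password):
        problems.append("no special characters")

    plain = password.lower()
    undone = plain.translate(UNDO_SUBSTITUTIONS)  # reverse the obvious disguises
    for name in names:
        needle = name.lower()
        if len(needle) < 3:
            continue  # very short names match by accident too often
        if needle in plain:
            problems.append(f"contains the name '{name}'")
        elif needle in undone:
            problems.append(f"contains the name '{name}' hidden by an obvious substitution")
    return problems


if __name__ == "__main__":
    # Constructed sample data: family names and candidate passwords.
    family = ["Helen", "Colin"]
    for candidate in ["helen1975", "C0/in#Xq7", "Ab1!", "Tr4m&Vex!9qu"]:
        result = check_password(candidate, family)
        print(candidate, "->", result if result else "passes")
```

The second sample meets every character rule and still fails, because reversing the substitutions exposes a family name.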

Credit record checking

There are three credit checking companies in the UK (links below). In theory they should have the same information about us all but in practice they are often different, mainly because some finance houses use one or two and not another. The companies are often referred to as 'agencies', subtly implying that they are a branch of government - they are not; they are private or public companies independent of government other than for the regulations under which they operate, such as the Data Protection Act.

The companies record all major credit related arrangements that you have with banks and other financial organisations together with any court judgements against you. This will include information about mortgages, other bank loans, credit cards including store cards and financial judgements against you made in a county court (known as CCJs). You may find that the fact that you have a particular credit card is not noted. That's because you pay off your account regularly and on time! They also record all your attempts to obtain credit. Unsuccessful attempts (or even those where you decide not to proceed) are recorded. These records can seriously damage your future chances of obtaining credit so never apply for credit unless you really intend to take it.

By law you have to pay a fee of £2 to obtain your information from each company. Note that there are several other companies who will obtain your information for you but for a much greater fee. As it is so simple to get it direct I can't see why you would want to use these companies.

The credit checking companies are ...

Experian
Equifax
Callcredit

I suggest going on their web sites and looking at what you need to do to obtain your information. To be on the safe side you should probably inspect your files once a year and additionally if you ever suspect that any of your accounts has been compromised. In the latter case always call the bank first to look for evidence of compromise and to advise them of your concerns. If the bank doesn't take you seriously then move your account.


The author ...

... is a retired Information Security Manager. I give no warranty that the advice given will prevent your system from suffering from viruses, worms, spam, spyware, usage trackers, keyloggers, abuse or any unauthorised programs or macros of any kind introduced by any means. It must be accepted that the subject is not fully explored in this document and descriptions of problems and solutions are necessarily brief and incomplete. New security problems are regularly being discovered in PC operating systems and other software and users need to be constantly alert to the latest threats. Nor do I give any warranty regarding personal identification protection, use of social networking web sites, or calls to or from banks and finance houses. Neither do I take any responsibility for any third party web site nor for any products offered or supplied by those sites or any retail outlet or the companies promoting them. If in doubt ask for advice for your specific system or problem from a company offering such advice or service. Always follow the specific advice of hardware and software suppliers, banks and finance houses as appropriate.

© Copyright 2007 Tim Boddington