A catalogue of errors by HM Revenue and Customs left more than 25 million Britons potentially at risk from identity fraud.
The latest revelation that the entire Child Benefit database containing details of 25 million people has gone missing, comes just days after it emerged the Revenue had also lost a CD containing information on thousands of Standard Life customers.
The Child Benefit data was sent to the National Audit Office but never arrived, and the loss was not reported for three weeks. Chancellor Alistair Darling admitted the details should never have been sent. He said police were investigating, but stressed that so far there was no evidence the data had fallen into criminal hands, adding that banks were closely monitoring the situation to minimise the risk of any fraud.
The loss is strikingly similar to an earlier incident in which a CD containing details on around 15,000 Standard Life pensions customers, including their names, National Insurance numbers, dates of birth and other personal details, was lost by the Revenue.
It was sent by courier from HMRC’s offices in Newcastle to Standard Life’s Edinburgh headquarters but it failed to arrive. The CD contained enough information for a fraudster to be able to commit identity fraud and apply for credit and even benefits in the customers’ names if it fell into the wrong hands.
Standard Life realised the disc was missing on September 22, but it was more than four weeks later that it sent out letters to all of its customers warning them to be vigilant to the threat of identity theft.
However the insurer stressed today that the CD was encrypted, so would have been difficult for a fraudster to read.
It added that it had tracked all of the policies that had details contained on the CD and none of them had any suspicious activity carried out on them.
It is believed that the Standard Life CD was not the first one sent by the Revenue to go missing, and a second CD containing personal data from another firm is also thought to have gone astray.
In August, a laptop was stolen after being left overnight in the car of an HMRC official, it contained data on around 400 people who had ISA investments.
The Conservatives today said HM Revenue and Customs had admitted that 41 laptops had been stolen during the 12 months to the end of September.
The information, which came in response to a Parliamentary question, also revealed that 16 of the laptops were stolen when HMRC offices were broken into.
In May around 42,000 families receiving tax credits were also sent incorrect notices about the benefit due to a faulty printer, and it is thought around 8,000 of these had their bank account details revealed to other people. All of these incidents could have led to people being victims of identity theft.
Responding last night to a report on the loss of the Standard Life CD, Paul Gray - who quit today as chairman of HMRC - told BBC One’s Watchdog: "We take the security of customer information very seriously, and our priority is to protect the data of all our customers.
"If problems do occur, we make every effort to put the situation right as soon as we can. In the cases mentioned, we have written to all customers concerned and where appropriate have put in place measures to check customers’ records for any fraudulent activity."
Banking industry body APACS said banks were informed about the missing child benefit data on Friday, and they immediately took steps to help prevent customers’ bank accounts being affected.
Paul Smee, APACS chief executive, said: "Whilst this incident is extremely serious, at this stage customers should not be unduly concerned, as there’s no evidence that the data has fallen into criminal hands.
"As part of its usual procedures the banking industry has done all it can to protect its customers accounts and will continue to do so.
"In the event that anyone is the innocent victim of fraud as a result of this incident customers can have peace of mind that they enjoy protection under the Banking Code which means that you should not suffer any financial loss as a result."
He added that a sort code and bank account number, national insurance number, date of birth, and name and address details were not enough on their own for a fraudster to access someone’s bank account as additional security information and passwords were always required.
But he urged consumers to remain vigilant and check their bank accounts for any unusual activity.