ARCHIVE
ID Number: G00153682



This research is provided for historical perspective;
portions of this document may not reflect current conditions.






Data Loss Could Have Huge Impact on U.K. Banking Industry
20 November 2007
 
Avivah Litan  

The U.K. tax agency may have lost sensitive information on as many as 25 million individuals. If this information falls into criminals' hands, U.K. banks could be forced to take enormously expensive emergency measures.













News Analysis




Event

On 20 November 2007, HM Revenue & Customs (HMRC), the U.K.'s tax and excise agency, acknowledged that it has lost computer disks containing large amounts of confidential information, including names, addresses, dates of birth and bank account information. The missing disks — which apparently were lost while being transported — may include information on as many as 25 million individuals, including recipients of child benefits.




Analysis

The news of this huge government data breach — which is highly reminiscent of the 2006 loss of a U.S. Veterans Administration (VA) notebook computer containing confidential information on more than 25 million individuals — will not be taken lightly by the privacy-sensitive British public. The new loss may be even more damaging than the U.S. case, because it may affect more than one-quarter of the U.K.'s population, including virtually every household with children.

The type of data lost could be enormously valuable to identity thieves and other criminals, who could, for example, use stolen account numbers to take over bank accounts. This is why bank account numbers typically sell on the U.S. black market for as much as $400 (£195), compared with $5 (£2.4) or less for credit card numbers. Even the possibility of such a move would likely force U.K. banks to take emergency measures, including closely monitoring all fund transfers out of potentially affected accounts. This would be especially problematic due to the U.K.'s implementation of the Faster Payments initiative, which calls for almost immediate fund transfers. Perhaps fortunately under the circumstances, that initiative has been delayed until 2008.

If evidence emerges that the lost data has fallen into criminals' hands, U.K. banks could, in a worst-case scenario, be forced to close down millions of accounts and reopen new ones at enormous cost. The banks' customers would also face considerable inconvenience, because automatic payments and transfers would have to be set up again, and debit cards might have to be reissued. The potential costs to the U.K. banking system, and to the country's economy as a whole, are huge — possibly as high as $500 million (£244 million), based on a conservative cost estimate of $20 (£9.7) per account.

The chances of a true data loss resulting in identity theft are usually extremely low — typically less than 1% for any given individual. However, the media attention this data loss is receiving means that criminals are likely to pursue the lost data as vigorously as the authorities, so this case has certainly not been resolved yet.






Recommendations



Government agencies and other enterprises:

  • Encrypt sensitive data at rest — especially data that is or may be transferred to portable media that could be lost or stolen.
  • When data transfer is necessary for operational purposes, use electronic transfer of encrypted data. Do not transfer unencrypted data to portable media.

Banks:

  • Implement fraud detection and stronger user authentication systems to ensure that money is not illegally transferred out of accounts, even if bank account numbers and other sensitive data are stolen.





 





© 2007 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.




Resource Id: 548518