By Mark Ward
Technology correspondent, BBC News website
Organisations should have policies that govern who does what with data
The information lost by the HMRC could prove very valuable to fraudsters, computer security experts say.
"In the fraud underworld the quality of data directly impacts the flexibility with which they can use it," said Andrew Moloney, financial services market director for RSA Security.
"The more data you have around a subject, the more different ways you can use that to commit fraud."
There was no evidence yet that the data was being talked about or sold on the fraud boards and net markets that his company monitors, he said.
However, most vendors of stolen data rarely mention where they got it from. Instead, they typically only mention its quality.
Mr Moloney said there was a well-established chain of buyers and sellers who can handle large amounts of data and pass them on to those that wish to use them to commit fraud.
"That's partly grown up to protect the anonymous individuals involved," he said, "and partly because we have seen specialisms develop with individuals finding their own niche in that underground economy."
What also made the data attractive to fraudsters, said Mr Moloney, was that much of the data in it, such as names of children and birth dates, cannot be changed and will be valuable if it reaches criminals in the next week or the next year.
"Once it's compromised it is compromised for the long term," he said.
MISSING DATA INCLUDES...
National insurance number
Name, address and birth date
Names, sex and age of children
Bank/savings account details
With computerised databases long established in large organisations, a series of policies and practices has grown up to safeguard the sensitive data they contain - in theory.
In the front line of these safeguards are the strictures laid down by the Data Protection Act, which is policed by the Information Commissioner.
The Act details what workers can and cannot do with sensitive data and how it must be treated as well as what staff should do to ensure it is not compromised.
In a statement issued after the HMRC data loss was made public, Richard Thomas, the information commissioner, said his organisation was already investigating two other breaches at the government department.
"Searching questions need to be answered about systems, procedures and human error inside both HMRC and the National Audit Office," said Mr Thomas.
Much of the lost data, such as birth dates, cannot be changed
Beyond data protection laws, most organisations develop their own policies which govern how staff should treat such sensitive information, said Paul Simmonds, a board member of the Jericho Forum - a trade association for IT security bosses at the world's largest organisations.
He said the Jericho Forum had developed a series of "commandments" which organisations should strive to live up to. They detail what organisations should do to ensure data is used appropriately.
They cover such things as levels of security for different types of data, authentication to ensure data use is appropriate, and how to share responsibilities for safeguarding information.
"The Jericho Forum has long stated that data must be properly protected, both in transit and at rest," said Mr Simmonds. "Effectively this means sensitive data must always be encrypted.
"This data loss is just another in a long list of organisations who ignore basic security principles," he added.
Shore up defences
Paul Davie, head of database security firm Secerno, said many companies were turning to technology to help shore up their defences.
Security systems that oversaw interaction between a database and its users helped to do more than just stop bad guys from the outside stealing data, he said.
There are many places online where data is bought and sold
"They want to understand the way the database is being queried by authorised users and what counts as normal use," said Mr Davie.
"The technology is there to detect unusual behaviour such as a junior downloading huge amounts of data," he added.
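The kind of baseline check Mr Davie describes, as an added illustration that is not part of the original article or of any vendor's product: it parses a handful of constructed database audit records (field layout, user names, roles and row caps are all assumptions), and flags a SELECT that exceeds a hypothetical per-role row cap or dwarfs that user's own median result size.

```python
from collections import defaultdict
from statistics import median

# Constructed audit-log lines (not real data): ts user role statement rows_returned
AUDIT_LOG = """\
2007-11-20T09:01:12 jsmith junior_clerk SELECT 40
2007-11-20T09:05:44 jsmith junior_clerk SELECT 55
2007-11-20T09:12:03 jsmith junior_clerk SELECT 38
2007-11-20T09:20:51 jsmith junior_clerk SELECT 61
2007-11-20T10:14:09 abrown analyst SELECT 12000
2007-11-20T10:30:22 abrown analyst SELECT 9800
2007-11-20T10:45:17 abrown analyst SELECT 11500
2007-11-20T16:48:05 jsmith junior_clerk SELECT 25000000
2007-11-20T17:02:11 abrown analyst SELECT 14000
"""
# Hypothetical ceilings on rows one query may return, by role.
ROLE_CAPS = {"junior_clerk": 5_000, "analyst": 50_000}
BASELINE_MULTIPLIER = 10  # alert when a query returns >10x the user's median
MIN_HISTORY = 3           # earlier queries needed before a user baseline applies

def parse_log(text):
    """Parse whitespace-separated audit lines into dicts."""
    records = []
    for line in text.splitlines():
        ts, user, role, stmt, rows = line.split()
        records.append({"ts": ts, "user": user, "role": role,
                        "stmt": stmt, "rows": int(rows)})
    return records

def detect_bulk_reads(records):
    """Return (ts, user, rows, reason) for SELECTs that break a role cap
    or that dwarf the user's own running median of earlier result sizes."""
    history = defaultdict(list)
    alerts = []
    for r in records:
        if r["stmt"] != "SELECT":
            continue
        reasons = []
        cap = ROLE_CAPS.get(r["role"])
        if cap is not None and r["rows"] > cap:
            reasons.append(f"exceeds {r['role']} cap of {cap}")
        prior = history[r["user"]]
        if len(prior) >= MIN_HISTORY:
            base = median(prior)
            if r["rows"] > BASELINE_MULTIPLIER * base:
                reasons.append(f"{r['rows'] / base:.0f}x user median of {base:.0f}")
        if reasons:
            alerts.append((r["ts"], r["user"], r["rows"], "; ".join(reasons)))
        prior.append(r["rows"])  # the baseline learns from every query
    return alerts
```

Running `detect_bulk_reads(parse_log(AUDIT_LOG))` yields a single alert for the junior clerk's 25-million-row query, while the analyst's larger-than-usual but in-range result passes both checks.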
Evidence suggests that technology has a significant role to play. A University of Washington study released in March 2007 showed that 60% of data breaches were the result of bad practices inside organisations rather than hackers.
Although there is no evidence that the lost data has got into the hands of criminals, anyone who did get hold of it, said Mr Davie, would be able to make great use of it.
"This is really high quality data," he said.
Hackers have increasingly targeted databases, he said, because the information inside them was so valuable and well organised.
By contrast, data gathered by other hacker tools, such as key-logging software installed surreptitiously on PCs to watch what people type, can produce reams of information that must be cleaned up before it is usable or saleable.