Atos is newest data loss IT contractor
A storage device containing the source code of an £18million e-government system, which grants users access to 50 central departments, has been found in a pub car park.
It was reportedly left there by Daniel Harrington, an IT analyst at Atos Origin, the IT consultancy which won a five-year contract, worth £46.7m, to run the system in 2006.
Under the deal, the state agreed the "transfer of responsibility for design, build and operation" of the system, which is called Gateway because it offers one entrance to several departments.
Security expert Jacques Erasmus, of Prevx, believes security software and passwords on the device could therefore give hackers access to a series of databases and payment systems.
But he said the worst result of losing the device, which has been handed to the Mail on Sunday, was the potential for the harvesting of personal details or defrauding of state bodies.
"This is potentially the most serious data loss this country has seen in recent times," Mr Erasmus, who has worked on government-run ICT projects, told the paper.
"The extent of the information contained within the source code would allow a hacker to access the Gateway's payment systems and even direct tax money into private bank accounts."
Both the state and its contractor played down the risks to the public by saying the security of Gateway had not been compromised, and no credit card details were inside the dataset.
Yet the device, a 2-inch USB memory stick, may contain the details of some of the 12m registrants to Gateway, who signed up for its services – from VAT returns and pensions to driving licences and benefits.
Over the weekend, the DWP stressed that software and passwords on the device were protected by an "industry standard" technique, which hides passwords from unaided view. However, some Gateway services were suspended as a precaution.
In a statement to CUK, Atos said a single employee had taken the storage device from its premises, in direct breach of its security procedures.
It added: "Atos Origin is working very closely with the government and the police. The company takes responsibility for the loss of the memory stick and will discipline the individual involved."
Newspaper leaders are saying the loss of 25m people's records last year by HMRC has proved a starting pistol for other departments to lose or misplace personal data.
However, the loss for Atos is more comparable to PA Consulting's loss, also of a memory stick, which the IT contractor firm put down to an employee's human failure.
Despite a full apology from PA Consulting at the time to the relevant department, the government's response was to terminate the firm's three-year contract, worth £1.5million.