The bank accounts of every farmer in England have been at risk
after the Rural Payments Agency lost confidential data
belonging to anyone who has ever claimed a single farm
payment.
Computer tapes containing the bank
details, addresses, passwords and security questions of more than
100,000 farmers were discovered missing in May.
DEFRA was
alerted to the issue immediately, but it is Farmers Weekly's
understanding that the department did not inform and that the
agency only discovered the problem in September.
At no time has the agency or DEFRA attempted to inform farmers
about the breach.
Leaked information was given to
Farmers Weekly this week by frustrated civil servants
working on the single payments system within the RPA and an
external consultant who has been advising the agency.
These whistle-blowers were concerned that
the RPA and DEFRA would remain tight-lipped over the incident and
about the risks the breach posed to farmers.
They claimed that 39 back-up tapes
containing confidential details went missing after they were
transferred from RPA offices in Reading to Newcastle.
Thirty-seven of the tapes have since been
recovered, but two remain unaccounted for.
DEFRA has admitted that tapes went
missing, but told Farmers Weekly that the data was not lost in
transit and was instead misplaced within the data centre.
A DEFRA spokeswoman said a thorough
search was conducted to find the missing material and concluded
that some tapes were misfiled and placed 'on the wrong shelf'.
She described this as "bad book-keeping"
by RPA-contracted IT consultants IBM, who run the data centre.
DEFRA said it assumed that the two tapes
that were never found must have been destroyed.
The breach of security is the latest
disaster for the agency, which has faced a catalogue of errors
since the single payment scheme was launched in 2005.
According to the whistleblowers, the
error occurred after back-up tapes containing confidential details
were sent between IBM and another IT consultant,
Accenture.
The tapes were last accounted for in June
2008, but it was not until May this year that IBM realised the data
was missing and informed DEFRA.
The sources claim DEFRA tried to cover
the error and it was only realised by the RPA in September when
annual data checks were carried out.
One source said the tapes had not been
encrypted as they should have been - a step which would secure the
data so it could not be accessed if it fell into the wrong
hands.
"DEFRA knew about this and did nothing,"
the source said. "People should be made aware that their details
have gone
missing.
"I know people at the middle management
level tried to advise senior civil servants to do the right thing
and tell farmers, but they're not listening."
In further security breaches, the sources
claim members of the senior RPA management team have failed to
report the loss of memory sticks and laptops which could contain
farmers' information.
"It's symptomatic of the senior managers.
There are a lot of good people working in the lower levels of the
organisation, but we think the top-level board is rotten to the
core."
DEFRA admitted its data was not
encrypted, but insisted information could not be accessed without
specialised technical equipment and knowledge.
When Farmers Weekly put the
whistleblowers' accusations to DEFRA and the RPA, we received the
following statement:
"Since these incidents, procedures have
been further tightened to prevent a recurrance. IBM have instigated
a thorough review of their procedures to manage removable storage
media, such as these tapes, as well as tightening access control
requirements.
"The tapes are held in a secure IBM data
centre and only IBM and Accenture technicians have access to them.
Both IBM and Accenture were asked to review their security
arrangements as a result of this incident."
DEFRA said the risk posed to farmers was
very low.