Bank details

The bank accounts of every farmer in England have been at risk after the Rural Payments Agency lost confidential data belonging to anyone who has ever claimed a single farm payment.

Computer tapes containing the bank details, addresses, passwords and security questions of more than 100,000 farmers were discovered missing in May.

DEFRA was alerted to the issue immediately, but it is Farmers Weekly’s understanding that the department did not inform and that the agency only discovered the problem in September.

At no time has the agency or DEFRA attempted to inform farmers about the breach.

Leaked information was given to Farmers Weekly this week by frustrated civil servants working on the single payments system within the RPA and an external consultant who has been advising the agency.

These whistle-blowers were concerned that the RPA and DEFRA would remain tight-lipped over the incident and about the risks the breach posed to farmers.

They claimed that 39 back-up tapes containing confidential details went missing after they were transferred from RPA offices in Reading to Newcastle.

Thirty-seven of the tapes have since been recovered, but two remain unaccounted for.

DEFRA has admitted that tapes went missing, but told Farmers Weekly that the data was not lost in transit and was instead misplaced within the data centre.

A DEFRA spokeswoman said a thorough search was conducted to find the missing material and concluded that some tapes were misfiled and placed ‘on the wrong shelf’.

She described this as “bad book-keeping” by RPA-contracted IT consultants IBM, who run the data centre.

DEFRA said it assumed that the two tapes that were never found must have been destroyed.

The breach of security is the latest disaster for the agency, which has faced a catalogue of errors since the single payment scheme was launched in 2005.

According to the whistleblowers, the error occurred after back-up tapes containing confidential details were sent between IBM and another IT consultant,
Accenture.

The tapes were last accounted for in June 2008, but it was not until May this year that IBM realised the data was missing and informed DEFRA.

The sources claim DEFRA tried to cover the error and it was only realised by the RPA in September when annual data checks were carried out.

One source said the tapes had not been encrypted as they should have been – a step which would secure the data so it could not be accessed if it fell into the wrong hands.

“DEFRA knew about this and did nothing,” the source said. “People should be made aware that their details have gone
missing.

“I know people at the middle management level tried to advise senior civil servants to do the right thing and tell farmers, but they’re not listening.”

In further security breaches, the sources claim members of the senior RPA management team have failed to report the loss of memory sticks and laptops which could contain farmers’ information.

“It’s symptomatic of the senior managers. There are a lot of good people working in the lower levels of the organisation, but we think the top-level board is rotten to the core.”

DEFRA admitted its data was not encrypted, but insisted information could not be accessed without specialised technical equipment and knowledge.

When Farmers Weekly put the whistleblowers’ accusations to DEFRA and the RPA, we received the following statement:

“Since these incidents, procedures have been further tightened to prevent a recurrance. IBM have instigated a thorough review of their procedures to manage removable storage media, such as these tapes, as well as tightening access control requirements.

“The tapes are held in a secure IBM data centre and only IBM and Accenture technicians have access to them. Both IBM and Accenture were asked to review their security arrangements as a result of this incident.”

DEFRA said the risk posed to farmers was very low.