Farmers Weekly has discovered the RPA has misplaced computer tapes containing the bank details, names, addresses and security details of every English farmer who has ever claimed a single payment.

The full story's here: http://www.fwi.co.uk/Articles/2009/10/29/118497/EXCLUSIVE-RPA-loses-farmers39-bank-details.htm 

 Apparently questions are about to be asked in parliament over the debacle, so we'll update as soon as we get any more information.

It pleases no one to have to expose one more massive failure within the RPA.  The serious leak we received this week about missing tapes carrying confidential information about farmers is yet another nail in the RPA’s coffin.  We are told that farmers are not at risk because critical data has now been recovered but that will be small consolation for those flabbergasted by the RPA’s continued incompetence.  This latest revelation exposed by Farmers Weekly highlights sloppiness and a system breakdown of a scale never seen before.  Even more worrying, it is RPA’s own employees who are spilling the beans about the bad shape it is in.  

 

So many questions need answering:  Why was there a time lapse of several months between DEFRA and IBM knowing about the missing farmer details and the RPA?  DEFRA and the IT consultancy seemed to know about the incident in May but the RPA was not informed and does not appear to have been aware of the major security breach until September.  If this is the case, then why did DEFRA not disclose?  

 

Why is the RPA chief Tony Cooper unable to talk on or off the record to Farmers Weekly about these problems?  He should be working with us to reassure farmers.  

Other fundamental questions also need answering.  Why does it cost the RPA £350m to pay £1.6bn out to 100,000 farmers? Any multinational organisation facing admin costs like that would not be in business for long.

 

Why has the RPA had four chief operating officers in just three years and why have they all left with massive golden handshakes having achieved no turnaround in the RPAs performance?

 

How was it that those briefing Accenture to deliver the original IT system failed to  explain a fundamental that the technology had to cope with annual changes in key information?     Why is it still necessary for the RPA to employ 100 fulltime Accenture contractors on monopoly money with still no prospect of  improvements in service? 

 If we can some answers to these questions today, we will keep you posted.In the meantime, if you know the answers yourself, then let us know. 

    

In the House of Commons this morning, the Secretary of State Hilary Been has tried to reassure farmers and the public.  He said that at no time did the missing tapes get into the public domain and the data on the tapes was in code format and could not be read.

Nick Herbert MP for the Conservatives asked Mr Benn why the public and farmers have only just been told about this when the incident came to light in May 2009.  "It looks like a cover up", he said.

Mr Benn replied that he was only told about the situation yesterday (when FW started making enquiries to DEFRA) and that he took the first opportunity he could to tell the public today at the DEFRA question time in the House of Commons.        

Things are moving fast on this story. Speaking in Defra questions this morning, the Secretary of State, Hilary Benn, said:

 “I wish to inform the House that following routine inventory checks earlier this year, 38 RPA data backup tapes and one CD were unaccounted for.  35 have since been accounted for.  Of the remainder, one tape and the CD did not contain personal protected data, but the two remaining tapes potentially contained partial data in code.  Tapes of this sort can only be read with specialist equipment and detailed technical knowledge.  Furthermore, one of the two tapes was known to be faulty and had been reported as such since it could not be read.

I want to reassure farmers that there is no evidence that the tapes are in the public domain; that a forensic investigation was carried out, in accordance with Cabinet Office guidelines; and that officials concluded there was only a low risk of any usable personal data having been lost.  I will arrange for a copy of the investigation report to be placed in the Library of the House.”

In response, shadow DEFRA secretary Nick Herbert said:

“The reason the Secretary of State has suddenly announced another data loss by the Government is that Farmers Weekly obtained the information and will report it tomorrow. If the loss was discovered earlier this year, and an investigation done, as the Secretary of State told us, why have the public not been told until now?  This looks like another cover-up.  Will he accept responsibility for another foul up by the RPA which has already cost taxpayers £70million in EU fines through its bungling?

Hilary Benn subsequently confirmed that he was only informed of the data loss yesterday (28 October 2009).

What is great is that  Nick Herbert has tabled the following Parliamentary questions to seek further information on the data loss:

 To ask the Secretary of State for Environment, Food and Rural Affairs: on what date he was informed that confidential data had gone missing from the Rural Payments Agency  on what date were ministers informed that confidential data had gone missing from the Rural Payments Agency  on what date were officials in Defra informed that confidential data had gone missing from the Rural Payments Agency on what date was the recent loss of confidential data from the Rural Payments Agency detected how many (i) data tapes, (ii) cds, (iii) memory sticks, (iv) laptops, (v) other equipment containing data have been lost from Defra and its agencies in each of the last five years, broken down by (a) agency and (b) type of data  on what date did the investigation into the recent loss of confidential data from the Rural Payments Agency begin when did the investigation into the recent loss of confidential data from the Rural Payments Agency conclude when did the investigation into the recent loss of confidential data from the Rural Payments Agency publish its findings who ordered the investigation into the recent loss of confidential data from the Rural Payments Agency  when individuals whose data was contained on tapes lost by the Rural Payments Agency were informed  what data is contained on the tapes recently lost by the Rural Payments Agency

 

Jane King:

It pleases no one to have to expose one more massive failure within the RPA.

Nah, it pleases me. Another nail.

What remains to be answered is why exactly a single European subsidy scheme with everyone getting the same amount isnt in place, administered in Brussells and send in Euros direct to us? I just cant see the point in the RPA at all, when we should all be getting the same amount for the same thing accross the board. Then we could sack the whole lot of them.

But in terms of the actual data loss, bit of a storm in a tea-cup. But happy to see them in the news getting a bashing. Although I am sure that spin doctors will have the papers focused on us sad, rich farmers in out Range Rovers hoovering up free money, rather than Team Cock-up (RPA).

Why anyone should believe anything Ministers say about data security is beyond me.

Since the beginning of time there have been humans who have delighted in 'revealing' data and others who wanted to keep it hidden.

Since the beginning of time locksmiths have devised codes to lock boxes, only for others to devise keys to open those same boxes.

Since the beginning of time there have been those who, for a variety of reasons, have lost data and those who have found it.

The safest way to practically preserve data is to code it and break it up into small portions.(Motley would like this as small is beautiful)

The easiest way to lose data is to build it into giant modern data bases and then put it onto disc, tape, stick, on-line, etc.

Politicians are fools if they think that huge databases are 'secure', and this goes for the National Identity Card and RPA data bases or that of  Pension Payments.

I do not however offer a counsel of despair. Simply say that, if you must have a database, make them small and local. That way you minimise negative fallout and keep the problem of data loss small and localised.

With the questions in Parliament you're going to be as famous as Oz Magazine

I see that other sites are picking up on this story now; the comments here are particularly interesting, specifically the insights from someone who works on government systems.  The 'War on Rural Britain' quote is good too.

FWIW I've had the misfortune to work on private sector projects involving Accenture and this kind of 'mishap' is pretty much par for the course.  They are the kind of organisation who will send some very highly paid consultant to tell you what you already know and persuade your management to hire their 'expert team' then throw a bunch of raw graduates onto the project still at a chargeout rate to make the eyes water.  Sadly the incompetents who manage our public sector procurement are incapable of understanding the con and the politicians are too far mired in the backhanders to take any notice.

Peter Wells:

Simply say that, if you must have a database, make them small and local.

I think you've got the right idea, Peter, but not quite.  Small, local and the whole dataset would not be appropriate.  What they have actually done in this case is quite righlty to split the data down into sections and have these backup tapes of each section only.  The ones lost are just people's bank account details - nothing else.  This information is really no use to anyone, after all I've got recorded details of several government bank accounts so I can pay tax, paye, vat on-line.  Sadly this info doesn't allow me to get at all the dosh in those accounts!

 There was a time when I'd be shocked and angry that they could be that stupid but now a days it just doesn't.

Here's a follow-up to the latest RPA debacle:

The Rural Payments Agency has ignored basic government requirements for protecting farmers’ confidential information.

 

Following a Farmers Weekly investigation, the agency has admitted losing two computer tapes containing farmers’ bank details, addresses, passwords and security questions.

 

The data tapes had not been encrypted – a step which would secure the data so it could not be accessed if it fell into the wrong hands.

 

The admission revealed the agency had flouted basic data handling rules, set out after HM revenue and Customs lost the confidential details of 25m child benefit recipients.

 

The procedures, published in a report by the Cabinet Office in June 2008, said data put on computer discs, tapes or laptops should be encrypted as a “minimum requirement”.

While government departments could set higher levels of protection, encrypting information and monitoring its whereabouts was a core obligation.

IT security expert David Lacey said there was a “systematic ignorance” throughout government about the need to secure data properly.

“It’s difficult to encrypt data and lots of people have difficulty even sending an encrypted email,” he said.

“People are ignorant of the risks of not encrypting information.”

While DEFRA claimed farmers’ details contained on the tapes were at a very low risk, Mr Lacey said any loss of unencrypted data could lead to identity theft.

“You can’t say there’s no damage done - you can’t be relaxed about any personal data going missing. It’s an outrage for anyone affected.”

 

Ian Grant, senior reporter for Computer Weekly, said regardless of whether farmers’ details were encrypted, the whereabouts of the data tapes should have been recorded.

 

“They should also have a very explicit audit trail for who had the tapes and when,” he said.

“Even if you have a third party processing the information they should be looking after it – making a note of when they get the tapes, who got them, where they are. They should know that down to the second.

“When that data wasn’t accounted for, it should have triggered alarm bells.”

 

Jacobus:

What they have actually done in this case is quite righlty to split the data down into sections and have these backup tapes of each section only.  The ones lost are just people's bank account details - nothing else.  This information is really no use to anyone.

I'm afraid I have to differ with you there, Peter. My contacts from within the agency claim that the data isn't split into sections and that it actually runs sequentially, meaning full details are lost.

As I wrote in the story above, the IT experts I have spoken to say any missing data, regardless of how complete it is, can help fraudsters steal people's identities. The loss of any personal data is frankly outrageous.

It is interesting that they think it so hard to encrypt these data.  Many tape drives feature software with built-in encryption software, which takes deliberate action to disable.  In fact here is one from IBM, the vendor in question.  No doubt as usual our masters have chosen the lowest spec of kit at the highest price.

caroline stocks:

I'm afraid I have to differ with you there, Peter

Arghh!!!  Peter's stolen my ID already!!

Seriously, though, obviously any loss of data is extremely serious and on top of all the other instances in the recent past is just completely indicative of the utter lack of care taken in all government departments and agencies, and more to the point, that everyone in the know seems to consider that the most appropriate action to take is to do nothing and say nothing. 

On the other had, I appreciate that your information is better than that which has been admitted to so far, but it does seem that the data that has been mislaid (I suppose we have to accept the probability that it hasn't actually been left on a train or anything) is only part of the data held by RPA.  It is just details needed to make payments, ie name, address, bank sort code and account number, probably your SBI number etc. too.  It isn't the details held on the database for calculating SFP or anything else the RPA deals with.

In you previous post you say that it includes passwords and security questions.  My own dealings with RPA are only on SFP so maybe it's different for other schemes, but I certainly don't have a password or any security questions so I'm not quite sure what these relate to. 

As far as the bank information is concerned, I suppose the data may be of some limited use to a fraudster, but everyone I've ever paid by cheque, Direct Debit, standing order or BACS has the same information and anyone who has ever paid me by any of those methods also has or could get the same information.  It's hardly secret, is it?

Come on Jacobus - you know there's nowt in there anyway - just an IOU to the IMF!

Idiots! they can't be trusted to do anything!!

Fortunately, having been shut down with TB for a year, there is no money in my bank account to lose!

 The incompetence of this bunch of commies is breathtaking, the sooner they are out of office the better. Do you think the NFU will sue them over the loss of our data? Perhaps not, for there would be no possibility of a knighthood if they did. What a bunch of idiots we are ruled by. The sooner they are confined to the dustbin of history the better.

Dick. ( saddened and incredulous)