Harder still to believe is the government's fumbling explanation of such a mind-numbingly huge loss of data.
For a start, we had the chancellor of the exchequer, Alistair Darling, stood at the despatch box in parliament today stressing that people are not at risk of ID fraud. He added that banks will reimburse any losses.
Darling failed to say what losses there could possibly be from people's bank accounts if there is actually no risk of fraud. He failed to state exactly which banks would reimburse people. And he failed to say how people could show the banks they had been the victims of fraud in a case where the risk of fraud was nil.
This is farce of the highest order.
The potential for ID fraud on a scale never before seen is clear. What is required for ID fraud? Details such as names, addresses, dates of birth and national insurance numbers are a good start. Bank details are the icing on the cake. And what was lost? All of the above.
Alistair Darling's comment that people are not at risk from ID fraud is at best naive and at worst negligent.
Furthermore, as we delve into the issue, it simply gets worse and the questions more numerous.
We're told that the data was password-protected — but what does that mean? Was the data actually encrypted and, if so, how?
Who thought transporting such information physically was the best way to do it? We're told that a junior official was responsible — but why do junior officials have, or indeed need, access to the entire, downloaded database?
And why did the junior official think that a courier was the best way to transport such a vast database of such valuable, personal information? Is data security at HMRC really so bad that sending physical CDs was considered more secure than electronic transmission? What risk assessment did they use to come to that conclusion? Is there even a risk-assessment procedure in place?
We can be sure that, as the answers unravel, even more questions will emerge. One thing we do know: this fiasco makes the claim of the Home Office that it is a safe pair of hands for the national ID cards scheme look as empty as an HMRC CD pouch.
Talkback
Lets face it how can you expect a proffessional attitude by people in charge of our personal data when you probably pay them basic wages - hence the "junior" tag to the description of the person who was tasked to copy the data to disc and post it out.
As I understand it the request was from London based auditors (bet they are not paid minimum wage) to ...... well to who?
A "junior" ?? - Idoubt it. Most likely to a "Senior" person who, being much better paid, probably felt the task was too belittling for them and delegated it to the oik.
Find out who the person was that asked for the data, who they asked, the rights each had to access it and establish their responsibilities for the security ofthe process.
If they failed these responsibilities - sack them. Don't get caught up in the bash the politician craze - they are not responsible, the persons who failed their duties are.
349110 may be right when it comes to government: you get what you pay for. Government is, by definition, not-for-profit (at least on paper, if not in practice).
But, with businesses, you don't get what you pay for -- you get less. In stark economic terms, businesses cannot give you what you pay for without shrinking their margin. The Revenue's recent buffoonery acts to legitimise poor data protection practices used by businesses far and wide. For some examples, see my own experiences with accountants and regulated firms at http://news.zdnet.co.uk/security/0,1000000189,39291064,00.htm