I don’t very much like Jeremy Clarkson, so it was with much fun and finger pointing I read this. In short, Clarkson, believing himself to be a data-security expert, put his bank account details, and clues to his address, into a newspaper column in the Sun to “prove” that the recent loss of data by the HMRC was nothing to worry about. Clarkson, not actually being a data-security expert, was then surprised to find that he had become an unwitting £500/month donor to Diabetes UK.
To my warped sense of humour, this is very funny. A lot of people (highly scientific source: this discussion at the Register) thought it great that at least Clarkson had admitted he was wrong, and that made it all okay. Well, no it didn’t.
First things first, Clarkson erroneously told a great many people that having huge swathes of sensitive data go missing was okay. He attempted to demonstrate his expertise by posting only two pieces of information from amongst all the information that was lost: he did not post his national insurance number, his date of birth (although this is easy to find out – 11th April 1960), or any of the other information that was, or might have been, on the missing disks. He erroneously gave the impression that because he posted a limited sub-set of the information available, it was safe for all the information to be freely available. And he was wrong in his reasons why he was wrong.
Look at what happened: shortly after posting his bank details in his newspaper column, someone used that information to set up a Direct Debit between Clarkson’s bank account and the charity Diabetes UK – most likely using the on-line Direct Debit application provided by the charity. When he discovered this had happened, he reported that:
“The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again.”
The second part of this is true: once your data is out of the bag, it stays out. The first part isn’t — or, more accurately, if the first part is true, whoever he spoke to is incompetent. It is certainly true that the bank can’t find out who did it, but it has nothing whatsoever to do with the Data Protection Act and I have to wonder why this suggestion was made. The bank can’t tell him who did it for the simple reason that they don’t know, and – more precisely – they can’t know. The banks simply don’t hold that information.
In order to see why, it’s worth considering how a direct debit is set up. In the UK, a DD allows an approved (“sponsored”) originator to collect money automatically from an account. Originally, this involved getting a piece of paper from the originator, filling in all your details, signing it and sending it back to the bank. In those ancient times the bank held the mandate and could point to your signature if you ever disputed a collection. Later, you instead sent the mandate to the originator and they could point to your signature if you ever disputed a collection. But paper is a pain in the bum to deal with, and mandates are costly to archive; so recently (well, not that recently, but it’s only recently that it’s become popular) BACS (now BACS/Voca) introduced a system called Paperless Direct Debit. As its name suggests, with a paperless direct debit there is no paper mandate and there’s no signature. All that happens is the originator sends your bank a computer record effectively saying “this person has set up a direct debit” (the automated management of DDs is done with a system given the acronym “AUDDIS” – AUtomated Direct Debit Instruction Service). The wily person who set up the direct debit on Clarkson’s account knew something that Clarkson didn’t: to set up a direct debit on an account on-line, you only need to know that person’s name, sort code and bank account number. The identity of the person making the direct debit request isn’t known, both because it isn’t needed and because it is assumed that the person making the request is the person who holds the account.
The point here is that the person who set the direct debit up didn’t have to be particularly clever or cunning, he simply had to know something that Clarkson didn’t. Clarkson apparently either didn’t know about paperless direct debit or he couldn’t connect the dots, but felt qualified to comment on whether the data that went missing was worth worrying about or not.
What’s bizarre about this is that Clarkson shouldn’t be reporting that he’s losing any money. The paperless Direct Debit system is highly insecure (read: it’s set up to prefer ease-of-use to security), so it is set up in such a way that it has the ultimate money-back guarantee: if a mandate is set up on your account that was not authorised by you, your money will be immediately refunded, and the mandate cancelled, no questions asked. For that matter, if a mandate is set up on your account that was authorised by you, but you’d prefer to pretend that it wasn’t, you will get your money back, no questions asked. (This is what the “Direct Debit Guarantee” stuff at the bottom of paper mandates is all about, and why you are supposed to keep it.)
Clarkson got let off lightly. I don’t know what makes him think that a motoring columnist is qualified to write about data security, but he was wrong. If he gets punished for it to the tune of £500, then he was both wrong in his first article and either (once again) woefully misinformed, or stupid, in the second. The fact is, however, that a single direct debit being set up in his name as a result of him publishing two pieces of sensitive – but not secret – information, is not the type of fraud people are concerned about; and the concerns raised around the handling of data at the HMRC are not simply because Jeremy Clarkson may be the target of a prank which should not leave him out of pocket. That he seems to think that it is makes me wonder what kind of reactionary nonsense he’ll write when the next major data breach occurs. Thankfully I don’t read the Sun, so I’ll probably never know.