Tax website shut down as memory stick with secret personal data of 12million is found in a pub car park

Ministers have been forced to order an emergency shutdown of a key Government computer system to protect millions of people's private details.

The action was taken after a memory stick was found in a pub car park containing confidential passcodes to the online Government Gateway system, which covers everything from tax returns to parking tickets.

An urgent investigation is now under way into how the stick, belonging to the company which runs the flagship system, came to be lost.

Security breach: The lost USB memory stick holding sensitive details

The Department for Work and Pensions insisted that the system's security has not been breached, but a computer expert told The Mail on Sunday that in the wrong hands the data on the memory stick could enable hackers to access personal details of the 12million people who have registered on the system, including their passwords.

Users trying to log on to the site yesterday were met by the message: 'The Government Gateway is temporarily offline. We apologise for any inconvenience. Normal service will be resumed as soon as possible.'

The Government also closed down access to self-assessment tax applications via the Revenue and Customs website.

For the past six years, the £18million Gateway system has enabled members of the public and businesses to gain access to hundreds of services from 50 Whitehall departments, including self-assessment tax returns, VAT returns, pension entitlements and child benefit.

This year alone, 1.8million people have submitted their tax returns on the system.

Members of the public registering for the service have to provide their personal details, which can include names, addresses, wages, National Insurance numbers and credit card details.

The lost memory stick was found two weeks ago outside a Brewers Fayre chain pub in Cannock, Staffordshire, but the Department of Work and Pensions, which owns the Government Gateway, was made aware of its loss only last week when the 2in device was passed to this newspaper.

An expert who examined it for The Mail on Sunday said it contained confidential passwords, security software and the technical blueprint to the system known as the 'source code'. The memory stick is now in the hands of the police.

Concerns have been raised before about the concentration of personal information on the system, but Ministers have repeatedly assured taxpayers that the system was secure.

When The Mail on Sunday told the Department of Work and Pensions that the memory stick had been left outside The Orbital pub in Cannock, a spokesman said they were taking the matter 'very seriously'.

He added: 'We have launched an immediate and urgent investigation into this. We are going to assess what needs to be done and senior people are involved. The implications are obvious.'

Yesterday, after the service had been shut down, the department added: 'We have moved immediately to make sure there is no conceivable risk to users of the Government Gateway.

'We are convinced the integrity of the Government Gateway has not been compromised and there is no risk to users.'

The department said no credit card details were contained on the USB memory stick, also known as a flash drive.

Shut down: The Government Gateway website

The breach is just the latest in a long line of scandals involving lost Government data.

This week the Information Commissioner revealed that the number of data breaches - including lost laptops and memory sticks containing sensitive personal records - had risen to 277 since the loss of 25million child benefit records was disclosed nearly a year ago.

The memory stick was lost by Daniel Harrington, 29, an IT analyst at computer management firm Atos Origin.

The multinational company, which boasts an annual turnover of £4billion, won the five-year £46.7million contract to manage the Government Gateway in 2006.

Worryingly, the same company has been selected to supply IT systems for the London 2012 Olympic Games.

Yesterday, Mr Harrington was in emergency meetings all day at Atos Origin's offices in Cannock.

His mother Sylvia said: 'It was lost. He is such a lovely lad. He went into work today, I don't know whether he was dragged in, but he went in. It is just so upsetting. I keep telling him, mistakes happen.'

Computer security expert Jacques Erasmus, from internet protection firm Prevx, said that the passwords and security software saved on the memory stick would provide access into a series of databases or payment systems. But he added that the greatest concern was the source code.

Mr Erasmus, who has previously worked with Government agencies, said that the blueprint to the Government Gateway was 'invaluable' for those who would want to harvest personal details or defraud the Government.

He said: 'We have to hope that there are not more of these out there. This is potentially the most serious data loss this country has seen in recent times.

'Not only would a fraudster be able to take personal details using the tools provided on the lost memory stick, but the extent of the information contained in the source code would allow a hacker to access the Government Gateway's payment systems and even divert tax money into private bank accounts.

'It is unbelievable, incredible. In previous data loss cases it was all clear-cut. The Government could see exactly what was lost and could combat it. They could cancel cards, make the people involved aware of the threat.'

As well as the system blueprint, other files on the stick included samples of personal information. One document held the names, addresses, wages, individual tax liabilities and National Insurance numbers of a group of taxpayers.

A spokesman for the Department for Work and Pensions insisted that the security software and passwords on the memory stick had been protected so that a stranger would not be able to access the Government Gateway easily.

She said: 'Passwords are hidden using an industry standard technique which is difficult to break. We believe the risk of someone accessing personal data in this way is extremely low.'

She added that the source code was old, that the step-by-step guide to the system provided in a text file was a 'low risk', and that other items on the memory stick provided only a 'rudimentary guide' to the system.

She also said that it would be 'impossible to intercept details of transactions' and divert money to another account.

However, Mr Erasmus said the source code was only a few months old and that the password encryption would be 'relatively easy' to crack, given the information on the device.

He said: 'I could decrypt those passwords to log in to the system and roam around the network. As we can see from the data on the USB stick, the systems contain highly sensitive personal information.

'If you can crack those encrypted passwords, and it would just be a matter of time, you could potentially access those 12million accounts and those details.

'There is even a map on the memory stick of how the whole thing works, to help an attacker.'

Shami Chakrabarti, director of Liberty, said the civil rights group had conducted an audit which showed that the Government had lost 30million pieces of data in the past year.

'That's one data bungle for every two people in the country,' she said. 'Still they plough on with their Big Brother ambitions; ID cards and the scary central communications database: disasters waiting to happen at our expense.'

Lib Dem MP Norman Baker said the Government were asking for data from taxpayers that they could not protect.

'The Government cannot be trusted with all this information but they collect more and more,' he said.

'I would have thought the basic security step would be to ensure that memory sticks with all this information on simply don't exist.'

Yesterday morning, the finder of the memory stick was asked to deposit the device at his local police station. And seven pages of printouts were handed over to a civil servant seconded to collect the documents.

An Atos Origin spokesman said: 'Atos Origin can confirm that a single memory stick has been misplaced by one of its employees.

'The company takes the loss of this device very seriously and we are currently carrying out a full investigation of both the circumstances surrounding its loss and the data content of the stick.

'It is clear that the employee removed the device from company premises in direct breach of our own operating procedure.

'Atos Origin is working very closely with the Government and the police. The company takes full responsibility for this loss and will discipline the individual involved.

'It is inappropriate for us to comment further at this stage.'