HMRC declares 17 serious data breaches to ICO

Share
Her Majesty's Revenue and Customs (HMRC) has reported a total of 17 serious data breaches to the Information Commissioner's Office (ICO) over 15 months.

HMRC has reported a total of 17 serious data breaches to the Information Commissioner's Office (ICO) over a 15 month period, from January 2020 to March 2021.

The data, analysed by niche litigation practice Griffin Law, was revealed in HMRC’s recently published Annual Report and Accounts. According to the report, a total of 3,017 people were potentially affected by personal data-related incidents.

In the largest incident, 1,023 people were potentially impacted when an HMRC staffer used personal information to make changes to customer records on HMRC systems without authorisation. The most alarming infringement saw an HMRC employee caught accessing an internal system to locate his estranged wife and children, potentially affecting a total of four people.

In another family related data breach, a customer received details about his former partner when making a Suspicious Activity Report (SAR) request for information, potentially impacting the customer and his ex-partner.

During an office relocation, a customer’s locked pedestal desk was forced open, resulting in personal identifiers such as ethnic origin and religious beliefs being exposed. The most frequent breach involved HMRC staffers using personal information to alter customer records on HMRC systems. This occurred on 11 separate occasions, potentially impacting a combined total of 2,999 people.

HMRC stated in the report that it has learnt lessons from the incidents and is using them to review and strengthen its customer identity and authentication process. In spite of the breaches, HMRC stated in the report: “Protecting customer data is important to us and we monitor our processes continually to prevent recurrences. In addition, HMRC is delivering enhanced data security, governance and reporting across the department.”

A number of other personal data-related breaches were revealed but were not required to be reported to the Information Commissioner, instead being recorded centrally within the department.

Donal Blaney, Founder of Griffin Law commented on the breaches, stating: “HMRC wields draconian powers, and is increasingly out of control. This is further evidence that HMRC needs to be reined in. They think they’re above the law. They're not.

"Such abuse of its powers, and such criminality, should be investigated to the fullest extent possible by the Information Commissioner and the police if taxpayers are to retain any confidence in HMRC” he continued.

Security specialist Edward Blake, Area Vice President EMEA for Absolute Software added: “HMRC stores and manages countless quantities of sensitive data on a daily basis. This marks HMRC and similar public sector organisations and large institutions as prime targets on the radar of opportunistic cyber attackers. Large organisations and governmental departments must be privy to this fact, and employ the right protection and security tools to protect customers’ data which is at risk.

“Today there are more access points than ever before for the cyber criminal, and organisations must defend against all possible angles. This includes protecting everything from firmware and devices, to apps and network connections. Adopting ‘Zero Trust’ protocols is one of the most effective ways of stopping bad actors in their tracks, and ensuring that a breach in the system does not necessarily equate to a breach of data. Also, leveraging self-healing technologies to detect and repair unhealthy applications and connections for optimal security and experience is key to boosting network and application security, and negating risk.”

Tim Sadler, CEO and co-founder of Tessian, concluded: “The majority of today’s data breaches are caused by people. Why? Because people make mistakes, break the rules and can be hacked. As employees handle and control more data than ever before, organisations must take steps to protect data from incidents caused by people if they’re ever going to stop breaches.”

Share

Featured Articles

BT's Security Chief: Why AI Poses Such a Risk to Security

BT’s security chief Tris Morgan says the telecommunications group logs 200 million potential cyber attacks daily as AI drives new security challenges

How Supply Chain Cyber Threats Cost The Global Economy

Interos.ai reports physical infrastructure attacks and AI system vulnerabilities emerging as primary concerns for security leaders

How Kroll and DORA Tackle Supply Chain Cybersecurity Risks

Kroll experts highlight critical measures IT providers must adopt to protect supply chains from cyber attacks and mitigate risks from AI-enabled threats

VCARB & Dynatrace Accelerate AI For F1 Racing Performance

Technology & AI

Apple's Siri: How The Most Private AI Assistant Works

Operational Security

How The UK’s AI Plan Will Impact The Cybersecurity Sector

Technology & AI