HMRC declares 17 serious data breaches to ICO

Her Majesty's Revenue and Customs (HMRC) has reported a total of 17 serious data breaches to the Information Commissioner's Office (ICO) over 15 months.

HMRC has reported a total of 17 serious data breaches to the Information Commissioner's Office (ICO) over a 15 month period, from January 2020 to March 2021.

The data, analysed by niche litigation practice Griffin Law, was revealed in HMRC’s recently published Annual Report and Accounts. According to the report, a total of 3,017 people were potentially affected by personal data-related incidents.

In the largest incident, 1,023 people were potentially impacted when an HMRC staffer used personal information to make changes to customer records on HMRC systems without authorisation. The most alarming infringement saw an HMRC employee caught accessing an internal system to locate his estranged wife and children, potentially affecting a total of four people.

In another family related data breach, a customer received details about his former partner when making a Suspicious Activity Report (SAR) request for information, potentially impacting the customer and his ex-partner.

During an office relocation, a customer’s locked pedestal desk was forced open, resulting in personal identifiers such as ethnic origin and religious beliefs being exposed. The most frequent breach involved HMRC staffers using personal information to alter customer records on HMRC systems. This occurred on 11 separate occasions, potentially impacting a combined total of 2,999 people.

HMRC stated in the report that it has learnt lessons from the incidents and is using them to review and strengthen its customer identity and authentication process. In spite of the breaches, HMRC stated in the report: “Protecting customer data is important to us and we monitor our processes continually to prevent recurrences. In addition, HMRC is delivering enhanced data security, governance and reporting across the department.”

A number of other personal data-related breaches were revealed but were not required to be reported to the Information Commissioner, instead being recorded centrally within the department.

Donal Blaney, Founder of Griffin Law commented on the breaches, stating: “HMRC wields draconian powers, and is increasingly out of control. This is further evidence that HMRC needs to be reined in. They think they’re above the law. They're not.

"Such abuse of its powers, and such criminality, should be investigated to the fullest extent possible by the Information Commissioner and the police if taxpayers are to retain any confidence in HMRC” he continued.

Security specialist Edward Blake, Area Vice President EMEA for Absolute Software added: “HMRC stores and manages countless quantities of sensitive data on a daily basis. This marks HMRC and similar public sector organisations and large institutions as prime targets on the radar of opportunistic cyber attackers. Large organisations and governmental departments must be privy to this fact, and employ the right protection and security tools to protect customers’ data which is at risk.

“Today there are more access points than ever before for the cyber criminal, and organisations must defend against all possible angles. This includes protecting everything from firmware and devices, to apps and network connections. Adopting ‘Zero Trust’ protocols is one of the most effective ways of stopping bad actors in their tracks, and ensuring that a breach in the system does not necessarily equate to a breach of data. Also, leveraging self-healing technologies to detect and repair unhealthy applications and connections for optimal security and experience is key to boosting network and application security, and negating risk.”

Tim Sadler, CEO and co-founder of Tessian, concluded: “The majority of today’s data breaches are caused by people. Why? Because people make mistakes, break the rules and can be hacked. As employees handle and control more data than ever before, organisations must take steps to protect data from incidents caused by people if they’re ever going to stop breaches.”


Featured Articles

ICYMI: New Age of the CISO and cybersecurity trends for 2023

A week is a long time in cybersecurity, so here’s a round-up of the Cyber Magazine articles that have been starting conversations around the world

Kingfisher chooses Google Cloud as catalyst for growth

Google Cloud will support Kingfisher's digital ambitions with a range of solutions, from infrastructure to data analytics.

ICYMI: Cyber predictions for 2023 and trouble in paradise

A week is a long time in cybersecurity, so here’s a round-up of the Cyber Magazine articles that have been starting conversations around the world

Osirium shares its cyber predictions for 2023

Cyber Security

ICYMI: Unloved emails and cybersecurity worth $500bn by 2030

Cyber Security

Cyber security market anticipated to reach $500bn by 2030

Cyber Security