HMRC has reported a total of 17 serious data breaches to the Information Commissioner's Office (ICO) over a 15 month period, from January 2020 to March 2021.
The data, analysed by niche litigation practice Griffin Law, was revealed in HMRC’s recently published Annual Report and Accounts. According to the report, a total of 3,017 people were potentially affected by personal data-related incidents.
In the largest incident, 1,023 people were potentially impacted when an HMRC staffer used personal information to make changes to customer records on HMRC systems without authorisation. The most alarming infringement saw an HMRC employee caught accessing an internal system to locate his estranged wife and children, potentially affecting a total of four people.
In another family related data breach, a customer received details about his former partner when making a Suspicious Activity Report (SAR) request for information, potentially impacting the customer and his ex-partner.
During an office relocation, a customer’s locked pedestal desk was forced open, resulting in personal identifiers such as ethnic origin and religious beliefs being exposed. The most frequent breach involved HMRC staffers using personal information to alter customer records on HMRC systems. This occurred on 11 separate occasions, potentially impacting a combined total of 2,999 people.
HMRC stated in the report that it has learnt lessons from the incidents and is using them to review and strengthen its customer identity and authentication process. In spite of the breaches, HMRC stated in the report: “Protecting customer data is important to us and we monitor our processes continually to prevent recurrences. In addition, HMRC is delivering enhanced data security, governance and reporting across the department.”
A number of other personal data-related breaches were revealed but were not required to be reported to the Information Commissioner, instead being recorded centrally within the department.
Donal Blaney, Founder of Griffin Law commented on the breaches, stating: “HMRC wields draconian powers, and is increasingly out of control. This is further evidence that HMRC needs to be reined in. They think they’re above the law. They're not.
"Such abuse of its powers, and such criminality, should be investigated to the fullest extent possible by the Information Commissioner and the police if taxpayers are to retain any confidence in HMRC” he continued.
Security specialist Edward Blake, Area Vice President EMEA for Absolute Software added: “HMRC stores and manages countless quantities of sensitive data on a daily basis. This marks HMRC and similar public sector organisations and large institutions as prime targets on the radar of opportunistic cyber attackers. Large organisations and governmental departments must be privy to this fact, and employ the right protection and security tools to protect customers’ data which is at risk.
“Today there are more access points than ever before for the cyber criminal, and organisations must defend against all possible angles. This includes protecting everything from firmware and devices, to apps and network connections. Adopting ‘Zero Trust’ protocols is one of the most effective ways of stopping bad actors in their tracks, and ensuring that a breach in the system does not necessarily equate to a breach of data. Also, leveraging self-healing technologies to detect and repair unhealthy applications and connections for optimal security and experience is key to boosting network and application security, and negating risk.”
Tim Sadler, CEO and co-founder of Tessian, concluded: “The majority of today’s data breaches are caused by people. Why? Because people make mistakes, break the rules and can be hacked. As employees handle and control more data than ever before, organisations must take steps to protect data from incidents caused by people if they’re ever going to stop breaches.”