HMRC branded ‘incompetent’ following 11 serious data breaches

The incidents, which were reported to the ICO, affected nearly 24,000 people

HM Revenue and Customs (HMRC) reported almost a dozen serious personal data breaches to the UK's data regulator during the most recent financial year, affecting the personal information of thousands of people. 

The 11 incidents, which took place over the course of the 2019/20 financial year, affected 23,173 people, with one incident alone impacting up to 18,864 members of the public, according to an analysis by legal firm Griffin Law.

The law firm has accused HMRC of “breath-taking incompetence” as a result of the newly-disclosed catalogue of incidents, with customers affected by at least one security breach yet to be contacted.

“Taxpayers have a right to expect their sensitive personal data to kept secure by the taxman,” said Griffin Law principle, Donal Blaney. “The Information Commissioner should immediately investigate HMRC for these breaches and hold the taxman to account for this breathtaking incompetence”.

The most serious incident, which occurred in May 2019, regarded National Insurance number letters relating to 16-year-old children being sent with incorrect details, affecting the nearly 19,000 individuals. The data involved spelling mistakes, previous birth names, children now adopted, as well as transgender children. 

Among the incidents was also a fraudulent attack in February 2020 which resulted in 64 employees’ details being obtained from three PAYE schemes. The personal details of 573 people, including name, contact details and ID data, were exposed as a result. These people, however, have not yet been contacted as the incident is still under investigation.

Incidents reported to the Information Commissioner's Office (ICO) during the previous financial year also included a cyber attack against an agent and their client data, affecting 25, as well as a wrongly-accessed taxpayer record that led to a refund to that individual’s mother. 

 “We deal with millions of customers every year and tens of millions of paper and electronic interactions,” HMRC said in its latest annual report. “We take the issue of data security extremely seriously and continually look to improve the security of customer information. 

“We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third-party service providers to ensure that agreed processes are being carried out.”

Cyber security expert and Tessian CEO Tim Sadler commented that human error tends to be the leading cause of data breaches today, and it’s not surprising that accidental incidents caused by people are rising. 

"That's not to say, though, that people are the weakest link when it comes to data security,” he continued. “Mistakes happen - it's human nature - but sometimes these mistakes can expose data and cause significant reputational and financial damage.

"It's an organisation's responsibility, then, to ensure that solutions are put in place to prevent mistakes that compromise cyber security from happening - alerting people to their errors before they do something they regret."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

How to encrypt files and folders in Windows 10
encryption

How to encrypt files and folders in Windows 10

9 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Evidence suggests REvil behind Harris Federation ransomware attack
ransomware

Evidence suggests REvil behind Harris Federation ransomware attack

9 Apr 2021
Fujitsu taps Trend Micro to secure private 5G networks in smart factories
5G

Fujitsu taps Trend Micro to secure private 5G networks in smart factories

8 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021