HMRC branded ‘incompetent’ following 11 serious data breaches

The incidents, which were reported to the ICO, affected nearly 24,000 people

HM Revenue and Customs (HMRC) reported almost a dozen serious personal data breaches to the UK's data regulator during the most recent financial year, affecting the personal information of thousands of people. 

The 11 incidents, which took place over the course of the 2019/20 financial year, affected 23,173 people, with one incident alone impacting up to 18,864 members of the public, according to an analysis by legal firm Griffin Law.

The law firm has accused HMRC of “breath-taking incompetence” as a result of the newly-disclosed catalogue of incidents, with customers affected by at least one security breach yet to be contacted.

“Taxpayers have a right to expect their sensitive personal data to kept secure by the taxman,” said Griffin Law principle, Donal Blaney. “The Information Commissioner should immediately investigate HMRC for these breaches and hold the taxman to account for this breathtaking incompetence”.

The most serious incident, which occurred in May 2019, regarded National Insurance number letters relating to 16-year-old children being sent with incorrect details, affecting the nearly 19,000 individuals. The data involved spelling mistakes, previous birth names, children now adopted, as well as transgender children. 

Among the incidents was also a fraudulent attack in February 2020 which resulted in 64 employees’ details being obtained from three PAYE schemes. The personal details of 573 people, including name, contact details and ID data, were exposed as a result. These people, however, have not yet been contacted as the incident is still under investigation.

Incidents reported to the Information Commissioner's Office (ICO) during the previous financial year also included a cyber attack against an agent and their client data, affecting 25, as well as a wrongly-accessed taxpayer record that led to a refund to that individual’s mother. 

 “We deal with millions of customers every year and tens of millions of paper and electronic interactions,” HMRC said in its latest annual report. “We take the issue of data security extremely seriously and continually look to improve the security of customer information. 

“We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third-party service providers to ensure that agreed processes are being carried out.”

Cyber security expert and Tessian CEO Tim Sadler commented that human error tends to be the leading cause of data breaches today, and it’s not surprising that accidental incidents caused by people are rising. 

"That's not to say, though, that people are the weakest link when it comes to data security,” he continued. “Mistakes happen - it's human nature - but sometimes these mistakes can expose data and cause significant reputational and financial damage.

"It's an organisation's responsibility, then, to ensure that solutions are put in place to prevent mistakes that compromise cyber security from happening - alerting people to their errors before they do something they regret."

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021