IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

HMRC branded ‘incompetent’ following 11 serious data breaches

The incidents, which were reported to the ICO, affected nearly 24,000 people

HM Revenue and Customs (HMRC) reported almost a dozen serious personal data breaches to the UK's data regulator during the most recent financial year, affecting the personal information of thousands of people. 

The 11 incidents, which took place over the course of the 2019/20 financial year, affected 23,173 people, with one incident alone impacting up to 18,864 members of the public, according to an analysis by legal firm Griffin Law.

The law firm has accused HMRC of “breath-taking incompetence” as a result of the newly-disclosed catalogue of incidents, with customers affected by at least one security breach yet to be contacted.

“Taxpayers have a right to expect their sensitive personal data to kept secure by the taxman,” said Griffin Law principle, Donal Blaney. “The Information Commissioner should immediately investigate HMRC for these breaches and hold the taxman to account for this breathtaking incompetence”.

The most serious incident, which occurred in May 2019, regarded National Insurance number letters relating to 16-year-old children being sent with incorrect details, affecting the nearly 19,000 individuals. The data involved spelling mistakes, previous birth names, children now adopted, as well as transgender children. 

Among the incidents was also a fraudulent attack in February 2020 which resulted in 64 employees’ details being obtained from three PAYE schemes. The personal details of 573 people, including name, contact details and ID data, were exposed as a result. These people, however, have not yet been contacted as the incident is still under investigation.

Incidents reported to the Information Commissioner's Office (ICO) during the previous financial year also included a cyber attack against an agent and their client data, affecting 25, as well as a wrongly-accessed taxpayer record that led to a refund to that individual’s mother. 

 “We deal with millions of customers every year and tens of millions of paper and electronic interactions,” HMRC said in its latest annual report. “We take the issue of data security extremely seriously and continually look to improve the security of customer information. 

“We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third-party service providers to ensure that agreed processes are being carried out.”

Cyber security expert and Tessian CEO Tim Sadler commented that human error tends to be the leading cause of data breaches today, and it’s not surprising that accidental incidents caused by people are rising. 

"That's not to say, though, that people are the weakest link when it comes to data security,” he continued. “Mistakes happen - it's human nature - but sometimes these mistakes can expose data and cause significant reputational and financial damage.

"It's an organisation's responsibility, then, to ensure that solutions are put in place to prevent mistakes that compromise cyber security from happening - alerting people to their errors before they do something they regret."

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022
CIAM buyer’s guide
Whitepaper

CIAM buyer’s guide

6 Jun 2022

Most Popular

Raspberry Pi launches next-gen Pico W microcontroller with networking support
Hardware

Raspberry Pi launches next-gen Pico W microcontroller with networking support

1 Jul 2022
Universities are fighting a cyber security war on multiple fronts
cyber security

Universities are fighting a cyber security war on multiple fronts

4 Jul 2022
Hackers claim to steal personal data of over a billion people in China
data breaches

Hackers claim to steal personal data of over a billion people in China

4 Jul 2022