HMRC branded ‘incompetent’ following 11 serious data breaches

The incidents, which were reported to the ICO, affected nearly 24,000 people

HM Revenue and Customs (HMRC) reported almost a dozen serious personal data breaches to the UK's data regulator during the most recent financial year, affecting the personal information of thousands of people. 

The 11 incidents, which took place over the course of the 2019/20 financial year, affected 23,173 people, with one incident alone impacting up to 18,864 members of the public, according to an analysis by legal firm Griffin Law.

The law firm has accused HMRC of “breath-taking incompetence” as a result of the newly-disclosed catalogue of incidents, with customers affected by at least one security breach yet to be contacted.

“Taxpayers have a right to expect their sensitive personal data to be kept secure by the taxman,” said Griffin Law principal, Donal Blaney. “The Information Commissioner should immediately investigate HMRC for these breaches and hold the taxman to account for this breathtaking incompetence”.

The most serious incident, which occurred in May 2019, involved National Insurance number letters relating to 16-year-old children being sent with incorrect details, affecting nearly 19,000 individuals. The incorrect details involved spelling mistakes, previous birth names, children now adopted, as well as transgender children.

Among the incidents was also a fraudulent attack in February 2020 which resulted in 64 employees’ details being obtained from three PAYE schemes. The personal details of 573 people, including name, contact details and ID data, were exposed as a result. These people, however, have not yet been contacted as the incident is still under investigation.

Incidents reported to the Information Commissioner's Office (ICO) during the previous financial year also included a cyber attack against an agent and their client data, affecting 25, as well as a wrongly-accessed taxpayer record that led to a refund to that individual’s mother. 

 “We deal with millions of customers every year and tens of millions of paper and electronic interactions,” HMRC said in its latest annual report. “We take the issue of data security extremely seriously and continually look to improve the security of customer information. 

“We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third-party service providers to ensure that agreed processes are being carried out.”

Cyber security expert and Tessian CEO Tim Sadler commented that human error tends to be the leading cause of data breaches today, and it’s not surprising that accidental incidents caused by people are rising. 

"That's not to say, though, that people are the weakest link when it comes to data security,” he continued. “Mistakes happen - it's human nature - but sometimes these mistakes can expose data and cause significant reputational and financial damage.

"It's an organisation's responsibility, then, to ensure that solutions are put in place to prevent mistakes that compromise cyber security from happening - alerting people to their errors before they do something they regret."
