IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

HMRC suffered 17 data breaches over 15 months

According to a recent report, the breaches affected more than 3,000 individuals

Her Majesty's Revenue and Customs (HMRC) disclosed a total of 17 data breaches to the Information Commissioner's Office (ICO) over a 15-month period, according to a new report

Between January 2020 and March 2021, more than 3,000 individuals have potentially been affected by the 17 data breaches at HMRC, with the most impactful occurring in June 2020 when the department used personal information to make unauthorised changes to customer records.

Basic personal identifiers such as name and contact details were used during the incident in which potentially affected 1,023 individuals. The report indicates the impacted customers were informed of the incident.

Cases in which cyber criminals used personal information to make changes to customer records without proper authorisation formed the bulk of the 17 breaches. A total of 11 cases were of this nature each affecting different numbers of individuals, ranging between three and more than 1,000.

In almost all cases, the potentially affected individuals were informed following the breach with the exception of two incidents, affecting 48 and 160 individuals respectively, not meeting the threshold for communicating the matter with the customers. 

In both cases, basic personal information was thought to be involved however, after further investigation in each, either no evidence of customer impact was found or the customer data involved was so minimal it didn't meet the ICO's standards for disclosure.

Arguably the most serious violation affected four individuals in a case involving an HMRC staffer contravening departmental policy to access internal systems to locate their estranged wife and children - the affected individuals were informed in this case also and the staff member in question was dismissed, HMRC told IT Pro.

Other incidents involved sending one person's bank statements to the wrong person, in one case, and another involving HMRC breaking open a locked pedestal during an office move which led to the loss of "personal content" of one individual. 

"We take the protection of our customers’ information extremely seriously and continually monitor our systems and data to make sure that information is safe," HMRC told IT Pro in a statement.

Related Resource

Automating the modern data warehouse

Freedom from constraints on your data

Automating the modern data warehouseFree Download

"In some of these incidents, customer accounts were accessed using personal data that criminals could have obtained through a variety of methods, including breaches of other organisations’ security. We have established processes for when a customer record is affected by fraudulent activity by a criminal third party.

"We deal with millions of customers every year and tens of millions of paper and electronic interactions. Security and privacy are at the heart of our work. We investigate all security incidents, taking immediate action to reduce the possibility of recurrence," it added.

Elsewhere in the report, HMRC also said it has been engaging with the ICO not just in cases where it was legally required to do so. Regular collaboration between HMRC's data protection team and the ICO took place during this period, in addition to HMRC providing consultancy on new policies and legislation.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Why India wants to become a chipmaking powerhouse

Why India wants to become a chipmaking powerhouse

28 Jun 2022