
HMRC declares 17 serious data breaches to ICO

The latest Annual Report and Accounts from Her Majesty’s Revenue and Customs (HMRC) has revealed that the organisation referred itself to the Information Commissioner’s Office (ICO) for 17 serious data breaches between January 2020 and March 2021.

Over 3,000 individuals potentially at risk

HMRC’s report says that up to 3,017 individuals were potentially affected and had their privacy compromised by the breaches, all of which involved personal data being put at risk.

1,023 individuals were potentially affected in the most significant data breach incident when an HMRC team member used personal information to update customer records without authorisation. This type of breach occurred a shocking 11 times – almost monthly – during the reporting period and was responsible for nearly the full volume of individuals potentially affected, at 2,999.

However, the most worrying data breach incident saw another HMRC team member caught using internal systems to try and locate his estranged wife and children. This wasn’t the only family-related data breach incident, either. In another case, a customer who had made a Suspicious Activity Report (SAR) request for information from HMRC received details about their former partner and not themselves.

HMRC and others comment on incidents

As is often the case when reporting such matters, HMRC followed the line that it has “learnt lessons” from these data breach incidents and is reviewing its customer identity and authentication processes.

HMRC wrote in its report: “Protecting customer data is important to us and we monitor our processes continually to prevent recurrences. In addition, HMRC is delivering enhanced data security, governance and reporting across the department.”

These weren’t the only data breaches to occur throughout the 15 months covered by the report, but they were the only ones that required reporting to the ICO. As such, many more people could have had their privacy compromised by HMRC without being aware of it.

Donal Blaney, the founder of Griffin Law, who analysed the data in HMRC’s report, told IFA Magazine: “HMRC wields draconian powers, and is increasingly out of control. This is further evidence that HMRC needs to be reined in. They think they’re above the law. They’re not.

Such abuse of its powers, and such criminality, should be investigated to the fullest extent possible by the Information Commissioner and the police if taxpayers are to retain any confidence in HMRC.”

Edward Blake of Absolute Software, also speaking to IFA Magazine, said: “HMRC stores and manages countless quantities of sensitive data on a daily basis. This marks HMRC and similar public sector organisations and large institutions as prime targets on the radar of opportunistic cyber attackers. Large organisations and governmental departments must be privy to this fact, and employ the right protection and security tools to protect customers’ data which is at risk.

“Today there are more access points than ever before for the cyber criminal, and organisations must defend against all possible angles. This includes protecting everything from firmware and devices, to apps and network connections. Adopting ‘Zero Trust’ protocols is one of the most effective ways of stopping bad actors in their tracks, and ensuring that a breach in the system does not necessarily equate to a breach of data. Also, leveraging self-healing technologies to detect and repair unhealthy applications and connections for optimal security and experience is key to boosting network and application security, and negating risk.”

Finally, Tim Sadler of Tessian told IFA Magazine: “The majority of today’s data breaches are caused by people. Why? Because people make mistakes, break the rules and can be hacked. As employees handle and control more data than ever before, organisations must take steps to protect data from incidents caused by people if they’re ever going to stop breaches.”

Tessian’s comments also echo warnings from Experian’s data breach projections for 2022.

If your data was exposed by HMRC, you could be entitled to compensation

Have you been notified by HMRC that your data was exposed?

If so, you could be entitled to data breach compensation.

Contact LawPlus today for a free, no-obligation review of your potential HMRC data breach case.
