The latest Annual Report & Accounts from Her Majesty’s Revenue & Customs (HMRC) has revealed that over 10,000 customers were potentially affected by data breaches involving the organisation in the last year.
The report also revealed that HMRC reported 22 data breaches involving personal data to the Information Commissioner’s Office (ICO), an increase on last year’s figure.
Of these 22 incidents:
- 16 were attributed to unauthorised disclosure of data
- Three involved the use of personal information to make unauthorised changes to customer records
- Two were attributed by HMRC to the loss of inadequately protected electronic equipment, devices or documents from secured government premises
- Two were attributed to “other” issues
While the number of incidents grew, the number of people affected fell from over 18,000 in the previous year.
HMRC also reported a further five data breaches that were not reported to the ICO; these affected 911 individuals.
The body said it had made several changes to improve the identification and reporting of breaches involving personal data, including:
- Delivering a Cyber Tactical Remediation Programme
- Migrating some services out of legacy data centres
- Implementing a new Security Incident Response Tool
Regarding data breach incidents, HMRC said it aims to “reach a tolerable position by March 2025.” The body added it was currently implementing a three-year Enterprise Security Programme alongside its existing Securing our Technical Future Programme.
As well as spending £12 million on recruiting data specialists and growing its data analysis team since 2017, HMRC has also switched key platforms to the cloud.
According to DIGIT, HMRC wrote in its report: “We are still in the process of delivering our planned mitigations, focussing on moving away from legacy technologies and embracing newer and more secure systems.
“Cybersecurity remains a challenging area due to the rapidly evolving cyber-threat landscape, and until improvements are fully implemented, this risk will remain significant.”
DIGIT also carried reaction to the report from Achi Lewis, Area VP EMEA for Absolute Software. Lewis told DIGIT: “Due to the volume of staff that large organisations like HMRC employ, it is inevitable that data incidents are going to occur. What’s crucial is that these organisations mitigate the volume of breaches as protecting customer data is vital.
“Staff training programmes are one aspect of the solution, and HMRC should be commended for taking this seriously. Arming staff with the knowledge of potential threats and the consequences of breaches can help them stay vigilant, and prevent potential losses before they occur, as well as being able to improve their reporting of these incidents.
“Solutions such as Zero-Trust Network Access can help to evaluate all users and their devices each time they connect to a network or application, only granting access if they are trusted. Should a malicious actor breach an application, they will be shut off from the rest of the network. Secure access controls, on top of this, can give IT teams the power to freeze or shut off compromised devices to prevent further breaches from occurring across a network.”