HMRC under fire for “serious” personal data breaches affecting 20,000-plus individuals
16 December 2020
HER MAJESTY’S Revenue and Customs (HMRC) has reported no fewer than 11 “serious” personal data incidents to the Information Commissioner’s Office (ICO) in the most recent financial year. The incidents, disclosed in HMRC’s newly-published Annual Report, are estimated to have affected 23,173 individuals in total.
An analysis conducted by litigation practice Griffin Law shows that the most widespread and serious personal data incident recorded in the report happened in May this year at the height of lockdown, when National Insurance number letters relating to 16-year-old children were sent out with incorrect details, impacting up to 18,864 members of the public.
However, the most severe incident occurred back in February, when a fraudulent attack resulted in 64 employees’ details being obtained from three PAYE schemes. Names, contact details and ID data (such as passwords and usernames) were leaked. An estimated 573 people are said to have been impacted as a direct result. According to the HMRC report, the incident is still under investigation.
Other data incidents documented by HMRC in its Annual Report include a cyber attack against an agent (and their client data) affecting 25 people; an incorrectly accessed taxpayer record (and a resulting refund paid to the taxpayer’s mother); the leak of addresses and property details caused by the use of an incorrect Excel spreadsheet; and the leak of medical documents, private correspondence and company data after paperwork was left on a train.
A further 3,616 ‘centrally managed’ security incidents were also recorded. However, specific details of these incidents are not revealed.
HMRC has stated: “We deal with millions of customers every year and tens of millions of paper and electronic interactions. We take the issue of data security extremely seriously and continually look to improve the security of customer information. We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn from and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third party service providers to ensure that agreed processes are being carried out.”
Cyber security expert Tim Sadler, CEO at Tessian, commented: “Human error is the leading cause of data breaches today. Given that people are in control of more data than ever before, it’s also not that surprising that security incidents caused by human error are rising. This isn’t to say, though, that people are the weakest link when it comes to data security. Mistakes happen. It’s human nature, but sometimes these mistakes can expose data and cause significant reputational and financial damage.”
Sadler added: “It’s an organisation’s responsibility to ensure that solutions are put in place to prevent mistakes that could potentially compromise cyber security from ever happening. Alerting people to their errors before they do something they’ll regret is vital.”
Donal Blaney, principal at Griffin Law, commented: “Taxpayers have a right to expect that their sensitive personal data will be kept secure by the taxman. The Information Commissioner should immediately investigate HMRC for these breaches and hold the Government department to account.”