Law firm accuses HMRC of ‘incompetence’ following 11 serious data breaches

The data breaches revealed in HMRC’s newly published annual report, which were analysed by Griffin Law, are estimated to have affected a total of 23,173 people.

The most widespread and serious of the 11 incidents occurred in May this year, at the height of the lockdown, with National Insurance number letters relating to 16-year-old children being released with incorrect details, impacting up to 18,864 people.

However, the incident that was found to be the most severe was a fraudulent attack in February 2020, which resulted in 64 employees’ names, contact details and login credentials being obtained from three PAYE schemes and leaked. An estimated 573 people were impacted.

Released on the 5th November, the HMRC report said that the affected customers had not yet been contacted, but the incident is still under investigation.

Other documented incidents include a cyber attack against an agent and their client data, affecting 25 people; an incorrectly accessed taxpayer record, and a resulting refund to the taxpayer’s mother; and the leaking of medical documents, private correspondence and company data due to paperwork being left on a train.

While a further 3,616 ‘centrally managed’ security incidents were also recorded, specific details were not revealed.

In the report, HMRC stated: “We deal with millions of customers every year and tens of millions of paper and electronic interactions. We take the issue of data security extremely seriously and continually look to improve the security of customer information.

“We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents.

“For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third party service providers to ensure that agreed processes are being carried out.”

Following analysis of the incidents, Donal Blaney, founder and principal of Griffin Law, said: “Taxpayers have a right to expect their sensitive personal data to be kept secure by the taxman.

“The Information Commissioner should immediately investigate HMRC for these breaches, and hold the taxman to account for this breathtaking incompetence.”

Tim Sadler, CEO of cyber security company Tessian, commented: “Human error is the leading cause of data breaches today, and given that people are in control of more data than ever before, it’s also not that surprising that security incidents caused by human error are rising.

“That’s not to say, though, that people are the weakest link when it comes to data security. Mistakes happen – it’s human nature – but sometimes these mistakes can expose data and cause significant reputational and financial damage.

“It’s an organisation’s responsibility, then, to ensure that solutions are put in place to prevent mistakes that compromise cyber security from happening – alerting people to their errors before they do something they regret.”

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.
