
Cyber fears as HMRC declares 17 serious data breaches to ICO

More than 3,000 people potentially affected by the personal data-related incidents, which include employee abuse of internal systems

Posted 15 December 2021 by Christine Horton


Her Majesty’s Revenue and Customs (HMRC) has declared 17 serious data breaches to the ICO over the past 15 months.

The breaches were revealed in HMRC’s recently published Annual Report and Accounts.

According to the report, a total of 3,017 people were potentially affected by personal data-related incidents.

In the largest incident, 1,023 people were potentially impacted when an HMRC staffer used personal information to make changes to customer records on HMRC systems without authorisation.

The most alarming infringement was an HMRC employee caught accessing an internal system to locate his estranged wife and children.

In another family-related data breach, a customer received details about his former partner when making a SAR (Suspicious Activity Report) request for information, potentially impacting the customer and his ex-partner.

During an office relocation, a customer’s locked pedestal desk was forced open, resulting in personal identifiers such as ethnic origin and religious beliefs being exposed.

The most frequent breach involved HMRC staffers using personal information to alter customer records on HMRC systems. This occurred on 11 separate occasions, potentially impacting a combined total of 2,999 people.

‘Above the law’

HMRC stated in the report that they have learnt lessons from the incidents and are using them to review and strengthen their customer identity and authentication process.

In spite of the breaches, HMRC stated in the report: “Protecting customer data is important to us and we monitor our processes continually to prevent recurrences. In addition, HMRC is delivering enhanced data security, governance and reporting across the department.”

A number of other personal data-related breaches were revealed but were not required to be reported to the Information Commissioner, instead being recorded centrally within the department.

“HMRC wields draconian powers, and is increasingly out of control. This is further evidence that HMRC needs to be reined in. They think they’re above the law. They’re not,” said Donal Blaney, founder of niche litigation practice Griffin Law.

“Such abuse of its powers, and such criminality, should be investigated to the fullest extent possible by the Information Commissioner and the police if taxpayers are to retain any confidence in HMRC.”

In the previous financial year, HMRC reported 11 ‘serious’ personal data incidents to the ICO.