Britain's HMRC Tax Agency Admits Numerous Data Breaches

The British tax collection agency, Her Majesty's Revenue and Customs (HMRC), has disclosed a total of 17 data breaches to the Information Commissioner’s Office (ICO) over a 15-month period.

Between January 2020 and March 2021, more than 3,000 individuals were potentially affected, with the most impactful incident occurring in June 2020, when the department used personal information to make unauthorised changes to customer records.

Basic personal identifiers such as name and contact details were used during the incident, which potentially affected 1,023 individuals. The report indicates the impacted customers were informed of the incident.

During 2020 to 2021, there was a significant increase in criminal attacks on the Self Assessment repayment system, according to HMRC's annual report. “As criminals make more sophisticated attacks upon our systems, we have worked to further improve and strengthen our controls to sustainably reduce the level of attempted fraud and its impact on legitimate customers. In 2020 to 2021 over £1.5 billion of Revenue Loss was protected through the SA Repayment System,” says the report.

“Cyber security has proved more challenging, as we continue to implement protections against the evolving threat from cyber criminals, ensuring a high order of IT resilience and system security, whilst delivering new essential services for customers throughout the COVID-19 pandemic. Our programmes are delivering mitigating solutions that reduce the exposure of our cyber security risk to within acceptable levels, but we continue to closely monitor this risk.”

Cases in which cyber criminals used personal information to make changes to customer records without proper authorisation formed the bulk of the 17 breaches. A total of 11 cases were of this nature, each affecting a different number of individuals, ranging between three and more than 1,000.

In almost all cases, the potentially affected individuals were informed following the breach. The exceptions were two incidents, affecting 48 and 160 individuals respectively, which did not meet the threshold for communicating the matter to the customers. In both cases, basic personal information was thought to be involved; however, after further investigation in each, either no evidence of customer impact was found or the customer data involved was so minimal it didn't meet the ICO's standards for disclosure.

According to the ICO, the tax agency failed to obtain consent for the use of recorded voice messages and other personal biometric data of taxpayers.

HMRC blames some of the security incidents on human error and intends to improve staff training and education to reinforce good security and data-handling processes. “We do this through mandatory security training covering the Data Protection Act and UK GDPR and through targeted and department-wide education and communications campaigns,” says the report.

Sources: Gov.UK, Information Commissioner's Office, DIGIT, ITPro, Verdict
