Britain's HMRC Tax Agency Admits Numerous Data Breaches

The British tax collection agency, Her Majesty's Revenue and Customs (HMRC), has disclosed a total of 17 data breaches to the Information Commissioner’s Office (ICO) over a 15-month period.

Over the period between January 2020 and March 2021, more than 3,000 individuals have potentially been affected, with the most impactful incident occurring in June 2020, when the department used personal information to make unauthorised changes to customer records.

Basic personal identifiers such as name and contact details were used during the incident, which potentially affected 1,023 individuals. The report indicates the impacted customers were informed of the incident.

During 2020 to 2021, there was a significant increase in criminal attacks on the Self Assessment repayment system, according to HMRC's annual report. “As criminals make more sophisticated attacks upon our systems, we have worked to further improve and strengthen our controls to sustainably reduce the level of attempted fraud and its impact on legitimate customers. In 2020 to 2021 over £1.5 billion of Revenue Loss was protected through the SA Repayment System,” says their report.

“Cyber security has proved more challenging, as we continue to implement protections against the evolving threat from cyber criminals, ensuring a high order of IT resilience and system security, whilst delivering new essential services for customers throughout the COVID-19 pandemic. Our programmes are delivering mitigating solutions that reduce the exposure of our cyber security risk to within acceptable levels, but we continue to closely monitor this risk.”

Cases in which cyber criminals used personal information to make changes to customer records without proper authorisation formed the bulk of the 17 breaches. A total of 11 cases were of this nature, each affecting different numbers of individuals, ranging between three and more than 1,000.

In almost all cases, the potentially affected individuals were informed following the breach. The exceptions were two incidents, affecting 48 and 160 individuals respectively, which did not meet the threshold for communicating the matter to the customers. In both cases, basic personal information was thought to be involved; however, after further investigation in each, either no evidence of customer impact was found or the customer data involved was so minimal it didn't meet the ICO's standards for disclosure.

According to the ICO, the tax agency failed to obtain consent for the use of recorded voice messages and other personal biometric data of taxpayers.

The HMRC says it blames some of the security incidents on human error and intends to improve staff training and education to reinforce good security and data-handling processes. “We do this through mandatory security training covering the Data Protection Act and UK GDPR and through targeted and department-wide education and communications campaigns,” says the Report.

Sources: Gov.UK, Information Commissioner's Office, DIGIT, ITPro, Verdict
