Britain's HMRC Tax Agency Admits Numerous Data Breaches

Uploaded on 2021-12-22 in GOVERNMENT-National, FREE TO VIEW

The British tax collection agency, Her Majesty's Revenue and Customs (HMRC) has disclosed a total of 17 data breaches to the Information Commissioner’s Office Information (ICO) over a 15-month period.

Over the period between January 2020 and March 2021, more than 3,000 individuals have potentially been affected , with the most impactful occurring in June 2020 when the department used personal information to make unauthorised changes to customer records.

Basic personal identifiers such as name and contact details were used during the incident in which potentially affected 1,023 individuals. The report indicates the impacted customers were informed of the incident.

During 2020 to 2021, there was a significant increase in criminal attacks on the Self Assessment repayment system, according to HMRC's annual report. “As criminals make more sophisticated attacks upon our systems, we have worked to further improve and strengthen our controls to sustainably reduce the level of attempted fraud and its impact on legitimate customers. In 2020 to 2021 over £1.5 billion of Revenue Loss was protected through the SA Repayment System,” says their report

“Cyber security has proved more challenging, as we continue to implement protections against the evolving threat from cyber criminals, ensuring a high order of IT resilience and system security, whilst delivering new essential services for customers throughout the COVID-19 pandemic. Our programmes are delivering mitigating solutions that reduce the exposure of our cyber security risk to within acceptable levels, but we continue to closely monitor this risk.”

Cases in which cyber criminals used personal information to make changes to customer records without proper authorisation formed the bulk of the 17 breaches. A total of 11 cases were of this nature each affecting different numbers of individuals, ranging between three and more than 1,000.

In almost all cases, the potentially affected individuals were informed following the breach with the exception of two incidents, affecting 48 and 160 individuals respectively, not meeting the threshold for communicating the matter with the customers. In both cases, basic personal information was thought to be involved however, after further investigation in each, either no evidence of customer impact was found or the customer data involved was so minimal it didn't meet the ICO's standards for disclosure.

According to the ICO, the tax agency failed to obtain consent for the use of recorded voice messages and other personal biometric data of tax payers. 

The HMRC says it blames some of the security incidents on human error and intends to improve staff training  education to reinforce good security and data-handling processes. “We do this through mandatory security training covering the Data Protection Act and UK GDPR and through targeted and department-wide education and communications campaigns,“ says the Report.   

Gov.UK:    Information Commissioner's Office:     DIGIT:       ITPro:     Verdict:  

You Might Also Read: 

Boris Johnson's Cabinet Office Fined £500k For Leaking Data:

 

« Most British Workers Are Unaware Of Cyber Threats
Belgium’s Military Suffer From Log4j Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Mobile Mentor

Mobile Mentor

Mobile Mentor is an independent provider of enterprise mobility solutions in New Zealand and Australia.

Qolcom

Qolcom

Qolcom is a leading UK based integrator of secure wireless network and mobile device management solutions.

Clusit

Clusit

Clusit is the Italian Association for Information Security, a nonprofit organization devoted to promoting every aspect of information security.

Cydome

Cydome

Cydome offers full-spectrum cybersecurity solutions tailored for the maritime industry.

CloudOak

CloudOak

CloudOak is a cloud channel provider for hybrid cloud Backup as a Service (BaaS), Disaster Recovery as a Service (DRaaS) and Archiving to Small to Medium Business (SMB).

Variti

Variti

Variti Intelligent Active Bot Protection technology — traffic analysis, detection and stopping of malicious bots in real-time and effective response to DDoS attacks.

Ribbon Communications

Ribbon Communications

Ribbon Communications delivers global communications software and network solutions to service providers, enterprises, and critical infrastructure sectors.

Fortiedge

Fortiedge

Fortiedge is an IT Security solution provider specializing in Cyber Security practices and solutions for our clients.

EasyDMARC

EasyDMARC

EasyDMARC deliver the most comprehensive product for anyone who strives to build the most secure possible defence system for their email ecosystem.

Casepoint

Casepoint

Casepoint is the legal technology platform of choice for corporations, government agencies, and law firms to meet their complex eDiscovery, investigations, and compliance needs.

Royal United Services Institute (RUSI)

Royal United Services Institute (RUSI)

The Royal United Services Institute is an independent think tank engaged in cutting edge defence and security research. Areas of research include cyber security and resilience.

eMudhra

eMudhra

eMudhra is a leader in Identity and Transaction Management Solutions.

Allot

Allot

Allot are a global provider of leading innovative network intelligence and security solutions for Service Providers and Enterprises worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ClearFocus Technologies

ClearFocus Technologies

ClearFocus Technologies provides advanced cybersecurity services that secure our nation’s most sensitive assets.

MIND

MIND

MIND is the first-ever data security platform that puts data loss prevention and insider risk management programs on autopilot, so you can automatically identify, detect and prevent data leaks.