Her Majesty’s Revenue and Customs (HMRC) reported 17 data breaches to the Information Commissioner’s Office (ICO) over a 15-month period. That’s an average of more than one data protection failure a month. In total, more than 3,000 people could have had their data compromised by HMRC between January 2020 and March 2021.
Data breaches at HMRC
- Most breaches happened when unauthorised third parties used personal information to make changes to customer records. In the largest recorded incident, 1,023 people were affected.
- In one particularly worrying incident, an employee was caught using HMRC’s system to locate his estranged wife and children.
- In another breach, a person’s bank statement was sent to someone else.
- In one case, a desk was forced open, exposing personal information such as the ethnic origin and religious beliefs of an individual.
HMRC has stated that “Protecting customer data is important to us, and we monitor our processes continually to prevent recurrences.”
It also said:
“In some of these incidents, customer accounts were accessed using personal data that criminals could have obtained through a variety of methods, including breaches of other organisations’ security. We have established processes for when a customer record is affected by fraudulent activity by a criminal third party.
“We deal with millions of customers every year and tens of millions of paper and electronic interactions. Security and privacy are at the heart of our work. We investigate all security incidents, taking immediate action to reduce the possibility of recurrence”.
Is HMRC learning from its mistakes?
In December last year, we reported how, according to the ICO, HMRC had reported 11 ‘serious’ personal data incidents affecting over 20,000 people. With the rise in cases and affected individuals, questions must now be asked about how seriously HMRC is taking the matter.
Commenting on this issue, Head of Data Breach, Kingsley Hayes said:
“Modern governance and the delivery of public services requires the sharing of a wide range of our sensitive information. As such, more data is being processed than ever before. But a reliance on unsecured legacy software, an untrained workforce, and out-of-date processes has made the sector vulnerable. So, when it comes to local and national government services, people across the country are left paying the price. In light of the many privacy violations by the taxman, it is essential that HMRC takes the threat of a data breach seriously and ensures proper processes and training are in place to stop such violations from happening. Incompetence is no excuse.”
IF YOU HAVE BEEN A VICTIM OF AN HMRC DATA BREACH, WE CAN HELP YOU MAKE A NO-WIN, NO-FEE CLAIM FOR COMPENSATION.
