HM Revenue & Customs (HMRC) contacted the Information Commissioner’s Office (ICO) on eleven different occasions between April 2019 and April 2020 about data security incidents.
These included a fraudulent attack that resulted in the theft of personal data (PII) of approximately 64 employees from three different PAYE systems, which could potentially affect up to 573 people, as well as a cyber attack on an HMRC agent and its data that compromised the self-assessment payment records of 25 people.
Other incidents reported during the period included the wrongful disclosure of data on 18,864 children in national insurance letters, a delivery failure that resulted in a subject access request (SAR) response being sent to the wrong address, documents left on a train, the wrong Excel spreadsheet sent instead of a blank one, and an HMRC advisor who mistakenly accessed a taxpayer’s records and issued his mother a refund.
HMRC also recorded a small number of non-reportable incidents, including the loss or unsafe disposal of electronic equipment, devices or paper documents, as well as 3,316 security incidents that were centrally managed.
“We deal with millions of customers and tens of millions of paper and electronic interactions every year. We take data security very seriously and are continuously striving to improve the security of customer information,” said HMRC in its latest annual report.
“We investigate and analyze all security incidents in order to understand and reduce the security and information risk. We actively learn from our incidents and respond to them, for example by changing business processes related to postal moves across HMRC and performing assurance work with third-party providers to ensure agreed processes are being carried out.
“We also train our employees to improve good security and data processing processes through award-winning, targeted and department-wide campaigns. These focus on reducing security and information risk, as well as reducing the likelihood of the same problem occurring again. All HMRC employees must complete mandatory security training that includes the requirements of the Data Protection Act and the GDPR [General Data Protection Regulation]. By continuing to educate and train our employees, we can ensure that HMRC is seen as a trustworthy and professional organization.”
Donal Blaney, Principal at Griffin Law, said, “Taxpayers have the right to expect their sensitive personal information to be kept safe by the tax officer. The Information Commissioner should immediately investigate HMRC for these violations and hold the tax inspector accountable for this staggering incompetence.”
Tim Sadler, CEO of Tessian, added, “Human error is the number one cause of data breach today. With people in control of more data than ever before, it’s no surprise that security incidents caused by human error are on the rise.
“But that doesn’t mean that people are the weakest link when it comes to data security. Mistakes happen – it is human nature – but sometimes these mistakes can expose data and cause significant reputational and financial damage. It is therefore a company’s responsibility to ensure that solutions are put in place to prevent mistakes that put cybersecurity at risk and to make people aware of their mistakes before they do something they regret.”
HMRC stated that, in a highly complex threat landscape, it is continuing to step up the activities of its Cyber Security Command Center to mitigate the risk of cyber attacks, insider threats and other risks as part of an ongoing learning process.
Probably the government agency most impersonated by cyber criminals, the tax authority recently rolled out new vulnerability management and threat detection capabilities, as well as an automated anti-phishing email management tool that it claims can automatically initiate over 80% of requests to take down malicious websites without human intervention.
In addition, the department conducted a cyber performance review, with a focus on mission-critical services, and as a result developed a costed and prioritised plan for moving to a more appropriate security posture “in line with established cybersecurity frameworks for HMRC standards”. A “rapid remediation” programme, expected to last between 12 and 18 months, is now being launched to reduce cyber risk to what is described as a “tolerable level”.