HMRC branded ‘incompetent’ following 11 serious data breaches

A person on a laptop to depict hacking
(Image credit: Shutterstock)

HM Revenue and Customs (HMRC) reported almost a dozen serious personal data breaches to the UK's data regulator during the most recent financial year, affecting the personal information of thousands of people.

The 11 incidents, which took place over the course of the 2019/20 financial year, affected 23,173 people, with one incident alone impacting up to 18,864 members of the public, according to an analysis by legal firm Griffin Law.

The law firm has accused HMRC of “breath-taking incompetence” as a result of the newly-disclosed catalogue of incidents, with customers affected by at least one security breach yet to be contacted.

“Taxpayers have a right to expect their sensitive personal data to kept secure by the taxman,” said Griffin Law principle, Donal Blaney. “The Information Commissioner should immediately investigate HMRC for these breaches and hold the taxman to account for this breathtaking incompetence”.

The most serious incident, which occurred in May 2019, regarded National Insurance number letters relating to 16-year-old children being sent with incorrect details, affecting the nearly 19,000 individuals. The data involved spelling mistakes, previous birth names, children now adopted, as well as transgender children.

Among the incidents was also a fraudulent attack in February 2020 which resulted in 64 employees’ details being obtained from three PAYE schemes. The personal details of 573 people, including name, contact details and ID data, were exposed as a result. These people, however, have not yet been contacted as the incident is still under investigation.

Incidents reported to the Information Commissioner's Office (ICO) during the previous financial year also included a cyber attack against an agent and their client data, affecting 25, as well as a wrongly-accessed taxpayer record that led to a refund to that individual’s mother.

“We deal with millions of customers every year and tens of millions of paper and electronic interactions,” HMRC said in its latest annual report. “We take the issue of data security extremely seriously and continually look to improve the security of customer information.

“We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third-party service providers to ensure that agreed processes are being carried out.”

Cyber security expert and Tessian CEO Tim Sadler commented that human error tends to be the leading cause of data breaches today, and it’s not surprising that accidental incidents caused by people are rising.

"That's not to say, though, that people are the weakest link when it comes to data security,” he continued. “Mistakes happen - it's human nature - but sometimes these mistakes can expose data and cause significant reputational and financial damage.

"It's an organisation's responsibility, then, to ensure that solutions are put in place to prevent mistakes that compromise cyber security from happening - alerting people to their errors before they do something they regret."

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.