IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

HMRC suffered 17 data breaches over 15 months

According to a recent report, the breaches affected more than 3,000 individuals

Her Majesty's Revenue and Customs (HMRC) disclosed a total of 17 data breaches to the Information Commissioner's Office (ICO) over a 15-month period, according to a new report

Between January 2020 and March 2021, more than 3,000 individuals have potentially been affected by the 17 data breaches at HMRC, with the most impactful occurring in June 2020 when the department used personal information to make unauthorised changes to customer records.

Basic personal identifiers such as name and contact details were used during the incident in which potentially affected 1,023 individuals. The report indicates the impacted customers were informed of the incident.

Cases in which cyber criminals used personal information to make changes to customer records without proper authorisation formed the bulk of the 17 breaches. A total of 11 cases were of this nature each affecting different numbers of individuals, ranging between three and more than 1,000.

In almost all cases, the potentially affected individuals were informed following the breach with the exception of two incidents, affecting 48 and 160 individuals respectively, not meeting the threshold for communicating the matter with the customers. 

In both cases, basic personal information was thought to be involved however, after further investigation in each, either no evidence of customer impact was found or the customer data involved was so minimal it didn't meet the ICO's standards for disclosure.

Arguably the most serious violation affected four individuals in a case involving an HMRC staffer contravening departmental policy to access internal systems to locate their estranged wife and children - the affected individuals were informed in this case also and the staff member in question was dismissed, HMRC told IT Pro.

Other incidents involved sending one person's bank statements to the wrong person, in one case, and another involving HMRC breaking open a locked pedestal during an office move which led to the loss of "personal content" of one individual. 

"We take the protection of our customers’ information extremely seriously and continually monitor our systems and data to make sure that information is safe," HMRC told IT Pro in a statement.

Related Resource

Automating the modern data warehouse

Freedom from constraints on your data

Automating the modern data warehouseFree Download

"In some of these incidents, customer accounts were accessed using personal data that criminals could have obtained through a variety of methods, including breaches of other organisations’ security. We have established processes for when a customer record is affected by fraudulent activity by a criminal third party.

"We deal with millions of customers every year and tens of millions of paper and electronic interactions. Security and privacy are at the heart of our work. We investigate all security incidents, taking immediate action to reduce the possibility of recurrence," it added.

Elsewhere in the report, HMRC also said it has been engaging with the ICO not just in cases where it was legally required to do so. Regular collaboration between HMRC's data protection team and the ICO took place during this period, in addition to HMRC providing consultancy on new policies and legislation.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022