HMRC referred 11 data security incidents to ICO in 2019-20

HM Revenue & Customs (HMRC) referred itself to the Information Commissioner’s Office (ICO) on 11 separate occasions between April 2019 and April 2020 over data security incidents.

These included a fraudulent attack that resulted in the theft of personally identifiable information (PII) about 64 employees from three different PAYE schemes – potentially affecting up to 573 people – and a cyber attack on an HMRC agent and their data that saw the self-assessment payment records of 25 people compromised.

Other incidents notified during the period included the disclosure of the incorrect details of 18,864 children in National Insurance letters, a delivery error resulting in a response to a subject access request (SAR) going to the wrong address, paperwork left on a train, a completed Excel spreadsheet issued in error instead of a blank one, and an HMRC adviser incorrectly accessing a taxpayer’s record and issuing a refund to their mother.

HMRC also recorded a small number of non-notifiable incidents, including the loss or insecure disposal of electronic equipment, devices or paper documents, and 3,316 security incidents that were centrally managed.

“We deal with millions of customers every year and tens of millions of paper and electronic interactions. We take the issue of data security extremely seriously and continually look to improve the security of customer information,” said HMRC in its latest annual report.

“We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn from and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third-party service providers to ensure that agreed processes are being carried out.

“We also educate our people to reinforce good security and data-handling processes through award-winning targeted and departmental-wide campaigns. These focus on reducing security and information risk, and the likelihood of the same issue happening again. All HMRC employees are required to complete mandatory security training, which includes the requirements of the Data Protection Act and GDPR [General Data Protection Regulation]. By continuing to inform and train our people, we can make sure HMRC is seen as a trusted and professional organisation.”

Donal Blaney, principal at legal practice Griffin Law, said: “Taxpayers have a right to expect their sensitive personal data to be kept secure by the taxman. The Information Commissioner should immediately investigate HMRC for these breaches and hold the taxman to account for this breath-taking incompetence.”

Tim Sadler, CEO of Tessian, added: “Human error is the leading cause of data breaches today. And given that people are in control of more data than ever before, it’s also not that surprising that security incidents caused by human error are rising.

“That’s not to say, though, that people are the weakest link when it comes to data security. Mistakes happen – it’s human nature – but sometimes these mistakes can expose data and cause significant reputational and financial damage. It’s an organisation’s responsibility, then, to ensure that solutions are put in place to prevent mistakes that compromise cyber security from happening – alerting people to their errors before they do something they regret.”

HMRC said that, against the backdrop of a highly complex threat landscape, it was continuing to enhance the activities undertaken by its Cyber Security Command Centre to guard against the risk of cyber attacks, insider threats and other risks in an ongoing learning process.

The tax agency, which is probably the government body most frequently impersonated by cyber criminals, has recently introduced new vulnerability management and threat hunting capabilities, as well as an automated anti-phishing email management tool, which it said was capable of automatically initiating over 80% of malicious website takedown requests without human intervention.

It has also conducted a review of its cyber performance, focusing on business-critical services, and as a result has developed a costed and prioritised plan for moving to a more appropriate security posture “in line with specified frameworks of cyber security for HMRC standards”. It is now embarking on a “rapid remediation” programme to reduce cyber risk exposure to what it terms “tolerable levels”, which is expected to take between 12 and 18 months.