According to the Information Commissioner’s Office (ICO), HM Revenue and Customs (HMRC) reported 11 ‘serious’ personal data incidents last year. The incidents (which have also been disclosed in HMRC’s annual report) have affected over 20,000 people.
- In one instance, HMRC sent out National Insurance number letters relating to 16-year-old children with incorrect details. This breach impacted almost 19,000 people.
- In another HMRC data breach, a fraudulent attack saw cybercriminals access the details of over 60 employees. This data included names, contact details and other information such as usernames and passwords. 573 people are said to have been impacted as a result. In this case, the affected customers may not yet have been notified.
- In a smaller but still serious breach, the data of an employee was put at risk when paperwork was left on a train. The sensitive information breached included medical notes and HR letters.
Other data breaches at HMRC occurred due to cyber-attacks and a catalogue of human errors.
Commenting on the findings, HMRC said:
“We deal with millions of customers every year and tens of millions of paper and electronic interactions. We take the issue of data security extremely seriously and continually look to improve the security of customer information. We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third party service providers to ensure that agreed processes are being carried out.”
The threat of human error
Speaking about the HMRC breaches, our Head of Data Breach, Kingsley Hayes said:
“Modern governance and the delivery of public services requires the sharing of a wide range of our sensitive information. But despite fears about cybercrime, human error is still the biggest cause of data protection breaches.
“Today, more data is being processed than ever before, but a reliance on unsecured legacy software, an untrained workforce, and out-of-date processes has made the sector vulnerable. So, when it comes to local and national government services, people across the country left paying the price.
“In light of the recent privacy violations by the taxman, it is essential that HMRC takes the threat of a data breach seriously and ensures proper processes and training are in place to stop such violations from happening. Incompetence is no excuse.”
Are you affected?
It does not look as if everyone impacted by the HMRC data breaches has been informed. If you are worried about the safety of your data, you can contact HMRC to ask whether your personal information has been put at risk. This is called making a subject access request (SAR).
The ICO provides a handy template to help you to raise any concerns about your data.
IF YOU HAVE BEEN A VICTIM OF A PUBLIC SECTOR DATA BREACH, WE CAN HELP YOU MAKE A NO-WIN, NO-FEE CLAIM FOR COMPENSATION.
