HM Revenue & Customs  

Concerns raised over personal data breaches at HMRC

Concerns raised over personal data breaches at HMRC

Concerns have been raised over a number of serious personal data breaches recorded by HM Revenue & Customs last year. 

According to its most recent annual report, the taxman reported 11 data incidents to the Information Commissioner's Office in the 2019/20 financial year. 

In one instance almost 19,000 members of the public were potentially affected when HMRC national insurance number letters relating to 16-year old children were sent with incorrect details. 

Meanwhile in February a fraudulent attack resulted in the details of 64 employees being obtained from three PAYE schemes, including names, contact details and data such as user names and passwords.

HMRC said 573 were potentially impacted by the data breach. 

In a smaller instance over the summer, the data of a member of staff were put at risk when paperwork was left on a train which included their medical notes and HR letters. 

Cyber security expert Tim Sadler, chief executive at cyber security firm Tessian, said human error was often the leading cause of data breaches.

Mr Sadler said: "Given that people are in control of more data than ever before, it's also not that surprising that security incidents caused by human error are rising. 

"That's not to say, though, that people are the weakest link when it comes to data security.

"Mistakes happen - it's human nature - but sometimes these mistakes can expose data and cause significant reputational and financial damage.

"It's an organisation's responsibility, then, to ensure that solutions are put in place to prevent mistakes that compromise cybersecurity from happening - alerting people to their errors before they do something they regret." 

In its latest annual report HMRC also reported 15 centrally-managed security incidents which included protected personal data in 2019/20, which potentially affected 3,616 customers.

Donal Blaney, principal at litigation firm Griffin Law, said: "Taxpayers have a right to expect their sensitive personal data to kept secure by the taxman.

"The Information Commissioner should immediately investigate HMRC for these breaches and hold the taxman to account for this breathtakingly incompetence."

Jim Harra, chief executive and permanent secretary at HMRC, said in the report that HMRC dealt with millions of customers every year and tens of millions of paper and electronic interactions.

Mr Harra said: "We take the issue of data security extremely seriously and continually look to improve the security of customer information.

"We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents."

rachel.mortimer@ft.com 

What do you think about the issues raised by this story? Email us on fa.letters@ft.com to let us know.