HMRC suffered 17 data breaches over 15 months
According to a recent report, the breaches affected more than 3,000 individuals


Her Majesty's Revenue and Customs (HMRC) disclosed a total of 17 data breaches to the Information Commissioner's Office (ICO) over a 15-month period, according to a new report.
Between January 2020 and March 2021, more than 3,000 individuals were potentially affected by the 17 data breaches at HMRC, with the most impactful occurring in June 2020, when the department used personal information to make unauthorised changes to customer records.
Basic personal identifiers such as name and contact details were used during the incident, which potentially affected 1,023 individuals. The report indicates the impacted customers were informed of the incident.
Cases in which cyber criminals used personal information to make changes to customer records without proper authorisation formed the bulk of the 17 breaches. A total of 11 cases were of this nature, each affecting different numbers of individuals, ranging between three and more than 1,000.
In almost all cases, the potentially affected individuals were informed following the breach. The exceptions were two incidents, affecting 48 and 160 individuals respectively, which did not meet the threshold for communicating the matter to the customers.
In both cases, basic personal information was thought to be involved. However, after further investigation in each, either no evidence of customer impact was found or the customer data involved was so minimal it didn't meet the ICO's standards for disclosure.
Arguably the most serious violation affected four individuals in a case involving an HMRC staffer contravening departmental policy to access internal systems to locate their estranged wife and children. The affected individuals were also informed in this case, and the staff member in question was dismissed, HMRC told IT Pro.
Other incidents included one in which one person's bank statements were sent to the wrong person, and another in which HMRC broke open a locked pedestal during an office move, which led to the loss of "personal content" of one individual.
"We take the protection of our customers’ information extremely seriously and continually monitor our systems and data to make sure that information is safe," HMRC told IT Pro in a statement.
"In some of these incidents, customer accounts were accessed using personal data that criminals could have obtained through a variety of methods, including breaches of other organisations’ security. We have established processes for when a customer record is affected by fraudulent activity by a criminal third party.
"We deal with millions of customers every year and tens of millions of paper and electronic interactions. Security and privacy are at the heart of our work. We investigate all security incidents, taking immediate action to reduce the possibility of recurrence," it added.
Elsewhere in the report, HMRC also said it has been engaging with the ICO not just in cases where it was legally required to do so. Regular collaboration between HMRC's data protection team and the ICO took place during this period, in addition to HMRC providing consultancy on new policies and legislation.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.