Nearly 20,000 individuals may have been affected by personal data breaches in 11 separate incidents identified in HMRC’s annual summary (table on page 153). The incidents that were reported to the Information Commissioner’s Office (ICO) included:
- 18,864 16-year-olds who were sent National Insurance number letters that included incorrect names and other personal details.
- 64 employees’ contact details and passwords obtained from three PAYE schemes. Potentially 573 people could have been affected in this incident.
- Someone at the department sent out an Excel spreadsheet containing addresses and property details affecting 88 individuals rather than a blank copy.
- A cyber attack in November 2019 accessed the self assessment payment records of 25 clients.
In addition to these incidents, HMRC logged another 15 that did not have to be reported to the ICO. These breaches included half a dozen “unauthorised” disclosures, and the loss or insecure disposal of inadequately-protected electronic equipment or paper documents.
Departmental incompetence
After taking a closer look at the figures, Donal Blaney, principal at specialist practice Griffin Law, called for an immediate investigation by the ICO to “hold the taxman to account for this breathtaking incompetence”.
There is no question that HMRC is the government’s most frequent source of data breaches – but then it is responsible for controlling personal data on more than 11m individual taxpayers. And the department’s transparency in reporting in a consistent manner the breaches it has referred to the ICO is to be encouraged.
In its commentary on the information breaches, HMRC wrote: “We deal with millions of customers every year and tens of millions of paper and electronic interactions. We take the issue of data security extremely seriously and continually look to improve the security of customer information.
“All HMRC employees are required to complete mandatory security training, which includes the requirements of the Data Protection Act and GDPR.”
Agent redirected tax repayment
One of the less publicised data breaches occurred in February 2020 when a tax adviser “incorrectly accessed” a taxpayer’s record and issued a refund to the individual’s mother. The “customers” were already aware of the incident, HMRC reported.
The breach bore an uncanny resemblance to an episode reported in the Client account hacked Any Answers thread in September 2020.
“Last year, I had a client whose previous accountant changed the client’s address and then submitted multiple amended tax returns for the same year to create false refunds and had the money paid into someone else’s account,” wrote AccountingWEB member Teeside.
“This only came to light after a year later the client switched to me and the online authorisation process didn’t work.”
While HMRC is open about the breaches for which it is directly responsible, there is a much bigger pool of breaches being committed by third parties who are gaining unauthorised access to HMRC’s individual tax accounts. Like Teesside's experience, many incidents are reported by AccountingWEB members.
Given the multi-billion pound estimates for furlough fraud we have heard about during 2020, perhaps it is time HMRC made more of an effort to report on the efforts it is making to prevent misbehaviour taking place within its systems. In this year’s accounts the National Audit Office estimated fraud and errors exceeded £1.5bn for tax credit and R&D tax relief frauds alone, the two main areas for which the department’s accounts were qualified for the 20th year running.
Replies (3)
Given other hacks and losses, these do not seem particularly bad for such a big organisation.
Wonder what next year will bring given so many working from home?
I agree. For 'breathtaking incompetence' read surprisingly modest level of human error.
All human error and errors happen
I see this as well done HMRC.