marcyano79 – Fotolia
HM Revenue & Customs (HMRC) referred itself to the Information Commissioner’s Office (ICO) on 11 separate occasions between April 2019 and April 2020 over data security incidents.
These included a fraudulent attack that resulted in the theft of personally identifiable information (PII) about 64 employees from three different PAYE schemes – potentially affecting up to 573 people – and a cyber attack on an HMRC agent and their data that saw the self-assessment payment records of 25 people compromised.
Other incidents notified during the period included the disclosure of the incorrect details of 18,864 children in National Insurance letters, a delivery error resulting in a response to a subject access request (SAR) going to the wrong address, paperwork left on a train, a completed Excel spreadsheet issued in error instead of a blank one, and an HMRC adviser incorrectly accessing a taxpayer’s record and issuing a refund to their mother.
HMRC also recorded a small number of non-notifiable incidents, including the loss or insecure disposal of electronic equipment, devices or paper documents, and 3,316 security incidents that were centrally managed.
“We deal with millions of customers every year and tens of millions of paper and electronic interactions. We take the issue of data security extremely seriously and continually look to improve the security of customer information,” said HMRC in its latest annual report.
“We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn from and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third-party service providers to ensure that agreed processes are being carried out.
“We also educate our people to reinforce good security and data-handling processes through award-winning targeted and departmental-wide campaigns. These focus on reducing security and information risk, and the likelihood of the same issue happening again. All HMRC employees are required to complete mandatory security training, which includes the requirements of the Data Protection Act and GDPR [General Data Protection Regulation]. By continuing to inform and train our people, we can make sure HMRC is seen as a trusted and professional organisation.”
Donal Blaney, principal at legal practice Griffin Law, said: “Taxpayers have a right to expect their sensitive personal data to be kept secure by the taxman. The Information Commissioner should immediately investigate HMRC for these breaches and hold the taxman to account for this breath-taking incompetence.”
Tim Sadler, CEO of Tessian, added: “Human error is the leading cause of data breaches today. And given that people are in control of more data than ever before, it’s also not that surprising that security incidents caused by human error are rising.
“That’s not to say, though, that people are the weakest link when it comes to data security. Mistakes happen – it’s human nature – but sometimes these mistakes can expose data and cause significant reputational and financial damage. It’s an organisation’s responsibility, then, to ensure that solutions are put in place to prevent mistakes that compromise cyber security from happening – alerting people to their errors before they do something they regret.”
HMRC said that, against the backdrop of a highly complex threat landscape, it was continuing to enhance the activities undertaken by its Cyber Security Command Centre to guard against the risk of cyber attacks, insider threats and other risks in an ongoing learning process.
The tax agency, which is probably the government body most frequently impersonated by cyber criminals, has recently introduced new vulnerability management and threat hunting capabilities, as well as an automated anti-phishing email management tool, which it said was capable of automatically initiating over 80% of malicious website takedown requests without human intervention.
It has also conducted a review of its cyber performance, focusing on business-critical services, and as a result has developed a costed and prioritised plan for moving to a more appropriate security posture “in line with specified frameworks of cyber security for HMRC standards”. It is now embarking on a “rapid remediation” programme to reduce cyber risk exposure to what it terms “tolerable levels”, which is expected to take between 12 and 18 months.
In this e-guide, we will explore the links between ransomware attacks, data breaches and identity theft. First, Nicholas Fearn investigates the phenomenon of the double extortion attack, and shares some insider advice on how to stop them, while we’ll explore the top five ways data backups can protect against ransomware in the first place.
You forgot to provide an Email Address.
This email address doesn’t appear to be valid.
This email address is already registered. Please login.
You have exceeded the maximum character limit.
Please provide a Corporate E-mail Address.
Please check the box if you want to proceed.
Please check the box if you want to proceed.
By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.
CIO dashboards can be a vital tool for assessing metrics in real time to gain insight on IT performance and support better …
The business response to COVID-19 has accelerated technology adoption, making emerging technologies a more accessible and …
The Open Group is teaming up with a United Nations agency on best practices, guides and standards to show resource-strapped …
The NSA issued a cybersecurity advisory warning government agencies to mitigate as soon as possible, as the vulnerability was …
Now hiring: As organizations increasingly favor proactive cyber threat hunting and detection over bare-bones prevention, SecOps …
SecOps tools offer many capabilities to address common threats enterprises face, including domain name services, network …
Network teams can avoid signal coverage issues by performing different wireless site surveys as they evaluate new spaces, set up …
SD-WAN, SASE or some combination of the two — which approach will deliver the best and most secure network connectivity in your …
Celona 5G technology uses Citizens Broadband Radio Service spectrum to bring private mobile networking to the enterprise, …
In any multi-tenant IT environment, noisy neighbors can be an issue. Here’s a closer look at how the challenges differ in the …
Use this data center selection checklist to make fair and comprehensive comparisons between colocation data center providers …
One offers more control, while the other offers more flexible space. If you’re considering a colocation facility, how do you …
Collibra CEO discusses the importance of data governance for enterprises and how to tie data governance to business terminology …
The enterprise edition of the MySQL database is being enhanced on Oracle Cloud Infrastructure to enable users to run analytics …
The U.S. government has made data sets from many federal agencies available for public access to use and analyze. Check out some …
All Rights Reserved, Copyright 2000 – 2020, TechTarget
Privacy Policy
Cookie Preferences
Do Not Sell My Personal Info
