HMRC reported 11 breaches of personal data in the 2019/2020 financial year to the ICO, according to its recent annual report.
In total, around 23,000 people may have been affected across the breaches. The most serious incident saw national insurance letters with incorrect details for 16-year-olds sent out.
The error could have revealed previous birth names, the identity of adopted children, as well as the identity of transgender children. This incident alone may have affected up to 18,864 people.
A fraudulent attack obtained the employee details of 64 people through three PAYE schemes, potentially affecting up to 573 people, while two smaller incidents potentially compromised fewer than 100 people.
The first of these was a breach in which a completed Excel spreadsheet was issued by mistake instead of a blank one; the addresses and property details of up to 88 people were potentially compromised.
Finally, a cyberattack could have revealed self-assessment repayment records of up to 25 people. The remaining seven events were largely limited to revealing the details of a single person.
Of the 11 incidents, nine were caused by human error, including one where paperwork was left on a train. The other two were caused by direct attacks.
The ICO warned at the start of this year that around 90% of all 2019’s data breaches were caused by human error.
As such, it is vital that companies have robust security practices in place to minimise accidental data breaches.
“Breaches impact lives. There is no avoiding that reality. But placing the blame solely, and blindly, on the closest person to the breach only encourages people to hide breaches, not to resolve and prevent them,” Deputy Managing Director & Managing CISO at HEFESTIS Jordan Schroeder told DIGIT.
“Having a way to understand the human element of a breach and to stop blaming people but to take collective responsibility for breaches is how an organisation, like HMRC, can reduce breaches in the future.”
HMRC also saw a total of 15 other minor personal data-related incidents that it did not need to report to the ICO. These included the loss or insecure disposal of electronic devices or paper documents.
“We investigate and analyse all security incidents to understand and reduce security and information risk,” HMRC said in the report. “We actively learn and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third party service providers to ensure that agreed processes are being carried out.
“We also educate our people to reinforce good security and data-handling processes through award-winning targeted and departmental-wide campaigns.”
Data breaches have become a major concern for companies since the implementation of GDPR in 2018. This year has seen the ICO issue two of its largest ever fines, against British Airways and Marriott Hotels. These totalled £20 million and £18.4 million, respectively.
These breaches, potentially compromising the details of hundreds of millions, are far larger than the HMRC breaches. However, the nature of the data held by HMRC makes even a small breach serious.
Furthermore, one of the most serious consequences of a data breach is the damage it does to an organisation's reputation. A serious data breach would undermine trust in HMRC, a vital part of both the government and the economy.
“We have to supply HMRC and various other government bodies with our personal data,” Schroeder added. “We don’t have a choice. We do have a choice of whom we do business with.
“So, a breach at BA is fundamentally different from a breach at a government department; we can’t avoid giving them our data and we cannot remove our data from their systems. So, the responsibility, and the public’s feelings of helplessness, is greater with a governmental breach.”