The UK taxation body, Her Majesty’s Revenue and Customs department (HMRC), has reported 11 “serious” personal data incidents to the Information Commissioner’s Office (ICO) in 2020.
According to litigation practice Griffin Law, the incidents affected a total of 23,173 people and further investigation is warranted.
The biggest incident by volume occurred in May this year, when National Insurance number letters belonging to 16-year-olds went out with incorrect details. A total of 18,864 members of the public were affected by this slip-up, it was said.
The most significant incident, however, happened in February this year, when criminals managed to obtain personal details of 64 HMRC employees through three PAYE schemes. They harvested the usernames and passwords of a total of 573 people, none of whom have yet been contacted by HMRC or law enforcement.
HMRC also reported various other slip-ups, including incorrectly handling Excel databases, employees leaving sensitive data on a train, and a cyberattack against an agent and their client data, all of which resulted in personal and other sensitive data being exposed to third parties. Also, a further 3,616 “centrally managed” incidents were recorded, with no further details revealed.
Commenting on the report, HMRC claimed it is doing all it can to protect its data and that it’s constantly learning and improving.
But Donal Blaney, Principal at Griffin Law, believes taxpayers have a right to expect their sensitive personal data to be kept secure, and called for the ICO to “immediately investigate HMRC” for these breaches and hold the taxman to account for this “breathtaking incompetence”.