HMRC 'serious data-related incidents' up by 60% in a year

29 breaches, affecting more than 35,000 individuals, were escalated to the ICO in 2023-24

By Sam Trendall

15 Aug 2024

HM Revenue and Customs recorded an annual rise of more than 60% in the number of personal data incidents that required reporting to authorities in 2023-24.

In the 12 months to 31 March, the tax agency reported 29 “serious data-related incidents” to regulator the Information Commissioner’s Office. These incidents collectively impacted 35,645 individuals, according to the department’s annual report.

Both of these figures represent a big rise on 2022-23, when HMRC reported to the ICO 18 serious potential breaches of personal data that affected a cumulative tally of 10,209 people.

The 29 incidents that occurred last year included six occasions in which “personal information [was] used to make changes to customer records on HMRC systems without authorisation”, and three instances of the “loss of inadequately protected electronic equipment, devices or paper documents from secured government premises”. There were also two further times such losses took place from non-government locations.

This tally of 11 breaches is more than double the five incidents recorded across these categories in the prior year.

In 2023-24 there were 14 reports of other forms of “unauthorised disclosure”, and four additional incidents which do not fall into any category. These figures compare with 11 and two such breaches respectively that occurred in the year before.

“We take all these incidents seriously and are acting to address them. We have used the lessons learned from these incidents to review and strengthen our customer identity and authentication processes,” the HMRC report said.

“Protecting customer data is important to us and we continually monitor our processes to prevent recurrences. We are also delivering enhanced data security, governance and reporting across HMRC.”

During 2023-24, HMRC continued delivery of a £200m programme intended to “review and remediate existing systems to ensure they are fully compliant with General Data Protection Regulations”.

By the end of the year, a total of 76 IT systems had completed their remediation process – a rise of 17 compared with March 2023.

The report noted that such measures are important as the department encounters “1.5 billion suspicious or malicious events [that are] blocked by our cybersecurity team every month”. These events are drawn from a total of 200 billion that are analysed for potential security threats.

In response to enquiries from CSW's sister title PublicTechnology, HMRC indicated that heightened protections implemented by the department include the use of the new GOV.UK ID Check app to verify users’ identity via biometric facial scans, as well as the use of multi-factor authentication to secure online tax accounts.

A spokesperson for HMRC added: “We take the protection of our customers’ information very seriously and monitor our systems and data to ensure information is safe. We investigate all security incidents and continuously invest in security systems to ensure they offer the latest protection. We are aware of our data protection obligations and are committed to meeting them.”
