10,896 HMRC customers have been potentially affected by data incidents reported to the Information Commissioner's Office (ICO) over the past 12 months.
In its latest annual report and accounts for 2021 to 2022, the government department revealed that on three occasions personal information was used to make changes to customer records on HMRC systems without authorisation.
There were 16 cases of unauthorised disclosure and one incident involving the loss of inadequately protected electronic equipment, devices or paper documents from secure government premises.
Two further incidents were not disclosed by HMRC.
The number of customers potentially affected by personal data-related incidents has declined over the past year in comparison to 2020-2021, when 18,298 customers were potentially impacted. However, four more incidents were recorded for the latest year.
HMRC said that this year it has implemented a Cyber Tactical Remediation Programme, moved a significant number of its services out of legacy data centre environments, and continued de-commissioning services.
“Due to the volume of staff that large organisations like HMRC employ, it is inevitable that data incidents are going to occur,” said Achi Lewis, area vice president EMEA for Absolute Software. “What’s crucial is that these organisations mitigate the volume of breaches as protecting customer data is vital.
“Staff training programmes are one aspect of the solution, and HMRC should be commended for taking this seriously. Arming staff with the knowledge of potential threats and the consequences of breaches can help them stay vigilant, and prevent potential losses before they occur, as well as being able to improve their reporting of these incidents.”