More than 10,000 customers were potentially affected by serious data incidents overseen by Her Majesty’s Revenue & Customs over the past year, according to its Annual Report & Accounts 2021-22.
HMRC, the government department responsible for tax collection, reported a total of 22 personal data-related incidents to the Information Commissioner’s Office in the last 12 months, stating that these incidents potentially affected 10,896 customers.
The number of serious personal data breaches rose from 18 in 2020-21 to 22 in 2021-22. Despite this, the number of potentially affected customers decreased, from 18,298 to 10,896.
HMRC noted that it has delivered a Cyber Tactical Remediation Programme, moved a significant number of services out of legacy data centres and implemented a new Security Incident Response Tool to strengthen the identification and reporting of personal data breaches.
Five additional data incidents occurred over the past year which were handled internally, potentially impacting a further 911 customers.
As part of its aim of “reaching a tolerable position by March 2025”, HMRC stated that it was in the process of implementing a three-year Enterprise Security Programme, alongside its Securing our Technical Future Programme.
These efforts aim to build upon its switch of key platforms to cloud-based infrastructure and strengthening of its data analysts team, having previously splashed £12 million on data staff over the past five years.
Cybersecurity expert Achi Lewis, Area VP EMEA for Absolute Software, commented: “Due to the volume of staff that large organisations like HMRC employ, it is inevitable that data incidents are going to occur.
“What’s crucial is that these organisations mitigate the volume of breaches as protecting customer data is vital.
“Staff training programmes are one aspect of the solution, and HMRC should be commended for taking this seriously. Arming staff with the knowledge of potential threats and the consequences of breaches can help them stay vigilant, and prevent potential losses before they occur, as well as being able to improve their reporting of these incidents.
“Solutions such as Zero-Trust Network Access can help to evaluate all users and their devices each time they connect to a network or application, only granting access if they are trusted. Should a malicious actor breach an application, they will be shut off from the rest of the network.
“Secure access controls, on top of this, can give IT teams the power to freeze or shut off compromised devices to prevent further breaches from occurring across a network.”