More than 10,000 customers were potentially affected by serious data incidents overseen by Her Majesty’s Revenue & Customs over the past year, according to its Annual Report & Accounts 2021-22.
HMRC, the government department responsible for tax collection, reported a total of 22 personal data-related incidents to the Information Commissioner’s Office in the last 12 months, stating that these incidents potentially affected 10,896 customers.
The number of serious personal data breaches rose from 18 in 2020-21 to 22 in 2021-22. Despite this, the number of potentially affected customers decreased, from 18,298 to 10,896.
HMRC noted that it has delivered a Cyber Tactical Remediation Programme, moved a significant number of services out of legacy data centres and implemented a new Security Incident Response Tool to strengthen the identification and reporting of personal data breaches.
Five additional data incidents occurred over the past year which were handled internally, potentially impacting a further 911 customers.
As part of its aim of “reaching a tolerable position by March 2025”, HMRC stated that it was in the process of implementing a three-year Enterprise Security Programme, alongside its Securing our Technical Future Programme.
These efforts aim to build upon its switch of key platforms to cloud-based infrastructure and strengthening of its data analysts team, having previously splashed £12 million on data staff over the past five years.
Cybersecurity expert Achi Lewis, Area VP EMEA for Absolute Software, commented: “Due to the volume of staff that large organisations like HMRC employ, it is inevitable that data incidents are going to occur.
“What’s crucial is that these organisations mitigate the volume of breaches as protecting customer data is vital.
“Staff training programmes are one aspect of the solution, and HMRC should be commended for taking this seriously. Arming staff with the knowledge of potential threats and the consequences of breaches can help them stay vigilant, and prevent potential losses before they occur, as well as being able to improve their reporting of these incidents.
“Solutions such as Zero-Trust Network Access can help to evaluate all users and their devices each time they connect to a network or application, only granting access if they are trusted. Should a malicious actor breach an application, they will be shut off from the rest of the network.
“Secure access controls, on top of this, can give IT teams the power to freeze or shut off compromised devices to prevent further breaches from occurring across a network.”


