HM Revenue and Customs (HMRC) reported 11 ‘serious’ personal data incidents to the Information Commissioner’s Office (ICO) in the most recent financial year.
This is according to litigation practice Griffin Law, which analysed HMRC’s latest annual report, and predicts that the personal data incidents may affect 23,173 people.
All government departments are required to publish information about any serious data-related incidents, which have to be reported to the ICO.
Events reported by HMRC during 2019 to 2020 include an incident in which National Insurance number letters relating to 16-year-old children were sent out with incorrect details, impacting up to 18,864 members of the public.
Another serious incident was a fraudulent attack that resulted in 64 employees’ details being obtained from three PAYE schemes. Names, contact details and ID data, such as passwords and usernames, were leaked, impacting around 573 people.
Other incidents include paperwork regarding a member of staff being left on a train.
In the report, HMRC also noted that the number of centrally-managed security incidents impacting on protected personal data in HMRC rose from 13 to 15 in 2019 to 2020. The number of customers potentially affected by these incidents was 3,616.
The report went on to say that HMRC takes the “issue of data security extremely seriously” and “continually [looks] to improve the security of customer information”.
Cyber security expert Tim Sadler, CEO of Tessian, said:
“Human error is the leading cause of data breaches today. And given that people are in control of more data than ever before, it’s also not that surprising that security incidents caused by human error are rising.
“That’s not to say, though, that people are the weakest link when it comes to data security. Mistakes happen – it’s human nature – but sometimes these mistakes can expose data and cause significant reputational and financial damage. It’s an organisation’s responsibility, then, to ensure that solutions are put in place to prevent mistakes that compromise cybersecurity from happening – alerting people to their errors before they do something they regret.”