Actu
Data of over 10,000 customers put at risk by HMRC breaches declared to ICO
May 2024 by Apricorn
Apricorn has announced findings from annual Freedom of Information (FoI) responses into data breaches and device loss within government departments. The results highlight an alarming number of customers potentially affected by breaches declared to the Information Commissioner’s Office (ICO) by the HM Revenue and Customs (HMRC) during 2023.
HMRC noted that the number of customers potentially affected by the 18 breach reports on notifiable incidents disclosed to the ICO totalled 10,209. This is concerning given the sensitivity of the data that HMRC houses which ranges from personally identifiable information (PII) to financial data concerning tax, benefits and pensions which could pose a significant risk if it should fall into the wrong hands.
Worryingly, the Driver and Vehicle Licensing Authority (DVLA), which declared 19 breaches in 2021 and just nine in 2022, disclosed a colossal 278 breaches in 2023. This marks a huge increase on previous years and implies that standards are slipping and that there’s work to be done in securing data.
Other departments disclosing data breaches included the House of Commons which experienced 41 data breaches in total and the House of Lords which disclosed eight Near Misses (where there may be no evidence that data has been accessed inappropriately) Losses and Breaches. Of these eight incidents, one was recorded as a Loss and one as a Breach.
"Government departments will inevitably fall victim to data breaches due to the valuable data they handle, but it’s positive to see these breaches being rightfully declared to the ICO. However, the effects and repercussions for the government departments and their customers could be hugely detrimental. With so much at risk, a back-to-basics approach may well be required to establish how so many breaches are slipping the net", said Jon Fielding, Managing Director, EMEA Apricorn.
Breaches aside, of the 15 departments questioned, nine declared the loss and theft of multiple organisational devices. The HMRC again tipped the scale, having reported 1015 lost and stolen devices, including 583 mobiles, 428 tablets and four USBs. Somewhat more than the 635 that went amiss in 2022, 346 in 2020 and 375 in 2019. A significant number of the reported phone losses were, however, the result of an internal audit of legacy phones that had been replaced with newer models.
Amongst others, the Ministry of Justice misplaced 653, the Department for Energy Security and Net Zero – 122, the Department for Education (DfE) - 78, Home Office – 153, House of Commons – 65, and Department for Science, Innovation and Technology – 54.
"The number of devices being lost or stolen within these departments is huge and whilst they are all encrypted, it’s important that they have robust back-up plans in place. This is particularly prudent in the throes of a ransomware attack which is highly plausible with such sensitive data at play. Ensuring they have at least three copies of data, on at least two different media, with at least one copy held offsite is a must. Equally, the recovery process must also be rigorously and regularly tested to ensure full data restoration can be achieved effectively," added Fielding.
