{"id":8333,"date":"2024-05-16T13:49:06","date_gmt":"2024-05-16T12:49:06","guid":{"rendered":"https:\/\/www.gpsj.co.uk\/?p=8333"},"modified":"2024-05-16T14:01:26","modified_gmt":"2024-05-16T13:01:26","slug":"data-of-over-10000-customers-put-at-risk-by-hmrc-breaches-declared-to-ico","status":"publish","type":"post","link":"https:\/\/www.gpsj.co.uk\/?p=8333","title":{"rendered":"Data of over 10,000 customers put at risk by HMRC breaches declared to ICO"},"content":{"rendered":"\n

Reporter: Stuart Littleford<\/p>\n\n\n\n

More than 2,000 devices reported lost or stolen across seven government departments in 2023<\/em><\/p>\n\n\n\n

Apricorn<\/a><\/u><\/strong>, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives, has today announced findings from annual Freedom of Information (FoI) responses into data breaches and device loss within government departments. The results highlight an alarming number of customers potentially affected by breaches declared to the Information Commissioner\u2019s Office (ICO) by the HM Revenue and Customs (HMRC) during 2023.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

HMRC noted that the number of customers potentially affected by the 18 breach reports on notifiable incidents disclosed to the ICO totalled 10,209. This is concerning given the sensitivity of the data that HMRC houses which ranges from personally identifiable information (PII) to financial data concerning tax, benefits and pensions which could pose a significant risk if it should fall into the wrong hands.<\/p>\n\n\n\n

Worryingly, the Driver and Vehicle Licensing Authority (DVLA), which declared 19 breaches in 2021 and just nine in 2022, disclosed a colossal 278 breaches in 2023. This marks a huge increase on previous years and implies that standards are slipping and that there\u2019s work to be done in securing data.<\/p>\n\n\n\n

Other departments disclosing data breaches included the House of Commons which experienced 41 data breaches in total and the House of Lords which disclosed eight Near Misses (where there may be no evidence that data has been accessed inappropriately) Losses and Breaches. Of these eight incidents, one was recorded as a Loss and one as a Breach.<\/p>\n\n\n\n

\u201cGovernment departments will inevitably fall victim to data breaches due to the valuable data they handle, but it\u2019s positive to see these breaches being rightfully declared to the ICO. However, the effects and repercussions for the government departments and their customers could be hugely detrimental. With so much at risk, a back-to-basics approach may well be required to establish how so many breaches are slipping the net\u201d, said Jon Fielding, Managing Director, EMEA Apricorn.<\/p>\n\n\n\n

Breaches aside, of the 15 departments questioned, nine declared the loss and theft of multiple organisational devices. The HMRC again tipped the scale, having reported 1015 lost and stolen devices, including 583 mobiles, 428 tablets and four USBs. Somewhat more than the 635 that went amiss in 2022, 346 in 2020 and 375 in 2019. A significant number of the reported phone losses were, however, the result of an internal audit of legacy phones that had been replaced with newer models.<\/p>\n\n\n\n

Amongst others, the Ministry of Justice misplaced 653, the Department for Energy Security and Net Zero \u2013 122, the Department for Education (DfE) – 78, Home Office \u2013 153, House of Commons \u2013 65,  and Department for Science, Innovation and Technology \u2013 54.<\/p>\n\n\n\n

\u201cThe number of devices being lost or stolen within these departments is huge and whilst they are all encrypted, it\u2019s important that they have robust back-up plans in place. This is particularly prudent in the throes of a ransomware attack which is highly plausible with such sensitive data at play. Ensuring they have at least three copies of data, on at least two different media, with at least one copy held offsite is a must. Equally, the recovery process must also be rigorously and regularly tested to ensure full data restoration can be achieved effectively,\u201d added Fielding.<\/p>\n\n\n\n

An HMRC spokesperson told GPSJ:<\/strong> \u201cSecurity and privacy are at the heart of our work as we deal with tens of millions of customers every year.<\/p>\n\n\n\n

\u201cWe take quick action to deactivate any lost or stolen devices and investigate all security incidents, taking steps to reduce future recurrences.\u201d\u00a0<\/em><\/strong><\/p>\n\n\n\n

Background<\/u><\/p>\n\n\n\n