top of page


  • Tech Journalist

HMRC Annual Report 2020 to 2021 surfaced 17 data breaches in 15 months

Her Majesty’s Revenue and Customs (HMRC) performance summary 2020 to 2021 surfaced unique financial year reports along with COVID-19 allegations. Revenue concerned public service, non-compliance benefits and practical measures taken in dire times. Through all that, data breaches remain an uncommon factor in the cyber world.

The Information Commissioners Office (ICO) said in over 15 months period, a total of 17 breaches were reported. These breaches affected more than 3,000 individuals between January 2020 and March 2021.

In June 2020, the attacks were most simultaneous, according to HMRC. Personal information’s were used by the department in fining unauthorised changes to the records. Another breach affected 1,023 individuals where personal information’s were leaked.

On January 16 2020, primary identifiers such as name and contact details were affected, causing 326 people affected by the HMRC system authorixsation. We saw a similar trait but at a lower margin.

The Cyber Security Breach Survey 2021 reported on six surveys in the annual series, which said four in ten businesses (39%) and a quarter of charities (26%) in the past year. Before that, it was pretty higher where medium companies suffered the most (65%). Extensive business and high-income charities had 64 per cent and 51 per cent security breaches, respectively.

In 2021 it came with a lot less marginal proportion (46%) while charity results remain unchanged. According to experts, it was due to the pandemic the charities received lesser threats online though businesses suffered as usual.

HMRC reported 11 ‘serious’ personal data incidents to the ICO (Information Commissioner’s Office). HMRC outlined 23,000 people been affected in the recent incidents, which is far greater than anticipated.

These cybercrimes used customers personal information and made changes throughout the occasion without proper authorization in 17 bulk breaches, except two violations where customers were informed of the incidents. It affected 48 and 160 individuals, respectively.

HMRC said they take the protection of ‘customers information extremely seriously and continually monitor the system. Primary identifiers such as name, contact details, etc., were breached, and further investigation found no evidence of any impact on customers.

The most severe personal data incident recorded recently was when National Insurance number letters of 16-year-old-children were sent out, with missing details, impacting 18,864 members. In February, a fraudulent attack in the PAYE scheme exposed 64 employee details, and another 573 were directly affected. These incidents are ignorable, and the matter gained extreme attention through the HMRC publication.

There are times when an incident report involves sending one’s bank statement to others. In some cases, customer accounts were accused of using personal data. Criminals obtain these data using various methods such as social engineering, data mining, virus, malware, keylogging, scripting. There is no shortage of sabotaging procedures, and it takes one little mistake by the user to fall victim to many ways of attacks.

HMRC said, "we deal with millions of customers every year and tens of millions of paper and electronic interactions."

Issues regarding data security are taken extremely seriously in the HMRC, and all investigations- analyses help the active learning process ongoing. Confidential information to change customer records on Her Majesty’s Revenue and Customs systems has taken a toll as many details were changed without authorisation.


Founder of Griffin Law, Donal Blaney, said ‘HMRC wields draconian powers, and is increasingly out of control.’ Further added, ‘"uch criminality should be investigated to the fullest extent possible by the Information Commissioner and the police if taxpayers retain any confidence in HMRC."

Notes to the Statement of Outturn against Parliament Supply has also been published in the HMRC annual report to outturn detail by estimate line. According to it, HM Treasury will require additional income and expenditure analysis between administration.


bottom of page