Tag Archives: security

OMG – OCG attacks HMRC

ICO declines to take action after 1000 HMRC customer records apparently altered in 2020 by Organised Crime Gang and used to make fraudulent claims

Rather hidden away on the Information Commissioner’s Office (ICO) website is information, disclosed under the Freedom of Information Act 2000 (FOIA), in relation to an ICO investigation of a security incident involving HMRC, and an organised crime gang (OCG).

It appears that, in June 2020, an OCG had used 193 genuine National Insurance Numbers (NINOs) which it had managed to “hijack” (it is not clear how) from external sources, and set up bogus Government Gateway (GG) accounts. This subsequently “enabled the OCG to carry out enrolments on the bogus GG accounts of genuine Self-Assessment customer Unique Tax References”, which in turn enabled the submission of fraudulent tax returns with the aim of the OCG being to make fraudulent expenses claims.

It was also discovered that details of 130 of the data subjects whose NINOs had been compromised were also used to “utilise” the DWP universal credit service.

HMRC did not become aware of this incident until 2 December 2020, and it notified the ICO (pursuant to its obligations under Article 33 GDPR) on 14 December 2020.

Details of the incident also appear to be contained in HMRC’s Annual Report for the period in question, where (at page 188) it refers to an incident involving 1023 people where “Personal information [was] used to make changes to customer records on HMRC systems without authorisation”.

There are many redactions in the information that the ICO has now published, but the headline point is that it did not view the incident as a serious enough infringement of HMRC’s obligations under GDPR so as to warrant a monetary penalty. The ICO noted that

…there is no indication that any of the originating personal data used to commit the fraud was obtained from HMRC.

However, it does appear that some people might have lost money, although this has since been repaid to them:

…any repayments due to genuine customers have been (or will be) made good…and therefore all the financial losses will be HMRC’s.

Also redacted are what would probably be details of systems changes that HMRC has taken or agreed to undertake as a result of the incident. These would, says the ICO

increase the protection applied to customer records and data and make stacks of this nature more difficult…

This wording suggests that the ICO felt that the level of protection had not been adequate, in line with HMRC’s security obligations under the GDPR. That being the case, the ICO must have decided that, in this instance, despite the infringement, it wasn’t necessary, or appropriate, to issue a fine or take other enforcement action.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach Notification, Data Protection, GDPR, HMRC, Information Commissioner, security

ACPO encourage the sending of identity documents over insecure connection

ACPO – the Association of Chief Police Officers – are inviting people to send online data protection subject access request including copies of proof of identity, such as passports or bank statements over an insecure http connection. This is almost certainly in breach of ACPOs obligations under the Data Protection Act.

One of the most important rights under data protection law is that of “subject access”. Section 7 of the Data Protection Act 1998 (DPA) provides, in broad terms, that a person may require an organisation to say whether it is processing data about that person, and if so, to be given a copy of it. It was, for instance, through exercise of this subject access right that six journalists recently discovered that they were on the National Domestic Extremism and Disorder Intelligence database. The DPA recognises the importance of this right by enshrining it in its Schedule One Principles – the sixth principle obliges data controllers to process personal data in accordance with data subjects’ rights under the Act.

The following principle – the seventh – is the one which deals with data security, and it requires data controllers to have appropriate measures in place to safeguard against loss of personal data. The Information Commissioner’s Office (ICO) explains why this is important:

Information security breaches may cause real harm and distress to the individuals they affect – lives may even be put at risk. Examples of the harm caused by the loss or abuse of personal data (sometimes linked to identity fraud) include
– fake credit card transactions;
– witnesses at risk of physical harm or intimidation;
– offenders at risk from vigilantes;
– exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence…

But a tweet yesterday (22.02.15) by Information Security consultant Paul Moore alerted that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides by an unencrypted http rather than encrypyted https connection.

image1

This is such a basic data security measure that it’s difficult to understand how it has happened – and to confirm their identity people are being encouraged to send highly confidential documents, such as passports, over an unsecure connection. The ICO points out that

Failure to provide the first assurance (encryption) means that any sensitive information transmitted will be viewable via any computer system on the route between the two systems

At a time when there are moves to encrypt all web traffic, the failure to offer encryption on such profoundly sensitive issues as information held by police, and identity documents, is jaw-dropping. The ICO was copied in to subsequent tweets, and it will be interesting to see what action they take.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Data Protection, data security, Information Commissioner, police