Friday 30 November 2007

What a Shambles!

Poor old HMRC, they really can't quite get the hang of addressing an envelope properly.

I guess what with the strain of losing data discs on a regular basis, they can't quite focus their minds on more mundane activities such as envelope addressing.

The Oxford mail reports that the good old boys in HMRC sent Ron Leaver and Tracey Giles a number of letters over a period of months.

So far so good.

Unfortunately, the letters contained child benefit and national insurance numbers meant for other people.

Mr Leaver, from Merton near Bicester, received over a dozen letters that were in fact meant to go to Buckinghamshire County Council.

The letters contained a veritable smorgasbord of names and NI numbers of former council employees, one even contained a cheque for £2,000.

HMRC had managed to delude themselves that the local authority, whose headquarters are in Aylesbury, was in fact based 18 miles away at a private house in a small Oxfordshire village.

Mr Leaver needless to say did point out the mistake to the ever alert HMRC, yet HMRC continued to send him the letters.

He is quoted in the Oxford Mail:

"I'm disgusted with the situation. No one has been able to tell me why they did this.

If it's happening to me is it happening to other people?

It's an absolute shambles
."

Needless to say if it happens to one person, as sure as eggs are eggs, it will happen to another. Tracey Giles, from Hempton, found this out for herself. She was sent a letter meant for a Tracey Mason.

The letter was an apology for losing the data discs, and of course contained the NI and child benefit numbers of the intended recipient.

Ms Giles is now worried, not unreasonably, that someone else has her details thanks to the mind numbing incompetence of HMRC.

An HMRC spokesman said:

"We apologise for any inconvenience caused. We are currently writing to over seven million child benefit claimants. Letters are still being sent, so people shouldn't worry if they haven't yet received an apology."

Here is a free piece of advice to HMRC, the sending of the apology letters (as pointed out earlier on this site) is a major security blunder. Given that all of the letters have not yet been sent, HMRC should stop sending any more now.

Now that they have been publicly told that the apology letters represent a major security risk, not to stop sending them is criminally negligent.

www.hmrcisshite.com is brought to you by www.kenfrost.com "The Living Brand"

Thursday 29 November 2007

Fuckwits

Congratulations to the HMRC for proving that despite things being farking awful last week, it is more than capable of making things worse.

In a rush to cover backsides, and to look contrite, HMRC sent millions of apology letters to those who had their personal details placed at risk as a result of the HMRC disc blunder.

Unfortunately this act of contrition exposed the hapless victims of HMRC incompetence to even greater risk of fraud and id theft:
  • The postal system is notoriously open to abuse and theft (over a million letters are lost everyday)


  • The apology letters contained the details on the missing discs. Thereby giving the criminals another bite of the apple


  • The letters which contain names, National Insurance and child benefit numbers are being delivered to the last known addresses of the recipients.

    It doesn't take a genius to realise that some of the millions of people sent these letters may have moved (1 in 10 people move each year). Therefore many of the letters containing these private details are being delivered to the wrong people.

    Oh, but that's alright, HMRC are blaming the taxpayers who have moved for not keeping HMRC up to date with their moves
Hardly a stellar performance from the HMRC.

Have the people in HMRC never been trained in the basics of security, fraud and id theft prevention?

Needless to say this latest screw up has brought more problems down on the heads of those claiming to run the HMRC. The Information Commissioner will now investigate this latest security lapse.

The Information Commissioner is now pursuing three inquiries into breaches of confidentiality by HMRC.

It would seem that the people running HMRC, and indeed the government itself, has little clue about the concept of security and id theft; this is the same government that wants to impose a national id card scheme on an unwilling population.

Those who don't receive a letter of apology are being asked to ring an HMRC helpline.

Congratulations to the HMRC for making matters worse and exposing 25 million people to the threat of fraud and id theft twice in two weeks, a double whammy.

Fuckwits!

www.hmrcisshite.com is brought to you by www.kenfrost.com "The Living Brand"

Wednesday 28 November 2007

Disgruntled Lemmings

Not surprisingly, given the recent "kerfuffle" at the HMRC, morale amongst the hapless staff of this much maligned organisation is at an all time low.

Seemingly the employees have requested punchbags, squeeze balls and aromatherapy in order to relieve the stress that they feel.

What about the tax payers who have to deal with HMRC?

These demands had been posted on an HMRC staff discussion website (www.disgruntled-lemmings.com) which has been taken offline.

HMRC have stated that the website is not one of theirs.

Here is what the site looked like in July 2007 Disgruntled Lemmings.

Those of you who are keen to search a bit more on Google etc for caches may be pleased to know that HMRC staff are normal human beings, just like ourselves.

I was heartened to read the profile of one tax credits adviser in Newcastle, who lists among her interests "drugs".

Another member of HMRC lists his interests as "fucking up binis" (I believe that they emanate from Africa).

How very "reassuring" that HMRC staff have such eclectic hobbies, and are so cavalier with their personal information.

Fortunately they would never be so indiscreet with the personal information of their customers....oh, hang on a minute...

Tuesday 27 November 2007

The Vengeful HMRC

Members of the House of Lords vent their spleens against HMRC in The Times:

Sir,

Comment on the fiasco of the missing discs has concentrated on the sheer incompetence of those involved. Little attention has been paid to the doubtful legality of what Her Majesty’s Revenue and Customs sought to do.

The discs contained highly confidential information on 25 million people. HMRC had no right whatever to supply such information to a third party except in response to a request from a body with a statutory power to demand it. It may be assumed that the National Audit Office has such a power; but it did not ask for the banking and other details that HMRC included in the information it tried (unsuccessfully) to supply.

It would be interesting to know what possible justification the department had for attempting to supply confidential information for which it was not asked. The cost of excluding such information cannot possibly be a sufficient excuse.

Lord Millett
House of Lords

Sir,

I agree with Libby Purves (“They hate you. And in the end R&C will get you”, Nov 23). In common with quite a number of people, the compilation of my tax return is a complex exercise and I have to employ a professional adviser. Six years ago it sent me a refund cheque for £138,512.48 which, although a very pleasant surprise, was totally wrong. I subsequently learnt that to send a refund cheque of such magnitude required the approval of several people.

I wrote to the Chairman of Inland Revenue returning the cheque, and in my letter made a comment which proved to be extremely accurate. I said: “What concerns me in this issue is that if I, or indeed, any other taxpayer, had made a fraction of the errors which the Revenue has made, then I would be rapidly pursued and taken to task in no uncertain way for such an error.” David Hartnett, who has now taken over as acting chairman of HMRC, said: “I am very sorry that we have compounded our earlier errors by incorrectly sending you such a very large cheque.”

I made an error myself in a recent tax return. My “case owner” pointed out the omission to my adviser, so the likelihood of it not coming to HMRC’s attention was nil. I immediately apologised, paid the outstanding tax by return and acknowledged that I would be liable to an interest charge. I thought this would be an end to the matter, but I received a letter which inferred that my case owner thought that what I had said might be a pretty tall story, but if I confessed and agreed to pay a penalty as well as the outstanding tax and interest, the taxman might let me off lightly.

HMRC can make mistakes, no matter how large or crass. But we, the despised “customers” (do they still use that term?), are, in the words of Libby Purves, all “on the fiddle”.

I spent six years as a Permanent Secretary, and developed an enormous respect for the Civil Service, but for some reason the Inland Revenue, now HMRC, does not believe that it is the servant of the taxpayer, but rather its master. Perhaps, just perhaps, this most recent blunder will make it realise that the customer, too, should be permitted to make the occasional mistake. (HMRC has now accepted my explanation.)

Lord Levene of Portsoken
House of Lords

Monday 26 November 2007

Systematic Failure

The data protection minister, Michael Wills, today said it was "too soon" to judge whether HM Revenue & Customs had been guilty of "systemic failure" in losing the personal information of 25 million people.

His comments came as police continued to search for the two CDs, containing child benefit data relating to 7.25 million families, which have been missing since a HMRC junior manager posted the discs to the National Audit Office on October 18.

Appearing before the joint committee on human rights, Wills said there were a "number of reasons" why he was not told about the loss of data before Alistair Darling's Commons statement.

Asked by the committee chair, the Labour MP Andrew Dismore, if he agreed with the Tories' accusation that HMRC was guilty of "systemic failure", he said:

"It's far too soon for me to be able to judge that. It's certainly wrong, deeply regrettable and the prime minister has already apologised for it."

Committee members expressed incredulity that Wills, as data protection minister, was not told about the problem before it was revealed in Parliament.

Source The Guardian

Money Saving Caused Data Loss

E-mails released by the National Audit Office have confirmed that officials at HM Revenue and Customs, did not want to remove sensitive information from child benefit data sent to the auditors because doing so would cost extra.

The revelation comes as the fallout from HMRC's loss of 25 million people's records continues to rock the British government.

Chancellor Alistair Darling blamed the loss -- Britain's biggest data breach ever -- on a junior official at HMRC who had sent unencrypted disks with information on child benefit claimants to the NAO.

But the e-mails, published by the NAO alongside its briefing for the chancellor, appear to bear out key accusations made by the Conservative Party that cost was an issue and that a senior official at HMRC was aware that unfiltered data was likely to be sent.

Source Computer World

Saturday 24 November 2007

More Discs Lost

HM Revenue and Customs has confirmed that a further six data discs have gone missing in transit between its offices in Preston and London.

The discs, which were reported missing on 30 October, contained recorded conversations between a member of staff and a customer making a complaint.

Police are still searching for two computer discs containing the details of 25m Child Benefit claimants.

The HMRC says evidence suggests these two discs are still on its premises.

The second lost package, containing six discs, went missing after being sent from a tax credit office in Preston to HMRC's Whitehall headquarters in London.

They were despatched through the same internal mail system used by those who sent the two missing Child Benefit discs, which have not been seen since being posted at HMRC in Washington, Tyne and Wear, on 18 October.

Source BBC

Is the HMRC fit for purpose?

Friday 23 November 2007

Data Laws May Have Been Breached

Unencrypted discs with 25 million Child Benefit records on them were handed to an accountancy firm by government auditors, it has emerged.

The National Audit Office (NAO) gave the CDs - similar to the ones lost by HM Revenue and Customs (HMRC) officials - to accountants KPMG for auditing.

It said the discs - with bank account details on them - were delivered "by hand" to KPMG and returned safely.

The Information Commissioner is probing whether data laws were broken.

A spokesman said the commissioner would be looking at "all aspects" of data protection surrounding the missing Child Benefit records as part of its investigation.

Source BBC

The HMRC has been remarkably cavalier with people's data. Do they have any concept of the risks posed by distributing private data to all and sundry?

Darling Denies Cover Up

Chancellor Alistair Darling is standing by his version of events of how discs containing the personal details of 25 million people went missing.

The Treasury said there was nothing in e-mails released on Thursday to contradict the chancellor's account.

The e-mails suggest a senior manager was involved - something not mentioned in Mr Darling's statement to MPs.

BBC Political Editor Nick Robinson said:

"I am told that when he spoke to the Commons the chancellor had not seen the e-mails and had not been told of the potential involvement of a senior official."

He added:

"The suggestion that a single 23-year-old on low pay at the Child Benefit Centre in Washington is solely responsible for this saga may suit certain people - including the managements of the NAO and HMRC who have clearly clashed in their accounts of this affair - but it beggars belief."

Source BBC

Breathtaking Loss

Ovum principal analyst Graham Titterington encapsulated the scale of the event by saying:

"This announcement is breathtaking because of the scale of the loss but not because it is a unique event. Indeed, it is the third major data leakage from Her Majesty's Revenue & Customs [HMRC] in just three months."

Titterington continued:

"If the data has fallen into the hands of identity thieves, which is unlikely, the entire national identity ecosystem is undermined for two generations. The UK government and the nation is reduced to hoping that these two CDs are languishing in a rubbish bin somewhere."

Source ZDNet

Thursday 22 November 2007

HMRC Chairman Quits

The taxman’s policy chief Dave Hartnett has been appointed acting chairman of the department.

The appointment of Hartnett follows the sensational departure of Paul Gray over the loss of the personal data of 25 million people.

Chairman Paul Gray tendered his resignation on Tuesday immediately as the news was announced, bringing to an end his brief run at the department and disappointing advisers who had warmed to his style of management.

Source Accountancy Age

The real responsibility for this fiasco lies with Brown who set up the unmanageable HMRC in the first place.

Wednesday 21 November 2007

Government Under Fire for HMRC Data Fiasco

Ministers are facing demands for answers after 25 million people's personal details were lost in Britain's worst ever data protection breach.

The "catastrophic" blunder by HM Revenue and Customs (HMRC) means nearly half the UK's population - including leading politicians and businessmen - are at risk of identity fraud.

Chancellor Alistair Darling revealed the staggering scale of the debacle in an emergency statement to MPs, as Paul Gray, the head of HMRC, fell on his sword.

Two compact discs containing names, addresses, dates of birth, child benefit numbers, national insurance numbers and bank or building society account details of some 25 million individuals and 7.25 million families have gone missing.

The Commons emitted a collective gasp as Mr Darling explained how a junior official sent the entire child benefit database from the HMRC HQ in Newcastle to the National Audit Office in London on October 18.

In flagrant breach of the agency's procedure, the package was not even posted recorded delivery through contracted courier TNT, and never arrived at its destination.

However, senior management at HMRC were not informed of the problem until November 8, with Mr Darling and Prime Minister Gordon Brown finally brought into the loop two days later.

The officials involved apparently waited to raise the alarm because they hoped the password-protected discs would "turn up".

The Metropolitan Police is now leading the hunt for the package, while Mr Darling has ordered a probe into security procedures at HMRC and the Independent Police Complaints Commission is also investigating.

The Chancellor stressed there was no evidence that the information had fallen into criminal hands and said the public would be protected against any fraud by the Banking Code.

Source The Guardian

HMRC Failure Beggars Belief

Fred Piper, professor, director, of information security group at Royal Holloway University of London, said it "beggars belief" as to how this data loss could have occurred.

"It shouldn't happen. It beggars belief as to who authorised this, and whether they had authority to send the data or just did it," he said.

"It's a straightforward, irresponsible cock up. If you must transfer data, there should be a clear reporting structure to the value of data. If it is valuable data, then only senior staff should authorise it and that data needs adequate protection."

Source CIO

Gordon Brown set this organisation up, the responsiblity lies with him.

Fraud Threat To Last For Years

The treat of fraud arising from the HMRC lost data fiasco will last for years, and could have a catastrophic effect on the economy and on people's lives.

Children whose personal data has gone missing could be at risk of identity fraud for many years, credit reference agency Experian has warned.

The company said fraudsters could wait until children turn 18 before trying to apply for credit in their name.

Compliance director Helen Lord said this could have a "catastrophic effect" on their ability to buy or rent a home or obtain a loan or credit card.

Source BBC

Life of Misery Inside HMRC

Former employees of under-fire HM Revenue and Customs service have contacted the BBC News website to describe life inside its offices.

The news that the details of 25 million recipients of Child Benefit payments have gone missing has shone a spotlight on HMRC.

The agency collects and administers direct and indirect taxes; and pays and administers Child Benefit, Child Trust Fund and Tax Credits. It is also responsible for environmental taxes, enforcing the National Minimum Wage and recovery of student loans.

Formed in 2005 following a merger between HM Customs and Excise and the Inland Revenue, it has proved controversial since its inception.

But now it faces intense criticism after junior officials were blamed for sending computer discs with personal details of all UK families through the post - only for the discs to disappear.

Speaking anonymously - as they have signed the Official Secrets Act - two workers who recently left HMRC - have told the BBC News website that they were not surprised to hear of the blunder.

Worker A, who left after more than 10 years' service, said: "I wasn't surprised in the least when I heard the news.

The problems with Child Benefit are only the tip of the iceberg.

"Morale is non-existent. Mistakes happen continuously. Rooms full of unopened post are not uncommon.
"

Following the 2005 merger, the agency is now governed by a board made up of a chair, eight other executive directors and five non-executive directors.

Critics and unions complained that combining two distinct organisations, with very different cultures and legal powers, was always going to be a difficult task.

The government has targeted job cuts of 12,500 from the 100,000-strong workforce.

"When the merger was introduced, job duplication meant that many experienced people were made redundant," worker A said.

"So we lost many of our best people.

"Others were moved from pillar to post, and the experience hit morale even harder.

"The lowest paid were all laid off, and all of their workloads were added to everyone else's
."

He complained that after a system called "lean processing" was introduced, jobs were divided up into their individual parts - every aspect was dealt with separately, and no-one has overall ownership or responsibility for the task, he said.

"Arbitrary, individual hourly targets meant that people cut corners," he added. "It doesn't matter if you make mistakes because you won't be held accountable."

Worker B, who was in a middle management post before he left in 2006, also claimed the merger of HM Customs and Excise and the Inland Revenue negatively affected the way the departments worked.

"There was the move to using call centres, which meant that people didn't take personal responsibility any more," he said.

There were all sorts of closures of offices going on and all those sorts of things had a domino effect.

There were additional targets - stretching targets - with reductions in staff, especially experienced staff, which really didn't help the cause
."

He said he would lay the blame for the current problems "primarily at the politicians' doors".

"This is a top-down matter - due to the target-driven, staff-reducing culture."

Source BBC

Tuesday 20 November 2007

Darling Admits HMRC Data Loss

Alistair Darling told the House of Commons this afternoon that a police investigation has been launched into how Her Majesty's Revenue and Customs has lost child benefit records relating to 25 million people.

Records for 25 million people, relating to child benefit payments for 7.25 million families, were sent using the HMRC's own postal system, called grid, but never arrived.

The Chancellor, flanked by PM Gordon Brown, told the House that the National Audit Office requested information which was first sent to them in March, in breach of HMRC procedures, and then returned to HMRC.

In October the NAO made another request and the entire database was put onto two password-protected discs which were sent by grid post.

Those discs did not arrive and cannot be found. A further copy of the information was sent again, this time by registered post.

Darling was first told November 10 and called for an immediate search. On Monday, November 12, he was told HMRC believed it would find the data but on Wednesday Darling called the police in to investigate. Police are continuing to search NAO and HMRC offices.

Darling said in light of the most recent failures, along with previous losses of a laptop and 15,000 records, he was asking Kieron Poynter of PWC to investigate HMRC procedures. An interim report is expected next month and the full report next spring.

Banks have been informed and are monitoring relevant accounts as well as tracking back to transactions made after 18 October. Darling said police had found no evidence of the data being misused.

Vincent Cable, acting leader of the Lib Dems, asked why any information was being sent around via CD rather than electronically and if this was a result of HMRC's ancient IT system.

Richard Thomas, Information Commissioner, said:

"This is an extremely serious and disturbing security breach. This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches.

Any system was only as good as its weakest link
."

Thomas said:

"The alarm bells must now ring in every organisation about the risks of not protecting people's personal information properly.

As I highlighted earlier this year, it is imperative that organisations earn public trust and confidence by addressing security and other data protection safeguards with the utmost vigour
."

Thomas said the PWC report would be passed on to him, "and we will then decide what further action may be appropriate. Searching questions need to be answered about systems, procedures and human error inside both HMRC and NAO."

Jamie Cowper, Director of European Marketing at PGP Corporation, said in a statement:

"These discs should never have been transported in the first place - information of this type should only be transmitted using the strongest security protocols available such as encrypted batch transfer - but more to the point, these details should not have been stored in this medium.

Discs are easy to lose, but difficult to protect. This type of information should only be stored on formats where the data can be encrypted transparently, so that it remains protected wherever it resides, and whether at rest or in motion
."

Source The Register

The Litany of Disasters

Revenue & Customs has a long litany of disasters to confess, ranging from lost laptops to the tax credit 'nightmare':

October 2007

A laptop containing data on up to 2,000 people with investment ISAs is stolen. In Parliamentary answers Ministers reveal that 41 laptops were stolen from HMRC in the past 12 months

September 2007

A CD containing names, national insurance numbers, dates of birth and pension data of about 15,000 Standard Life customers goes missing. The data was lost en route from the Revenue office in Newcastle to the company's headquarters in Edinburgh

August 2007

Businesses registering for VAT for the first time face unprecedented delays because of the Government’s attempts to crack down on carousel frauds and cut costs. In extreme cases, businesses have had to wait more than six months for their VAT registration

May 2007

HMRC forced to extend the self-assessment filing deadline to 28 May and mitigate penalties for late filing, after tax agents complain that the online serivce is so slow that the only way to file a return is at 4am or weekends

May 2007

Parliamentary Accounts Committee reports again on the tax credit system. Committee says £5.8 billion was overpaid to claimants in the first three years of the current tax credits scheme, due to administrative errors by HMRC

February 2007

HMRC comes under fire for offering tax inspectors bonuses of up to £2,000 to encourage them to collect 25 per cent more tax during 2007

December 2006

A National Audit Office report indicates that 5.7 million taxpayers may not be paying the right amount of tax because they are using the wrong tax code. HMRC estimates are that taxpayers have overpaid around £500 million via PAYE, and that £1 billion of tax may have been underpaid

January 2006

HMRC apologises to 10,000 firms after fining them at least £400 each by mistake because of a basic flaw in the design of automatic systems that issue penalty notices

September 2005

The Public Accounts Committee denounces the tax credit system as a "nightmare". MPs say tax credits have been routinely overpaid to 1.8 million claimants and claims the system may be fatally undermined by its complexity. Follows reports from the Ombudsman and complaints from Citizens Advice.

May 2002

Ten months after its launch, the Inland Revenue's self-assessment online tax returns service suffers a major security breach when taxpayers filing their tax return online were able to view each others' personal information.

Source The Times