Showing posts with label id theft. Show all posts

Monday, 31 October 2011

HMRC Hackers



There was a rather interesting article in yesterday's Sunday Times, about hackers gaining access to HMRC systems and diverting tax refunds.

The article also refers to an earlier piece on this site (published in June 2011) about 91 client accounts being hacked. The Sunday Times uses the "polite" alternative domain name of this site, www.hmrconline.com.

Here is the article in full:

Tax rebates stolen by Revenue and Customs hackers

HMRC has emerged as the most recent target of hackers after fraudsters tap refunds system and divert funds into their own accounts

Jon Ungoed-Thomas and Cal Flyn


Fraudsters have found a way to hack into government tax records and divert refunds meant for others into their own bank accounts.

An investigation by The Sunday Times has revealed that criminals are secretly examining HM Revenue & Customs’ records looking for anyone who has paid too much tax. They then change the details of the bank accounts into which the repayments are to be made.

Alternatively, the hackers file fictitious tax returns showing large overpayments directly into the HMRC computer in the names of genuine taxpayers, then ask for refunds.

Victims become aware of the scam only when they are officially contacted by HMRC and told an overpayment is being transferred into their account.

HMRC is now facing questions over its security procedures and how the hackers are able to infiltrate its records. Experts claim it has failed to react as promptly as the banks to the risk of online fraud.

Roger Symes, 53, a ship broker from Surbiton, in south-west London, received a letter last month from HMRC advising him of a refund. He said: “They gave details of a bank account into which they were paying the money, but it wasn’t my bank account.

“My accountant said he had the same problem with 18 other clients.” The refunds applied for were between £100 and £4,000.

The hackers are accessing the tax files using the sign-on and passcodes assigned to accountants who file clients’ tax returns online. How they are obtaining these security details is unclear. It is not known whether it is via computer attacks on individual accountancy firms or by breaching HMRC’s own systems.

One hacker who spoke to The Sunday Times this year said he had accessed HMRC’s systems and had been able to obtain details of agent sign-ons and passcodes. A security expert said the claim was credible but HMRC denied its systems had been compromised.

Once a hacker has an agent sign-in, he can read the tax records of all the accountant’s clients, amend them and change the bank account details. Accountants who have spoken to this newspaper said hackers have been accessing taxpayer records for at least two years.

Claire Savage, a chartered accountant in Milton Keynes, Buckinghamshire, spotted irregularities in one of her clients’ files in June last year.

She said: “I called him up to ask about his new bank account, which turned out not to be his at all. When I realised that security had been breached I went through all of my clients’ files. A fair chunk of them — around 10 — were affected, and repayments of up to £3,000 had been requested in each case.” None of Savage’s clients lost money to the fraudsters.

Ralph Hayden, a chartered accountant at GW Cox & Co in Frinton-on-Sea, Essex, said 41 of his clients had been affected by a similar scam, which was first noticed in November 2009.

He said: “HMRC said that it must be our systems that had been breached but we called in computer experts who confirmed that it definitely wasn’t.

“In most cases, a tax return had not yet been filed, so a false return was submitted. In others, their returns had been edited, so that a repayment was now due. HMRC were not advising their frontline staff in case it was an inside job.”

On hmrconline.com, a blog about the HMRC, one taxpayer reveals that his accountant was also targeted. The posting states: “We recently returned from holiday to the news that 91 of our accountant’s client accounts had been hacked at the HMRC government gateway website.

“Hackers had accessed information on 91 individuals or organisations and had entered false end-of-year accounts in order to claim self-assessment refunds.

“We then received a letter from HMRC to advise us that the refunds were on their way to what we knew were false accounts. They actually paid out. HMRC now apparently know what they have done but to add insult to injury they have now started to send demands for repayment to the people [whose] accounts had been hacked.”

Unlike HMRC, the big banks ask customers conducting transactions online to provide additional passcodes for each financial transaction. These are generated by inserting a bank card into a hand-held reader provided by the bank.

Jason Hart, managing director of Cryptocard, a computer security company, said: “If you just had a static passcode, then once it’s compromised, you’re going to be a massive target for the fraudsters. It’s an invisible threat because they can get into your system at any time and you don’t even realise.”

A spokesman for HMRC said: “We take the security of our customers’ data extremely seriously and we do not discuss the details of our security defences ... We actively monitor repayment transactions and continue to address any fraudulent repayments.”



Tax does have to be taxing.

HMRC Is Shite (www.hmrcisshite.com), also available via the domain www.hmrconline.com, is brought to you by www.kenfrost.com "The Living Brand"

Thursday, 9 June 2011

Fraud Matters

UKauthorITy.com reports that Cabinet Office minister, Francis Maude, in an interim report has claimed that steps taken to tackle fraud worth £21BN a year across the public sector had saved £12M in their first few months.

Maude said that eight pilot projects had shown "immediate and startling results" and signalled the end of the "pay first, check later" culture.

One of the projects involved HMRC, which spent (Maude uses the Gordon Brown weasel word "invested") £1M on an "innovative" screening technique for tax credit applications. The tool analyses information provided by prospective claimants on their tax credit application form, compares this against internal and external data, from credit reference agencies for example, and decides the likelihood of the application being fraudulent.

"HMRC piloted the exercise on approximately 4,000 new tax credit applications to test proof of concept and subsequently piloted the new process preventing losses of £10.63m between September 2010 and March 2011".

That seems to be a positive result. However, there still appear to be fraud issues in other areas that need to be addressed.

The ICAEW report the following:

"We have just been advised by one of our members that self assessment tax return fraudsters have struck again...

..the fraud involves repayment claims which are submitted to HMRC online using valid log in details and passwords, requesting payment to a third party bank account."

This chimes with an email I received recently from a loyal reader, who advised me that 91 of his accountant's files had been hacked (it is not clear as to whether the security issue is a failing of an HMRC system, the Government Gateway website or at the accountant's office). I reproduce the text of his email in full:

"We recently returned from holiday to the news that 91 of our accountant's client accounts had been hacked at the HMRC Government Gateway Website, in short hackers had accessed information on 91 individuals or organisations and had entered false end of year accounts in order to claim Self assessment refunds.

The individuals responsible for the aforementioned fraud had managed to set up 91 separate accounts in various banks in the UK and had provided HMRC with the false account numbers and sort codes in order that payments were made direct.

Our accountant spent days talking to HMRC officials advising them of the fraud and I tried constantly to contact them at .70 pence per minute to no avail, I telephoned the police at both Peterborough and Scotland Yard who both said "well it's not your money why worry".

I contacted a corporation tax official who was horrified and did what she could but hit a brick wall, the National Fraud helpline were unable to help and my MP (name supplied) did not have the decency to respond to either my telephone call or my e mails.

Well guess what, we then received a letter from HMRC to advise us that the refunds were on their way to what we knew were false accounts, they actually paid out, HMRC now apparently know what they have done but to add insult to injury they have now started to send demands for repayment to the people whose accounts had been hacked, I myself received one this morning.

This is my last attempt at bringing this matter to light.."


In a further update, it seems that HMRC have now admitted that my loyal reader owes them nothing.

The above indicates that, whatever Maude says, there are still issues that need to be addressed.
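One way to look for the pattern reported in this post and in the Sunday Times article at the top of the page (valid agent log-in details used to point many clients' repayments at newly entered bank accounts), as an added example that is not part of the original post and is not HMRC's own monitoring. The event format, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values for this illustration, not figures from the page.
RECENT_CHANGE = timedelta(days=7)    # a payee set this recently counts as "new"
BURST_WINDOW = timedelta(hours=24)   # window examined per agent credential
BURST_CLIENTS = 3                    # distinct clients that trigger a hold


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed audit events: (time, agent credential, client, action, payee account)
EVENTS = [
    (ts("2011-05-01 10:00"), "AGENT-B", "C102", "bank_details_changed", "ACC-5102"),
    (ts("2011-06-01 09:10"), "AGENT-A", "C001", "bank_details_changed", "ACC-9001"),
    (ts("2011-06-01 09:11"), "AGENT-A", "C001", "repayment_requested", "ACC-9001"),
    (ts("2011-06-01 09:14"), "AGENT-A", "C002", "bank_details_changed", "ACC-9002"),
    (ts("2011-06-01 09:15"), "AGENT-A", "C002", "repayment_requested", "ACC-9002"),
    (ts("2011-06-01 09:20"), "AGENT-A", "C003", "bank_details_changed", "ACC-9003"),
    (ts("2011-06-01 09:21"), "AGENT-A", "C003", "repayment_requested", "ACC-9003"),
    (ts("2011-06-01 09:30"), "AGENT-A", "C004", "bank_details_changed", "ACC-9004"),
    (ts("2011-06-01 09:31"), "AGENT-A", "C004", "repayment_requested", "ACC-9004"),
    (ts("2011-06-01 11:00"), "AGENT-B", "C102", "repayment_requested", "ACC-5102"),
    (ts("2011-06-02 14:00"), "AGENT-B", "C101", "bank_details_changed", "ACC-5101"),
    (ts("2011-06-02 14:05"), "AGENT-B", "C101", "repayment_requested", "ACC-5101"),
]


def repayments_to_new_payee(events):
    """Repayment requests whose payee account was entered within RECENT_CHANGE."""
    last_change = {}  # client -> (time of change, account)
    hits = []
    for when, agent, client, action, account in sorted(events):
        if action == "bank_details_changed":
            last_change[client] = (when, account)
        elif action == "repayment_requested":
            changed = last_change.get(client)
            if changed and changed[1] == account and when - changed[0] <= RECENT_CHANGE:
                hits.append((when, agent, client, account))
    return hits


def agents_to_hold(events):
    """Agent credentials with such repayments for BURST_CLIENTS or more
    distinct clients inside one BURST_WINDOW, mapped to the clients affected."""
    by_agent = defaultdict(list)
    for when, agent, client, _account in repayments_to_new_payee(events):
        by_agent[agent].append((when, client))
    flagged = {}
    for agent, hits in by_agent.items():
        hits.sort()
        for i, (start, _client) in enumerate(hits):
            clients = {c for t, c in hits[i:] if t - start <= BURST_WINDOW}
            if len(clients) >= BURST_CLIENTS:
                flagged[agent] = sorted(clients)
                break
    return flagged


if __name__ == "__main__":
    for agent, clients in agents_to_hold(EVENTS).items():
        print(f"hold repayments and contact {agent}: {', '.join(clients)}")
```

A single client changing bank details before a refund (C101 above) is recorded but does not trigger a hold; the signal is one credential doing it across several clients in a short period.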

Tax does have to be taxing.

Friday, 28 May 2010

Datagate III - An Ongoing HMRC Farce


HMRC seems to be developing an addiction to sharing people's private financial details with the wider world.

Not content with the Datagate fiasco of 2007, when a database containing 25 million child benefit records went missing, HMRC have sent by the post the private financial details of up to 50,000 people who claim tax credits to other claimants.

Claimants were sent their annual tax credit award notice, coupled with personal details of other claimants (eg earnings, bank sort codes and the last four digits of the bank account number of other claimants).

HMRC claim that this was a printing error.

By "printing error" do they actually mean IT error?

HMRC also claim that the details mistakenly sent out cannot be used to commit id theft.

This of course is bollocks, any extra details about a person's bank or financial status can make a fraudster's task just a little bit easier.

It seems that, despite numerous warnings and cock ups, HMRC still don't "get" the concept of data security.

I guarantee that the HMRC "investigation" into this will finger some junior member of staff as the official scapegoat.

Does anyone actually trust HMRC anymore with their private data?

Tax does have to be taxing.

Tuesday, 15 September 2009

Hackers Steal £1M From HMRC

In August I noted the following:

"Be warned there is a nasty fraud going on whereby agents' online details are being hijacked, and tax refunds diverted.

'There is no reason to believe that the users' security details that have been used fraudulently were obtained from HMRC.'

As per an HMRC statement quoted on Accounting Web

Given the security risks, is compulsory online filing such a good idea?"

Last weekend This Is Money reported that £1M has been stolen from HMRC by hackers.

"The thieves filed returns online using the passwords of genuine self assessment taxpayers - then diverted the money to bogus accounts.

The sting prompted concern yesterday that the fraudsters may have obtained the passwords from one of the many Whitehall laptops stolen over the past few years."

I wonder if this is in any way part of the same fraud I warned about in August, that HMRC tried to blame the tax agents' "poor" in-house security for?

Somewhat of a coincidence is it not?

Tax does have to be taxing.

Friday, 7 August 2009

ID Theft

Be warned there is a nasty fraud going on whereby agents' online details are being hijacked, and tax refunds diverted.

"There is no reason to believe that the users' security details that have been used fraudulently were obtained from HMRC."

As per an HMRC statement quoted on Accounting Web

Given the security risks, is compulsory online filing such a good idea?

Tax does have to be taxing.

Wednesday, 5 August 2009

Security and Outsourcing

It seems that the government and HMRC are considering outsourcing certain IT functions to processing offices in India, in an attempt to save £205M per annum.

HMRC and its main IT contractors Capgemini and Fujitsu are considering outsourcing certain IT functions to India under the Quantum cost reduction project.

Staff, the media and politicians speculate that this may mean that tax records will be sent abroad. HMRC deny this.

However, a leaked memo states that the Quantum project included looking at the "potential off-shoring of some future work".

That would indicate that some records will be sent offshore.

Given the lax security standards of Asian processing centres, this proposal needs to be nipped in the bud ASAP.

Tax does have to be taxing.

Tuesday, 21 July 2009

Power Corrupts - ID Cards and HMRC

The Guardian highlights the dangers of government departments, such as HMRC, using the data gathered via the ID card scheme to go on fishing trips (outwith genuine enquiries, wrt serious criminal offences being investigated).

"The controversial ID card system, which has been amended over the last few weeks, may well be used by various government departments to track individual spending habits and assets.

In a relatively unpublicised move the UK government has given the Treasury department, and specifically tax inspectors, the ability to access the ID card database, which shows big-ticket items acquired by individuals in the UK.

It is believed that by using information on the database, the various tax authorities could ultimately create an audit trail of spending and assets for each individual in the UK."

It seems that the Home Orifice is reluctant to comment on this issue.

Using HMRC as a government spy will further undermine its reputation and indeed its effectiveness (as time will be wasted by HMRC staff who end up spending their time fishing in "uninteresting backwaters", rather than proactively targeting those who are known to be defrauding the tax system).

It goes without saying that the civil liberties implications of this are somewhat "worrying", to say the least.

Tax does have to be taxing.

Wednesday, 21 May 2008

Catch 22 - A Dilemma

I understand that those in charge of HMRC have presented those who work for HMRC with something of a Catch 22 dilemma.

Allow me to explain.

When people apply for a CIS card, Tax Credits, or register for Self Employment they are required to produce several forms of ID at a Revenue office.

So far so good.

One of the forms of ID can be a letter from a Government department to the applicant's home address.

With me so far?

Now here is where it becomes a little more tricky.

Imagine that you are a failed asylum seeker.

What would you do to prove your identity?

Yes, that's right, you would use a letter from the Home Orifice.

After all, the Home Orifice is a "respected" government institution, a letter from them surely would cut the mustard...wouldn't it?

In theory yes it would, until that is you actually read what the letter says.

Now what do you think that this letter says?

Shall I help you here?

It says that the failed asylum seeker is specifically forbidden from working or claiming benefits, as the failed asylum seeker has been denied rights to asylum.

Now a logical and sensible employee of HMRC would of course use this letter as the basis for denying benefits/tax credits. Unfortunately those who run HMRC are not very logical, sensible or indeed very bright.

Those in charge of HMRC have issued an edict to their staff telling them to accept these letters as a valid form of ID for verification purposes.

Let me just remind you one more time:

THE LETTERS SPECIFICALLY FORBID THE RECIPIENT FROM WORKING OR CLAIMING BENEFITS!!!

To add insult to injury, the staff at HMRC have also been expressly forbidden from notifying the Home Orifice etc of the fact that this "client group" is breaking the law, due to the "data protection" implications.

Am I the only one who finds this to be completely absurd?

Would those who "run" HMRC care to comment?

Tax does have to be taxing.

The New Statesman, Britain's leading political magazine is delighted to announce that HMRC Is Shite has been nominated for a New Media Award in the category of Campaign For Change. The campaign for change award will go to the individual or organisation that has most effectively influenced opinions and behaviour through the use of new media technology. The winner of this award will champion a cause and provide information and tools to instigate change.

Monday, 25 February 2008

HMRC Buys Stolen Goods

Some rather interesting news emerged over the weekend, about HMRC buying a series of CDs containing the personal details (eg bank accounts) of a large number of British citizens.

Could this be the missing CDs that HMRC lost last year, containing the details of 25 million child benefit claimants?

Errrmmm......No.

These CDs apparently contain the details of a large number of wealthy people who hold bank accounts in Liechtenstein.

HMRC are so keen to track down every penny of tax, that they believe is owed to them, that they have now stooped to paying off nefarious characters in order to obtain information about suspected tax evaders.

HM Revenue & Customs paid £100K to Heinrich Kieber, for data that it will use to launch investigations of up to 100 British citizens who have accounts at Liechtenstein's biggest bank (LGT).

Now, you may well ask, how did Herr Kieber obtain this data?

Well, he seems to have nicked it.

In 2004 he was convicted of fraud for stealing sensitive information from his employer, LGT, the biggest bank in Liechtenstein, which is controlled by the principality's royal family.

Nice doing business with you Herr Kieber!

Maybe someone should remind HMRC that it is an offence to knowingly handle stolen goods?

Now that these CDs are in the hands of HMRC, given their lamentable track record with regard to information security, can we expect these CDs to be "lost" and then appear on the open market again for purchase at the highest price?

Of course HMRC would argue that none of this subterfuge, unpleasant dealings and costs (in terms of time, money and effort) would have to be undertaken if people didn't go to such extraordinary lengths to evade tax.

That in itself is true, up to a point. However, one of the prime motivations for tax evasion is the complexity of the tax system.

Simplify the tax system to resolve this problem, and cut the costs of collecting tax:

- increase the personal allowances to around £10K
- introduce a flat rate of tax of around 20%
- abolish all other perverse taxes such as; stamp duty, CGT, IHT, NI etc
- increase the rate of VAT to make up the shortfall

Do the above, and there will be a dramatic reduction in the amount of time, effort and money expended by both taxpayers and HMRC in trying to wade their way through the tax system.

Tax does have to be taxing.

Monday, 11 February 2008

HMRC Talks Bollocks

You will doubtless all recall the recent furore over the news that certain "special" people (eg MPs and celebs) are forbidden from filing their tax returns online, because HMRC believe that they deserve greater security?

In other words, HMRC don't believe that their online filing system is secure.

Needless to say, HMRC don't quite agree with that interpretation (as it totally undermines the credibility - not that it has any - of their online filing system).

As such, they recently issued the following announcement

"HMRC Online Services - secure and safe to use

Some newspapers and broadcast media have claimed that HMRC's online filing systems are not secure because Members of Parliament and a small number of other taxpayers cannot use the Self Assessment service.

This is completely untrue. A small minority of taxpayers, including MPs, cannot currently use online services because the additional internal safeguards on their records mean that their taxpayer reference numbers are not recognised on the authentication system.

This therefore has nothing to do with the security of our online services. HMRC online services use the highest levels of encryption generally available and authentication processes similar to online banks.

HMRC is continuing to explore ways to extend online filing to all taxpayers.

Almost 3 million Self Assessment taxpayers have used SA online to file their return safely and securely."

So that's alright then, isn't it?

Errrmmmm...no, not quite!

When they say "HMRC online services use the highest levels of encryption generally available and authentication processes similar to online banks" they are talking bollocks.

As we all know, banks (eg Barclays) are in fact rolling out authentication terminals to be used at home for all of their online account customers.

For why?

Banks know that simple password/username security systems are not actually that secure; and can be/have been breached.

Meanwhile, the good old boys in the HMRC bunker continue to insist that a username/password system (not even random character password) is safe. They have no stated intention of upgrading it.

Complete bollocks!
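The contrast drawn in this post and in the Sunday Times article quoted at the top of the page, between a static username/password and the per-transaction codes produced by a bank card reader, shown as an added example. It is not from the original posts and is not any bank's or HMRC's actual scheme: it is a simplified HMAC code bound to the payee account, and the key, passcode and account numbers are constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo secrets; neither comes from HMRC or any bank.
STATIC_PASSCODE = "agent-passcode-123"
DEVICE_KEY = b"constructed-per-user-device-key"


def static_authorise(presented, sort_code, account, amount_pence):
    """Static model: the passcode says nothing about payee or amount,
    so whoever holds it can authorise a repayment to any account."""
    return hmac.compare_digest(presented.encode(), STATIC_PASSCODE.encode())


def transaction_code(key, counter, sort_code, account, amount_pence):
    """Eight-digit code valid for one counter value and one payee/amount."""
    msg = struct.pack(">Q", counter) + f"{sort_code}|{account}|{amount_pence}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F  # HOTP-style dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class RepaymentVerifier:
    """Server side: recomputes the code for the payee actually requested."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def verify(self, code, sort_code, account, amount_pence):
        expected = transaction_code(self.key, self.counter,
                                    sort_code, account, amount_pence)
        if hmac.compare_digest(code, expected):
            self.counter += 1  # each code is accepted once
            return True
        return False


def demo():
    genuine = ("00-00-00", "11111111", 250_000)    # constructed payee details
    diverted = ("00-00-00", "99999999", 250_000)   # same refund, different account
    verifier = RepaymentVerifier(DEVICE_KEY)
    captured = transaction_code(DEVICE_KEY, 0, *genuine)  # code the user generated
    return {
        # A stolen static passcode works whatever the destination account is.
        "static_passcode_on_diverted_payee": static_authorise(STATIC_PASSCODE, *diverted),
        # A captured per-transaction code fails once the payee is altered...
        "captured_code_on_diverted_payee": verifier.verify(captured, *diverted),
        # ...is accepted for the payee it was generated for...
        "captured_code_on_genuine_payee": verifier.verify(captured, *genuine),
        # ...and cannot be used a second time.
        "captured_code_replayed": verifier.verify(captured, *genuine),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```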

Tax does have to be taxing.

Thursday, 31 January 2008

Duchy Originals

Following on from my earlier article about HMRC's security protocols preventing "special people" (MPs, celebs and royals) from filing their tax returns on line (seemingly HMRC do not feel that the IT system is secure enough for such high profile individuals), I have been advised that this special status also appears to apply to anyone who works for the Royal Family.

That would include, for example, the staff employed by the Duchy of Cornwall (98 as per the 2007 accounts).

Add in all other royal staff at the numerous palaces, castles etc and you come up with a reasonably large number of people.

Given that the data will have to be manually input into a special secure area, does this not represent quite a large amount of unnecessary extra work for the already overworked HMRC staff at the "coal face"?

Wouldn't it be better to simply improve the IT systems, and ensure that they offer all citizens the same level of security?

Saturday, 26 January 2008

Back To The Stoneage

I understand from my sources that HMRC is so rattled by the data loss problems that it has been experiencing, that it is now attempting to "improve" its internal security.

-More firewalls?

-Improved procedures?

-Upgrading systems?

-Encrypting discs?

Errmmm not quite.

HMRC's "new" policy allows them to use second class post (how many credit cards get "lost" by our world class post office?).

Not very secure so far is it?

However, here is the really cunning part of the plan; designed to stop security breaches once and for all.

Revenue staff are now no longer allowed to use email or fax to communicate with the world.

Brilliant!

A master stroke!

They are allowed to speak on the telephone, once the security checks have been done.

I guess that in the 21st century, reverting to stoneage methods of communication may well foil those criminals who use "sophisticated" methods to steal data. However, given:

- the workload of the HMRC,
- the staff cuts,
- the complexity of the tax rules
- and the fact that we live in the 21st century

I would have thought that HMRC staff should be allowed to use modern techniques and tools.

Stones and flints are really not the most effective tools for a 21st century organisation.

However, all is not lost, HMRC have allowed one modern technique to still be used. It is still possible for staff at HMRC to download databases onto discs, then send them by second class post.

What a fantastic organisation!

Coming soon, to an HMRC office near you, the semaphore.

Wednesday, 12 December 2007

The Accident Waiting To Happen

It should come as no surprise whatsoever to learn that the government was warned, nearly 4 years ago, that the "Datagate" fiasco at HMRC was an accident waiting to happen.

Auditors warned the government in March 2004 about a series of potential dangers in the way that HMRC staff used a database containing 25 million child benefit records.

Specifically the auditors warned that the system was open to fraud.

Did the government or HMRC do anything to address the issues raised by the auditors?

Did they fuck!

HMRC and the government, because of their negligence and incompetence, have jeopardised the personal security of 25 million people for the next 20 years.

The 25 million people affected should sue the government and HMRC, via a class action, for negligence and incompetence.

Despite "Datagate", it seems that the government still hasn't learnt its lessons from this fiasco:

  • Two computer discs with details of more than 7,000 Northern Ireland motorists have been lost in the post after being sent to the DVLA in Swansea
  • Confidential personal details of dozens of prisoners, including their criminal records, have been delivered to a private company instead of going to Norfolk Police
  • Personal details of 1,800 Merseyside health-authority staff, including their salaries and pension details, have been accidentally sent out to a number of private firms

The government, and its organs of state, cannot be trusted with the private details of its citizens.

The only way to make this government take security of personal data seriously is to make a class action against it, using the HMRC case.

Monday, 10 December 2007

Wanted Dead or Alive

Following on from the "Datagate" fiasco, the ever "on the ball" and "alert" directors of HMRC have "sprung" into action and offered a reward for the return of the missing discs that contain the personal details of 25 million people.

Now the data on the discs, were it to fall into the wrong hands, is estimated to be worth around £1.5BN on the black market. Therefore only a substantial reward is likely to encourage the more nefarious elements of society to hand these discs over.

How much then are HMRC offering as a reward?

-£1M?

Lower!

-£500K?

Lower!

-£100K?

Lower!

-£50K?

Lower!

Give up?

HMRC value the data at a mere £20K maximum. That means that they believe that the data, and by definition the security of the individual taxpayer, is worth no more than 0.008 pence per head.

That is how little they value their "customers", no wonder they treat security with such a cavalier attitude!

The search by the police has proved fruitless, and they have issued an appeal to all HMRC, National Audit Office and Treasury staff to check at work and "other locations" for the discs.

I wonder if HMRC know where all these "other locations" really are?

A pathetic response to a fiasco that should never have happened in the first place.

Send for Dog The Bounty Hunter!


Thursday, 6 December 2007

Systemic Failure

Quelle surprise!

David Hartnett, the director general of the HMRC, has admitted that there have been other HMRC blunders that have led to data loss.

You know I wonder why people don't just take a class action against these idiots for negligence and incompetence, as their actions have placed the personal security of millions at risk over the next 20 years.

Hartnett has admitted there have been seven other significant data losses in recent years.

He told the Treasury select committee that there had already been seven instances of data loss, classified internally as "of some significance", since the Inland Revenue and Customs & Excise merged in 2005.

Why are we only hearing about these losses now?

Rather embarrassingly for Chancellor Alistair Darling, these revelations contradict his claims that the recent loss of data was an isolated incident.

Hartnett agreed with committee chairman Michael Fallon when he asked:

"If you have had seven serious security breaches in the two-and-a-half years since you were set up doesn't that indicate systemic failure?"

Among the cases of lost data, admitted to by Hartnett, was the case in Nottingham where "confidential waste" literally fell off the back of a lorry.

In another incident, a laptop holding the information of 15,000 Standard Life customers was lost by HMRC.

In May, a number of letters containing tax credit information were sent to the wrong addresses.

These are just the cases that HMRC are reluctantly prepared to admit to.

What else is going on that they haven't yet admitted to?

Clearly the HMRC is not fit for purpose.

I would also ask this: if HMRC is not fit for purpose, and the head of HMRC has publicly admitted that there has been systemic failure, why is it that Gray (the ex-head) is still being paid £200K for doing sweet FA?

A class action is what is needed here. Lawyers such as Milberg Weiss in the US would be ideal for such an action.


Wednesday, 5 December 2007

A Question of Security

There has been much "hoo hah" in the media and parliament recently about the HMRC data loss debacle.

That is hardly surprising given that the personal security of 25 million people has been put in jeopardy for the next 20 years or so.

However, when such large numbers are involved, it is sometimes easy to forget that these security lapses affect real people with real families and real lives. It is also worth remembering that this is not the first time (or, I suspect, the last) that HMRC has placed the security of individuals at risk because of its cavalier attitude to its "customers" and their personal data.

Here is one example of lax security, sent to me by Graham:

"Mr Peter Edmondson

Complaints Manager
HM Revenue and Customs
Debt Management and Banking
Complaints and Redress
Victoria Street
Shipley
West Yorkshire
BD98 8AA

C.C. Richard Summersgill,
Director,
Tax Credit Office,
Preston,
PR1 0SB.

28 November 2007.

Reference 1 : xxxxxxxxxx
Reference 2 : SAR ref: xxxxx

Dear Sir or Madam,

I am writing to complain about a most serious occurrence. This becomes even more serious when one takes into account the current publicity about the data protection fiasco that exists not only within HMRC, but throughout Government departments as a whole.

Yesterday I received some of the data requested in my Subject Access Request of 21 October 2007, in the form of a two-inch stack of A4 sized paperwork. Sometime after sealing, the package had been opened and then deposited inside a clear polythene bag, secured with a plastic tie-wrap, by Royal Mail.

The bag contained no communication from Royal Mail that the package had been damaged in transit. The opening on the “jiffy-bag” seems to have been made with a knife or other sharp implement of some description – I believe that it is too neat to have been an accidental opening.

The package was sent by second class, untraceable, mail and the postmark was not dated. The accompanying letter had a date of 20 November 2007, and I received the package on 27 November 2007. There therefore exists the possibility that the extensive data contained within the package could have been open to scrutiny, by the unscrupulous, for several days.

Also, because I had not received an acknowledgement from HMRC to my SAR request, I did not know whether to expect this information or not – and was, in fact, about to write another complaint letter on that very subject; it seems I have been pre-empted. To make the package even more attractive to interception, the return address that was printed on the address label informed the reader that this was from the SAR department – an open invitation for prospective data thieves.

The data printouts contained in the package included:

My address, my previous addresses, my NI number, my telephone numbers, details of my employer and MY BANK DETAILS.

My current partner’s address, NI number, telephone numbers, details of employer and her BANK DETAILS.

My former wife’s NI number, details of employer and BANK DETAILS.

It is known, although not yet widely, that both internal and external fraud are major problems at the Tax Credit Office. The details, outlined above, are sufficient to pass your current security checks when talking to HMRC Tax Credit Officials or contracted Operatives on the telephone.

HMRC, unfortunately, are in the position of being Trustees of my personal and vulnerable data. I was in the Royal Navy Submarine Service for twenty years, working on Diesel, Fleet Nuclear, Polaris and Trident submarines and know quite a lot about security, security policies and data security. I, therefore, never leave things to chance:

With immediate effect, please issue me with a new NI number.

I will be contacting my bank to ask if it is possible to issue me with a new account number. I have held this account for 33 years! I demand that any costs incurred in changing my bank account number be reimbursed by the relevant Department within HMRC.

I am not in contact with my former wife. HMRC are to inform her of this probable breach of her personal details, and the possible dangers.

My current partner will be contacting you independently.

I have contacted the Police, and they have advised me to contact Royal Mail Investigations. I shall. This, however, will only deal with the probability that my package was intercepted within the postal system. The onus of the content and the method by which it was sent will fall on HMRC.

It is also worth highlighting that this complaint has implications for every communication that HMRC send, from the simplest letter, to award notices and beyond. As the bare minimum, everything should be sent by some traceable means.

Please note that I am forwarding a copy of this letter to my MP, other influential Politicians and The Information Commissioner, as well as several newspapers. I am also the WebMaster for Tax Credit Casualties and will be publicising it to their ever-growing membership.

I will, however, remove my vulnerable details before doing so!!

Yours Sincerely
..."

I wonder how many more of these cock ups are out there, yet to be discovered?


Tuesday, 4 December 2007

The Comeback Kid

Question:

-When is a resignation not really a resignation?

Answer:

-When you are a senior member of the HMRC.

As proven by the very curious case of the recently "resigned" ex head of HM Revenue and Customs, Paul Gray. Gray "fell on his sword" (temporarily it would seem) over the fiasco of the loss of data belonging to 25 million people.

At the time, when Gray "resigned", one could have had a degree of respect for the man for actually taking such prompt and swift action to demonstrate that he took responsibility for this mother of all fuck ups.

Unfortunately any feelings of respect for him have been somewhat short lived, as he has now made a stunning comeback (after only 13 days) on a salary of £200K per annum.

Not bad for someone who put the security of 25 million people at risk for the next 20 years.

Gray has taken up a position under Sir Gus O'Donnell, the Cabinet Secretary.

Here are a few more questions:

-What is his new role?

-Something important?

-Something worth £200K per annum?

Well, not exactly.

He is now involved with "special projects to develop civil service skills".

The Civil Service bullshit their way through this "jobs for the boys" appointment as follows:

"..for contractual reasons, he remains a senior civil servant. He will be leaving the civil service at the end of this year.

In the meantime, he has agreed to a request from Cabinet Secretary Sir Gus O'Donnell to undertake a short piece of work on cross-government matters until Christmas.

When he resigned with immediate effect, Paul Gray's period of notice meant that he would be paid until the end of the year.

As a result, he could receive payment for no work, or receive payment for doing some work.

It was thought to be better in the public interest that he did some work. There is no additional cost to the public purse. He will leave the payroll on 31 December."

Now that bullshit above might be plausible to those people, such as those in the civil service, who have no experience of the real world. However, those of us who have experience of the real world can use a simple but effective accounting term to describe the above reasoning.

It is bollocks!

It would be very easy to argue, were it to be taken to court, that Gray resigned because of gross incompetence and negligence. After all, if the loss of data belonging to 25 million people isn't incompetent then what is?

Were he not to have resigned he would have been sacked.

Those lower down the pecking order in the HMRC would most certainly not have been treated so well.

Based on the above, he most certainly is not deserving of remaining under contract.

In the private sector, when senior staff are sacked (for restructuring reasons, rather than incompetence) they often re-emerge as "consultants" on a higher level of pay. The nature of the reported figures means that the headcount of full time staff will appear to have fallen, even though the reality is different.

The government, Gordon Brown and Gray's chums haven't got that nice fig leaf to hide his reappointment.

One must therefore ask, what does he know that the government and his ex-boss Gordon Brown are so afraid of that they are willing to take the flak for this most absurd public appointment?

There are some very large skeletons in the HMRC cupboard just waiting to come out.

Mark my words!


Monday, 3 December 2007

Heads in The Sand

Much like ostriches with their heads in the sand, the people "in charge" of HMRC are refusing to learn the lessons of the recent shambolic loss of data and are still using the post to transfer people's personal details.

The Telegraph reports that details of 9 million people's investments (worth £60BN) are being sent insecurely through the post, because HMRC requires these discs to be unencrypted.

HMRC requires fund managers to submit details every year of all investors' names, addresses, dates of birth, National Insurance numbers and the amount each individual has invested in Isas and Peps.

So far so good.

However, HMRC stipulates that this data must be delivered in an unencrypted extended binary coded decimal interchange code (EBCDIC), or American standard code for information interchange (ASCII) text format.

Why does HMRC make such a stipulation?

Richard Saunders, chief executive of the Investment Management Association (IMA), believes that he has the answer:

"I assume this is because HMRC does not have systems to cope with this information in encrypted form and it may cost more for it to have systems that cope with secure data."

Mr Saunders has written to David Hartnett, chairman of HMRC, asking for this practice to be stopped. He awaits a response.

A spokesman for HMRC said:

"Sorry, we are not commenting as this falls under the terms of reference of the Poynter review."

So that's alright then!

They just don't get this security issue do they?


Thursday, 29 November 2007

Fuckwits

Congratulations to the HMRC for proving that despite things being farking awful last week, it is more than capable of making things worse.

In a rush to cover backsides, and to look contrite, HMRC sent millions of apology letters to those who had their personal details placed at risk as a result of the HMRC disc blunder.

Unfortunately this act of contrition exposed the hapless victims of HMRC incompetence to even greater risk of fraud and id theft:
  • The postal system is notoriously open to abuse and theft (over a million letters are lost every day)


  • The apology letters contained the details on the missing discs. Thereby giving the criminals another bite of the apple


  • The letters which contain names, National Insurance and child benefit numbers are being delivered to the last known addresses of the recipients.

    It doesn't take a genius to realise that some of the millions of people sent these letters may have moved (1 in 10 people move each year). Therefore many of the letters containing these private details are being delivered to the wrong people.

    Oh, but that's alright, HMRC are blaming the taxpayers who have moved for not keeping HMRC up to date with their moves.

Hardly a stellar performance from the HMRC.

Have the people in HMRC never been trained in the basics of security, fraud and id theft prevention?

Needless to say this latest screw up has brought more problems down on the heads of those claiming to run the HMRC. The Information Commissioner will now investigate this latest security lapse.

The Information Commissioner is now pursuing three inquiries into breaches of confidentiality by HMRC.

It would seem that the people running HMRC, and indeed the government itself, have little clue about the concept of security and id theft; this is the same government that wants to impose a national id card scheme on an unwilling population.

Those who don't receive a letter of apology are being asked to ring an HMRC helpline.

Congratulations to the HMRC for making matters worse and exposing 25 million people to the threat of fraud and id theft twice in two weeks, a double whammy.

Fuckwits!


Friday, 23 November 2007

Data Laws May Have Been Breached

Unencrypted discs with 25 million Child Benefit records on them were handed to an accountancy firm by government auditors, it has emerged.

The National Audit Office (NAO) gave the CDs - similar to the ones lost by HM Revenue and Customs (HMRC) officials - to accountants KPMG for auditing.

It said the discs - with bank account details on them - were delivered "by hand" to KPMG and returned safely.

The Information Commissioner is probing whether data laws were broken.

A spokesman said the commissioner would be looking at "all aspects" of data protection surrounding the missing Child Benefit records as part of its investigation.

Source BBC

The HMRC has been remarkably cavalier with people's data. Do they have any concept of the risks posed by distributing private data to all and sundry?