HMRC records 60% rise in serious personal data incidents in FY24


The tax department’s annual report reveals that a total of 29 breaches, affecting more than 35,000 individuals, were escalated to data watchdog the Information Commissioner’s Office during the 2023/24 year

HM Revenue and Customs recorded an annual rise of more than 60% in the number of personal data incidents that required reporting to authorities in the 2023/24 year.

In the 12 months to 31 March of this year, the tax agency reported 29 “serious data-related incidents” to regulator the Information Commissioner’s Office. These incidents collectively impacted 35,645 individuals, according to the department’s annual report.

Both of these figures represent a big rise on 2022/23, when HMRC reported to the ICO 18 serious potential breaches of personal data that affected a cumulative tally of 10,209 people.

The 29 incidents that occurred in FY24 included six occasions in which “personal information [was] used to make changes to customer records on HMRC systems without authorisation”, and three instances of the “loss of inadequately protected electronic equipment, devices or paper documents from secured government premises”. There were also two further times in which such losses took place from non-government locations.

This tally of 11 breaches is more than double the five incidents recorded across these categories in the prior year.


Related content


In 2023/24 there were 14 reports of other forms of “unauthorised disclosure”, and four additional incidents which do not fall into any category. These figures compare with 11 and two such breaches that occurred in FY23.

“We take all these incidents seriously and are acting to address them,” the HMRC report said. “We have used the lessons learned from these incidents to review and strengthen our customer identity and authentication processes. Protecting customer data is important to us and we continually monitor our processes to prevent recurrences. We are also delivering enhanced data security, governance and reporting across HMRC.”

During the 2024 fiscal year HMRC continued delivery of a £200m programme intended to “review and remediate existing systems to ensure they are fully compliant with General Data Protection Regulations”.

By the end of the year, a total of 76 IT systems had completed their remediation process – a rise of 17 compared with March 2023.

The report noted that such are important as the department encounters “1.5 billion suspicious or malicious events [that are] blocked by our cybersecurity team every month”. These events are drawn from a total of 200 billion that are analysed for potential security threats.

In response to enquiries from PublicTechnology, HMRC indicated that heightened protections implemented by the department include the use of the new GOV.UK ID Check app to verify users’ identity via biometric facial scans, as well as the use of multi-factor authentication to secure online tax accounts.

A spokesperson for HMRC added: “We take the protection of our customers’ information very seriously and monitor our systems and data to ensure information is safe. We investigate all security incidents and continuously invest in security systems to ensure they offer the latest protection. We are aware of our data protection obligations and are committed to meeting them.”

Sam Trendall

Learn More →

2 thoughts on “HMRC records 60% rise in serious personal data incidents in FY24

  1. Beauty Fashion November 25, 2024 at 9:17 am

    I’d like to find out more? I’d love to find out more details.

  2. Beauty Fashion December 2, 2024 at 4:48 am

    I just like the valuable information you supply on your articles. I will bookmark your blog and take a look at again here frequently. I’m quite certain I will be told plenty of new stuff proper here! Best of luck for the next!

Leave a Reply

Your email address will not be published. Required fields are marked *