UK at risk of massive security breach from national IT meltdown
Exclusive: The government is warned of a ‘major’ cyberattack by Russian and Chinese hackers if they keep ignoring warnings to fix HMRC’s crumbling computer system
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.The UK is at risk of a massive security breach that could see bank account details and national insurance numbers leaked because of the government’s failure to upgrade Whitehall’s ageing computer system, The Independent can reveal.
HM Revenue and Customs (HMRC) has sounded the alarm over its “old and ageing IT systems”, sparking warnings from experts that hackers could steal taxpayers’ sensitive data or leave the UK open to the threat of Russian and Chinese hackers.
The risk to the UK’s entire taxation system came as parliament’s Treasury committee prepares to grill HMRC chiefs and board members over the issue, as well as other topics, on Wednesday.
The security warning in the tax authority’s annual accounts, uncovered by The Independent, states the outdated tech could lead to a “major IT failure or security breach” that could “harm our business operations permanently”.
It ranks the risk – codenamed red – and impact of such a breakdown as “high” and warns a cyberattack or malfunction is becoming more likely.
It is the latest warning the government has ignored that could come back to haunt ministers after senior civil servants sounded the alarm about crumbling concrete in schools years before the government was forced to shut over 100 schools in September.
“This risk is red due to continued reliance on old and ageing IT systems with an increased risk of inability to meet operational needs,” the accounts, signed off by HMRC boss Jim Harra state.
The chair of parliament’s Treasury committee, Conservative MP Harriett Baldwin, said the warning was “concerning” and that she would be demanding answers from HMRC officials.
She told The Independent: “It is concerning that our taxation systems, which support our key public services, could potentially be harmed permanently because of out-of-date IT equipment.
“I am sure the committee will seek answers on this issue during our regular scrutiny sessions with HMRC.”
Hanah-Marie Darley, director of threat research at cybersecurity firm Darktrace, told The Independent HMRC was at “increased risk” from hackers because it holds “very sensitive data”.
She said those likely to target its vulnerabilities could include political actors from the “big three” countries for hackers – Russia, China and North Korea – as well as “opportunistic cybercriminals”.
Ms Darley warned that any data stolen from HMRC could be used for identity fraud and even to take over people’s bank accounts.
James Murray, Labour’s shadow financial secretary, said the warning was “shocking”.
He told The Independent: “It is shocking that after 13 years of short-sighted politics, the Tories have let HMRC’s IT systems get so bad that they admit permanent damage could be done by a security breach.
“The Conservatives have failed to make sure schools are safe – and now we learn they have failed to make sure British taxpayers’ sensitive personal data is safe either.”
The Liberal Democrats said the revelation was a symptom of “Conservative neglect” and a “huge cause for concern”.
“It just further proves that Conservative neglect and underinvestment is leaving the public vulnerable at every level. The government’s mismanagement is shocking," said the party’s Treasury spokesperson, Sarah Olney.
Heather Self, a tax expert at advisory Blick Rothenberg, said HMRC holds information on names, addresses, dates of birth, unique taxpayer reference numbers and national insurance numbers, which were attractive to hackers who could sell it on.
Criminals could target “lists of people in specific government departments or people in specific tax brackets”, she said, or steal data to commit identity theft, fraudulent bank transfers, money laundering and open new bank accounts.
“There’s a massive market out there for data like this, and that’s why it’s so important for not just HMRC but for every organisation to be super conscientious of their data security.”
She said it was easy to draw parallels with the recent Raac concrete crisis because maintaining and upgrading IT systems for an organisation the size of HMRC is a “huge expenditure”.
“If budgets are really tight, you don’t necessarily spend the money you should be doing on preventative upkeep of your IT systems,” she added.
The HMRC warning comes after spending watchdog the National Audit Office (NAO) said ageing IT could be the next scandal to hit the government.
NAO boss Gareth Davies said that while IT is not “glamorous”, keeping it up to date is a “driver of long-term value for money”.
“Investing adequately to maximise value for taxpayers and service users is equally vital for IT systems,” he wrote in The Times.
“Recent NAO reports chart how ageing systems are creating problems for service users, such as state pensioners missing out on payments they are entitled to. Outdated technology also acts as a brake on vital innovation in the delivery of frontline services.”
An HMRC spokesperson said: “We run a 24/7 operation across a large IT estate with well-developed systems and processes to monitor and respond to incidents.
“Security and privacy are at the heart of our work, and we are continuously strengthening and modernising our IT estate.”
The Cabinet Office declined to comment.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments