Serious IT governance issues at UK Revenue & Customs (HMRC)

HM Revenue & Customs (HMRC) continues to face multiple IT-related security, procurement, and systems issues. These problems raise serious doubts about the agency's IT governance and management.
Written by Michael Krigsman, Contributor

Most recently, HMRC lost a CD containing personal information and pension data for 15,000 clients of UK insurer Standard Life. According to The Register:

The lost disc contained names, national insurance numbers, dates of birth, addresses, and pension data. Information such as this would easily lend itself to abuse by crooks if it fell into the wrong hands. Providing fraudsters were able to read the disc they might be able to apply for loans or credit cards under false names.

News of the loss of the disc, which should have arrived five weeks ago, emerged over the weekend after Standard Life sent out warning letters to its clients. Standard Life's director for customer services, John Gill, told BBC Radio 4's Money Box program: "We have no evidence that the disc has fallen into third party hands and we have also been closely monitoring all the accounts and have seen no indications of any suspicious activity."

Despite the severe identity theft risk posed by the data loss, Standard Life did not notify its customers until five weeks after the loss occurred.

HMRC initially refused to confirm whether or not the disc was encrypted. However, a follow-up by ZDNet in the UK established that the disc was not encrypted:

[The disc] was not encrypted, an HMRC spokesperson told ZDNet.co.uk.

The data contained on the disk included the surnames and initials of the individuals, as well as their National Insurance numbers, dates of birth and pension plan numbers. That the disc was not encrypted means the details can be read more easily.

In a separate incident, the BBC reported that a laptop containing sensitive taxpayer data was stolen from an employee's car trunk:

HMRC refused to comment on how many individuals may now be at risk, or how many financial institutions have had their data stolen as well.

But inquiries by the BBC suggest the computer held data on around 400 customers with high value individual savings accounts (ISAs), at each of five different companies - including Standard Life and Liontrust.

The HMRC has contacted the firms involved and asked them to contact their customers in turn.

In yet another situation, HMRC has threatened to sue EDS over botched project payments. From Techworld:

The UK's revenue and customs department (HMRC) is considering court action against IT services contractor EDS over the level of compensation it has so far paid under a controversial deal linking re-payments to future government contracts.

Problems with a computer system provided to implement tax credits at HMRC led to millions of pounds of over-payments. HMRC signed the £71.25 million ($146 million) compensation deal with the firm in November 2005, with more than £25 million of the settlement dependent on the contractor winning future government work - a provision strongly criticized by the Public Accounts Committee.

But last week HMRC chair Paul Gray told the committee that the level of payments made by EDS so far had been "lower than expected." At the end of last year, payments made under the clause were just £250,000. Gray said: "The flow of further payments over the last few payments continued to be extremely small."

Gray had met senior EDS executives and "agreed steps that we believe will accelerate the rate of payments from January 2008", but pledged to "return to litigation" to secure the full balance. HMRC was determined to recover the money even if the flow of new business to EDS was not sufficient to fund the repayments, he told the MPs.

Something is wrong at HMRC. While these incidents may be completely unrelated, more likely they point to an underlying, systemic IT management and governance problem at the agency.