From PAYE to P45: HMRC staff fired for prying into taxpayer data
- Reference: 1755516608
- News link: https://www.theregister.co.uk/2025/08/18/hmrc_prying_staff_fired/
Freedom of Information (FOI) figures pried from His Majesty's Revenue & Customs (HMRC) and published by [1]The Telegraph reveal that between 2022 and 2025, a total of 354 staff were hauled up for data security breaches, and 186 of them were shown the door.
The cull has gathered pace too, with 50 employees booted out in the past year alone – proof that the real tax burden might be resisting the temptation to snoop on your neighbor's payslip.
The scale of the cull is striking for an organization that repeatedly insists breaches are rare. Officials point out that the total represents around 0.1 percent of HMRC's 68,000-strong workforce. Even so, that is little comfort for taxpayers who might expect the people handling their salary details and National Insurance numbers to be a touch more careful.
Some cases read more like a comedy sketch than a serious breach. One HMRC worker was shown the door after emailing himself a file containing names, National Insurance details, and salaries of 100 people so he could print it at home. At a tribunal, he argued that anxiety clouded his judgment. The judge disagreed and ruled the dismissal fair.
Managers have blamed the rise of home working for the jump in incidents. Since the pandemic, staff have been more likely to blur the lines between official data and personal devices. One senior figure admitted that problems had increased since COVID sent much of the workforce to the spare bedroom.
One HMRC manager quoted in the tribunal told staff in an email: "There have been more incidents of this recently as we are working from home a lot more since COVID, but never send anything to your own private email address to print off that contains any personal or business data."
It is not yet clear if the disciplinary data uncovered in this FOI request is connected to the June incident reported by [10]The Register, when fraudsters tricked their way into HMRC systems and accessed details of 100,000 taxpayers. That breach was said to have cost around £47 million in bogus rebates. We have asked HMRC to clarify whether the two are linked, but have yet to hear back.
The revelations come at a time when HMRC is already under fire for its wider use of data. [11]The department has been using AI tools to trawl through social media posts and is feeding financial information into its Connect system to issue automated warnings to potential tax dodgers. Officials stress that access to personal data is limited to criminal investigations and that there are safeguards in place, but critics warn the approach risks creating [12]Horizon-style scandals if errors creep in. The Register has asked HMRC to comment.
For an agency that prides itself on watching taxpayers, the bigger problem may be that too many of its own staff are watching the wrong things. ®
[1] https://www.telegraph.co.uk/money/tax/news/hmrc-sacks-dozens-staff-snooping-taxpayers/
[10] https://www.theregister.com/2025/06/05/hmrc_fraudsters_broke_into_100k/
[11] https://www.bbc.co.uk/news/articles/cqjyedz202ko
[12] https://www.theregister.com/2025/07/08/post_office_horizon_inquiry/
How Were They Caught ?
There is some consolation that these people were caught. Yet, how they were caught is not discussed.
I would have thought that any accessing of people's records would have to be based on an enquiry from the person themselves, or their employer, or part of an investigation. Surely the systems should have such a reference number for the aforementioned to be used to validate the access to the people's records.
Would it be too difficult for the underlying systems to check every access for the reference number and ensure it is relevant to the access, else flag it up as a rogue access and investigate?
Re: How Were They Caught ?
A properly designed system should at the very least have access logs - who looked at what and when. Security can then analyse for anomalies: if someone suddenly pulls far more records than usual, flag it. Their manager should be asked if there was a legitimate reason, then the employee interviewed if not. Outbound emails should be monitored too - attachments inspected, patterns of data exfiltration flagged.
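The two checks discussed in this thread (a case reference validated on every record access, and a flag when a user pulls far more records than usual), sketched as an added example that is not part of the original comments or of any HMRC system. The log layout, case references, record IDs and baseline figures are constructed assumptions.

```python
# Constructed sample data throughout; no real system, log format or identifiers.
# Each open case reference lists the taxpayer records it legitimately covers.
OPEN_CASES = {
    "ENQ-1001": {"TP-001"},
    "ENQ-1002": {"TP-002"},
    "INV-2001": {f"TP-{n:03d}" for n in range(10, 17)},  # bulk investigation
}
# Access log entries: (user, record accessed, case reference given or None).
ACCESS_LOG = [
    ("alice", "TP-001", "ENQ-1001"),
    ("bob", "TP-002", "ENQ-1002"),
    ("bob", "TP-009", None),
    ("carol", "TP-002", "ENQ-1001"),
    ("carol", "TP-004", "ENQ-9999"),
] + [("dave", f"TP-{n:03d}", "INV-2001") for n in range(10, 17)]
# Assumed typical number of distinct records each user opens per day.
BASELINE = {"alice": 2, "bob": 2, "carol": 2, "dave": 2}


def unjustified_accesses(log, cases):
    """Return accesses whose reference is missing, unknown, or covers another record."""
    flagged = []
    for user, record, ref in log:
        if ref is None:
            reason = "no reference"
        elif ref not in cases:
            reason = "unknown reference"
        elif record not in cases[ref]:
            reason = "reference does not cover record"
        else:
            continue
        flagged.append((user, record, reason))
    return flagged


def volume_outliers(log, baseline, factor=3):
    """Return users whose distinct-record count exceeds factor x their baseline."""
    seen = {}
    for user, record, _ref in log:
        seen.setdefault(user, set()).add(record)
    return sorted(u for u, recs in seen.items() if len(recs) > factor * baseline.get(u, 1))


if __name__ == "__main__":
    for hit in unjustified_accesses(ACCESS_LOG, OPEN_CASES):
        print("review:", hit)
    print("volume outliers:", volume_outliers(ACCESS_LOG, BASELINE))
```

In the sample, dave passes the reference check on every access yet is still flagged on volume, which is why the two checks are run together rather than either one alone.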
"helping themselves to taxpayer records"
"anxiety clouded his judgment"
Anxiety about what ? Finding out that some people earn more than you do ?
Welcome to the real world. Now go look for a job that pays better and where you do not have access to other people's data.
Good luck with that.
Re: "helping themselves to taxpayer records"
Anxiety about the scammers that were paying for the data, if banking and mobile provider call centers in India are anything to go by.
No criminal charges?
Double standards, I guess.
If I was to illegally help myself to somebody else's private data, the fuzz would bust down the door.
The software is older than the staff and they are leaderless
This all shows symptoms of the same thing that comes up on stories about HMRC technology or information handling (cyber security, invasive policies, retention, processing times...) all the time. HMRC lacks a clear grasp of its own processes, data ownership, and lifecycle management. Without fixing these fundamentals, they are stuck in a cycle of failures and incidents. This one is more about Data Governance and culture than strategy but still a symptom of the rudderless approach to information handling which has led to Fujitsu continuing to support code older than many of the staff.
Re: The software is older than the staff and they are leaderless
* Fushitesu
"Managers have blamed the rise of home working for the jump in incidents. Since the pandemic, staff have been more likely to blur the lines between official data and personal devices."
So that is a failure of:
1) IT Policy
2) Staff Management
3) HR
That has nothing to do with the concept of working from home. I don't know a company who give staff permission, or even the ability, to access work items from a personal device.
What's more, if we remember back to M&S in April, they felt it was fine to tell their staff to use personal devices to do work when they had no real idea how widespread their hack was.
I'm sure I'm preaching to the choir here, but IT has never been the problem. Piss poor management and HR have always been the issue, and the one issue that is never ever tackled.
Blurring the lines
Since the pandemic, staff have been more likely to blur the lines between official data and personal devices.
They are only following the example set by those at the top of government!
Blame
HMRC blaming home working for data breaches is gaslighting. Snooping can happen anywhere - in fact hot-desking in the office makes it easier for the wrong eyes to see data. The real push is about forcing staff back onto overpriced trains, into chain cafés, and into offices leased from private landlords. Government is using the public sector as ballast to prop up the high street and boost the profits of tax-shy multinationals.