Tag Archives: HMRC

Cybercriminals are increasingly impersonating WHO and the UN

Research by British security software and hardware company Sophos found that coronavirus email scams tripled in the last week of March, and we can expect the volume to be increasing. Over 3% of global spam is related to coronavirus, with many of these fraudulent emails impersonating the World Health Organisation or even the United Nations.

Chester Wisniewski, Principal Research Scientist at Sophos, said:

“Cybercriminals are wasting no time in shifting their dirty, tried-and-true attack campaigns towards advantageous lures that prey on mounting virus fears. Criminals often dip a toe in the water when there is a new or sensational topic in the news.”

He detailed a case in which his company tracked an email pretending to come from a WHO address, purportedly giving health advice in an attachment. But after inspection, the text matched a previous spam campaign from “a familiar criminal.”

While most of these spam operations are used to get information from people, there are even more aggressive cybercriminals out there.

Threatening extortion campaigns are also being pursued. In these, messages over social media or email threaten to give the victim or the victim’s family coronavirus unless they pay up. With the amount of information online, and the procedures used to construct holistic user profiles based on miscellaneous knowledge, attackers can make it seem like they know everything about a victim just by giving a few details. This makes the attacker seem like they have the capacity to execute their threats, and inevitably, people end up being exploited.

Other more sophisticated scammers use HMRC or departmental logos and graphics to get information from consumers, offering spurious sums of money under the guise of lockdown or furlough relief. In the United States, there has been evidence of insurance scams, such as fake COVID-19 health insurance offered at competitive rates.

Scammers and con-artists are sensitive to the news cycle, trends and the current political or economic climate. They will often seem persuasive because what they claim will seem salient, despite the content having most likely been tweaked from a previous scam based on a different news item or trending phenomenon.

Do not let criminals make you take rash decisions over fear of current market turmoil.

If you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Harry Smithson, 10th April 2020

HMRC’s 28 days to delete unlawfully obtained biometric data

In a statement released on 3rd May, the Information Commissioner’s Office reiterated their decision to issue HMRC a preliminary enforcement notice in early April. This initial notice was based on an investigation conducted by the ICO after a complaint from Big Brother Watch concerning HMRC’s Voice ID service on a number of the department’s helplines since January 2017.

HMRC did not give customers sufficient information

The voice authentication for customer verification uses a type of biometric data considered special category information under the GDPR, and is therefore subject to stricter conditions. ICO’s investigation found that HMRC did “not give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent.” HMRC was therefore in breach of GDPR.

The preliminary enforcement notice issued by the ICO on April 4th stated that HMRC must delete all data within the Voice ID system for which the department was never given explicit consent to have or use. According to Big Brother Watch, this data amounted to approximately five million records of customers’ voices. These records would have been obtained on HMRC’s helplines, but due to poor data security policy for the Voice ID system, the customers had no means of explicitly consenting to HMRC’s processing of this data.

Steve Wood, Deputy Commissioner at the ICO, stated, “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.”

The final enforcement notice is expected 10th May. This will give HMRC a twenty-eight-day timeframe to complete the deletion of this large compilation of biometric data.

The director of Big Brother Watch, Silkie Carlo, was encouraged by the ICO’s actions:

“To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”

 Harry Smithson, May 2019. 

HMRC’s 28 days to delete unlawfully obtained biometric data

Leave a reply

In a statement released on 3rd May, the Information Commissioner’s Office reiterated their decision to issue HMRC a preliminary enforcement notice in early April. This initial notice was based on an investigation conducted by the ICO after a complaint from Big Brother Watch concerning HMRC’s Voice ID service on a number of the department’s helplines since January 2017.

blurred-background-cellphone-cellular-1426939

The voice authentication for customer verification uses a type of biometric data considered special category information under the GDPR, and is therefore subject to stricter conditions. ICO’s investigation found that HMRC did “not give customers sufficient information about how their biometric data would be processed and failed to give them the chance to give or withhold consent.” HMRC was therefore in breach of GDPR.

The preliminary enforcement notice issued by the ICO on April 4th stated that HMRC must delete all data within the Voice ID system for which the department was never given explicit consent to have or use. According to Big Brother Watch, this data amounted to approximately five million records of customers’ voices. These records would have been obtained on HMRC’s helplines, but due to poor data security policy for the Voice ID system, the customers had no means of explicitly consenting to HMRC’s processing of this data.

Steve Wood, Deputy Commissioner at the ICO, stated, “We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service.”

The final enforcement notice is expected 10th May. This will give HMRC a twenty-eight-day timeframe to complete the deletion of this large compilation of biometric data.

The director of Big Brother Watch, Silkie Carlo, was encouraged by the ICO’s actions:

“To our knowledge, this is the biggest ever deletion of biometric IDs from a state-held database. This sets a vital precedent for biometrics collection and the database state, showing that campaigners and the ICO have real teeth and no government department is above the law.”

 Harry Smithson, May 2019.