HMRC cock-up pt4; The Final Insult

A week ago I called HMRC up to check how the mess was progressing, and got some interesting feedback.

  • There’s no mention on my file about the incident OR there is and they’re not allowed to tell me because it would be an ongoing investigation; options that were both described to me over the telephone. and a spectacular exercise in fruitless paranoia generation.
  • The cover-letter I included is probably now in a waiting list. This waiting list is currently 8 weeks long. Only at that point will my letter even be read.
  • The person whose information I received would have been notified right away.

Tonight I finally got around to giving the person in question a quick phonecall to let them know the documents had been returned. They had NOT been informed. In fact they’d had to take it upon themselves to call HMRC to inform them.

Understandable since getting my call out of the blue, you’d want to be damn sure.

I mentioned the 8-week reply time, and they mentioned they’d been told the same thing. In other words HMRC wouldn’t have informed them about the mistake for over two months! Because they hadn’t gotten to it in their pile of post, despite being informed about it directly!

THIS is why you should have a separate department for security issues; because letting someone know their personal information has been leaked to the world requires a faster response than 1/6th of a year!

A dedicated address or department for urgent security issues is obvious for even small companies, yet somehow it seems to elude the management of Her Majesty’s Revenue & Customs who by law deal with the critical personal information of every single citizen of the UK!

So, presuming it’s not all an insane elaborate ruse and the department actually think the first act of someone actually out to misuse someones personal information would be to inform both that person and the department itself, then I can expect the next edition of this exciting and mind-bogglingly inept adventure to occur sometime around mid-to-late April.

Don’t hold your breath. I fully expect the attached documents to have gone “astray” in their to-do pile by then.

HMRC Cock-up Pt3.

Docs went off by signed-for post as intended today, recorded photographically at every step. Thought I’d share the cover-letter I included..

Dear Sir or Madam,

Further to my phone call on January 24th, please find enclosed the offending documents as requested, including original cover-letter.

Note that interleaved as page 2 of the copy of the 2008/09 Tax Return is the page of personal information belonging to XXXXXXXX of XXXXXX, and not myself.

I am aware that this is a serious issue and breaks the UK’s data protection laws, and I am fittingly disturbed that enough information to readily steal someone’s identity could be accidentally released to a 3rd party in such a way.

I am also likewise disturbed that this extra page of information was included in a second needless copy of my requested 2008/09 Self Assessment Tax Return.

When a single figure from it was requested, I understand that information could not be divulged by telephone, but it is incomprehensible to me that it could not be provided through the secure website where it is apparently located for exactly one year after it’s submission before being removed. As the tax returns occur at the same time every year, removing it exactly when it is most likely to require checking seems at best spectacularly unhelpful.

This was thrown further into stark contrast to the actual method by which I could receive it; unregistered and untracked 1st class post, in a poorly sealed budget envelope that arrived with holes already torn from its travels.

You might argue that if it were to be intercepted I would know something had happened to it since it did not arrive and could thus take precautions. But even if that faint shadow of security is acceptable, the logic only works if a known number of the documents are being sent. IE; If I request one copy and five are sent, I do not know anything is wrong if only the single copy I actually requested arrives in my hands.

Can you guarantee to me that these two copies were the only two copies dispatched? Or have more copies I do not know about perhaps been lost in the post? Has my own information been handed over to a 3rd party as XXXXXXXX’s has been to me?

Furthermore I am concerned with the instructions I was given on relaying this leak to the telephone advisor; Simply placing the information back into the same envelope in which it was sent to me and re-posting it back to HMRC. This seems a poor option for several reasons;

  1. The envelope is already used, damaged, post-marked and labelled with an existing post-routing sticker. All these I suspect would conspire to reduce it’s chances of correctly making it back through the postal system to you.
  2. Without a covering letter and addressed to HMRC as a whole, it occurs that it could be easily overlooked in postal-sorting, and simply trigger yet another copy to be dispatched to me under the impression it was a failed delivery and possibly lead to the destruction of the evidence. And additionally it could imply that my address was no longer correct.
  3. The documents enclosed as I understand it are evidence of a crime, and to further suggest that it simply be dropped back into the post under the same conditions in which it arrived seems bordering on negligent.
  4. Though I suspect a note has been made on my file, I was not given any form of call or reference number. Though I will admit I did not ask about one, again it seems odd one was not offered.

I am taking it upon myself to include this covering-letter to explain both the situation and the number of incidents that have occurred along the path to resolving it. It is my hope that this will expedite the investigation and lead in some small way to improving the handling of our citizens information, as well as make plain my own displeasure at the actions and reaction of HMRC so far.

Additionally I hope you will note that this has been sent via 1st Class Signed-For, to ensure its receipt.

As a less important but still irritating side-note, I would recommend you consult an IT professional. Either for additional training or additional features in your data-entry software, as I do not know if it is because of a feature your software currently lacks, or that your staff simply do not use it correctly, but the copies I received were of terribly unprofessional quality.

Speaking as someone with some history in graphic-design and IT, it distresses me that only the document pages I was not meant to receive were printed in perfectly clear black and white (showing the information in an explicitly legible font, arranged in efficiently used tables) whereas the information I actually requested was in the form of a series of bitmap screen-grabs (images not only including the programs tool-bar, but wasting several pages on blank space and unused tables, as well as poorly legible mono-space fonts that were sometimes further compounded by being light-grey on a white background). You patently have the capacity for legible print-copies, but it implies they are only considered necessary for internal use.

To someone with worse reading difficulties than mine, I expect these prints would be near-illegible.

From the layout of the images sent, you seem to be using Microsoft Access (in itself, implicitly revealing the software, and suggesting additional modes of attack to those looking for security holes).

It would not take a database professional more than three days, working with the limited set of data found in a tax return, to produce a query table which would omit unfilled entries from a print-out and arrange them in a clear and concise form which would produce a visually clear and source-anonymised document.

The amount of information in my copy could have been reduced to a single double-sided sheet of A4 rather than the fourteen single-sided sheets I was sent, eight of which contained no information.

It is also worth noting that perhaps if this was done it would be vastly less likely that a page of someone’s information would be lost within the many surplus pages of another’s.

I eagerly look forward to your reply on all matters addressed, as well as the future results of the investigation I have unwillingly been made a part of.

Most sincerely,

Peter William Turpin

HMRC Security cock-up Pt2

Today I finally got around to calling HMRC back. It’s been a frustrating and rushed week with my insurance renewel and some family matters that’s put it off ’til now.

At the suggestion of several friends I called up HMRC rather than the lady whose details they’ve sent me. After 10-15 minutes on hold I got to speak to an advisor, who rapidly put me on hold again when I told them what the problem was. They came back on sounding scared, like they didn’t want to get any more of this on themselves than they could avoid. Perhaps it was my mention that I knew this violated data-protection laws?

They took some of my details, and the details on the incorrect paperwork. Then I was told I had to send it back to them so there could be an investigation.

All well and good? Well, no. The next bit went something like;

Them: “Do you still have the envelope it came in?”

Me: “Yes?”

Them: “Okay, just put it back in there and post it back to us.”

First, the envelope in question is a generic brown windowed envelope, which if I simply replace the documents in will display my address, and possibly be returned back to me again. It is also a used budget-end envelope, with the associated creases and tears from one trip, as well as an existing electronic routing stamp which I worry might furthur confuse it’s transit through the postal system.

Most importantly though, the address I was told to send it to was simply “HMRC” at The Triad in Bootle. No cover-letter, no special department. Just mine and someone elses information being tossed back to them with no reference or alert that it is actually the solitary evidence of their criminal cock-up.

Don’t letters returned to sender as-is usually get binned, or get marked as having been sent to invalid addresses? And with no tracking there’s nothing to stop this sole evidence simply disappearing the moment it’s in the post box.

They assured me the lady in question would be notified of the cock-up, they said, since her information is at risk here. Well let’s be sure of that.

Underwhelmed by their reaction, I called the lady concerned myself anyway to let her know. She fortunately seemed pretty up to speed on these sort of things, and I left her my email and mobile number to contact me on if they do or don’t contact her themselves. I also explained what my own course of action will be;

1) I will photograph the evidence

2) I will photograph my placing it in a new envelope with cover-letter

3) I will send it back to HMRC tomorrow by 1st Class Signed for so I can be sure of it’s receipt.

I will document it at each of these stages, and hopefully this will go a long way to preventing it from being conveniently lost or overlooked.

Will HMRC do things by the book when the proof is most definitely back in their hands? Stay tuned to find out!

Taxing security? Very. HMRC have cocked up big-time!

I don’t like tax return time. The language used in these documents makes my brain spasm. For instance, their phrasing of declared losses comes up as self-contradicting to me; a loss is something I loose.. but claiming for it is something I get? How can I be loosing something I’m getting??

Maybe it’s a dyslexic thing.

Now I’ve got it done though I’m kinda wishing I could do it again, or that it had a practice-run function so I could really rip on the interface. Why did I have to click through 4 pages just to save a copy? Did I really need to be alerted what the file type was, that it would save on the next page after hitting continue, and get an approximation of download time all on separate pages?

But anyway, I had a week off from it while waiting for a copy of last years return. There was a single figure on it I claimed for last year that I needed for this year.

Now I can understand it not being given out over the phone; it’s relatively easy to pretend to be someone else there. However the HMRC website is a secure connection (in theory) which displays your current tax information. The previous return is automatically removed from it after a year apparently, which alone seems moronic; because surely one year on is exactly when you’re going to want to check it. But the information is given out through it, so how come you can’t get the details through there..?

So question-authenticated phone is insecure.

The HTTPS secure website is not considered secure for this information once it’s a year old.

But bog standard 1st Class by Royal Mail is fine.

No signature, no monitoring in transit, no tracking. It could be opened, read, photocopied & I’d never know. It could vanish into the system and all I’d be able to do is request another copy and hope no one’s preparing to rape my ghost in the government machine.

This I could visualise, this was a definite unnecessary risk I had to swallow to get the magic (and aside from this return, utterly irrelevant) number. But as they say; the problem with making something foolproof is how ingenious fools are.

I received two copies of last years return.

So assuming there were only 2 copies sent, then all is fine, right? Well no. Aside from it raising the worrying issue that if a random number of copies are being sent, you can never be sure they’ve all arrived. And aside from the matter that the “copy” is actually a bunch of printed screen-grabs (including program tool-bar!) of it on the data-entry system, one of the copies IS NOT WHOLLY MINE.

One set is fine in that it does technically have the info I need if I squint and don’t mind half the text being light grey on a slightly darker grey background. The other, which has some empty fields the other doesn’t (yet is apparently from the same screen-grabbed program), also starts with the 2nd page being from an advisor’s working form for someone else.

It doesn’t have a document number, so I presume it’s automatically generated and a printer has cocked up at their office; interleaving the first input page of someone elses claim/statement information into my own print-out.

I’m annoyed on a few levels here. Primarily it’s one of security; because my information is removed from the secure site just when I need it, it opens up the possibility of exactly these sort of mistakes occurring. They have a better system which they have elected to actively disable when required.

(The other level is typographic; their internal system prints out a visually clear and informative table of information in laser-crisp black & white, but we plebs have to deal with a printer-cropped all-grey rastered-down bitmap for our use, the likes of which a 7 year old would be embarrassed to produce for their school homework).

And because of this I now had the Name, DOB, address, NI number, telephone number, place of employment, partners name and partners DOB, of a 22 year-old woman living near Manchester who was letting them know of her partners change in employment status.

There is ample information here for someone to steal her identity, and I see that as a direct result of a poorly managed & designed government system.

Of course I’m fairly sure this incident is a breach of data-protection laws, and as such I’m intending to phone the lady in question tomorrow and let her know in case she wants to take action against them. As soon as I figure out how to phrase the conversation without sounding like a scam-artist myself.