HMRC cock-up pt4; The Final Insult

A week ago I called HMRC up to check how the mess was progressing, and got some interesting feedback.

  • There’s no mention on my file about the incident OR there is and they’re not allowed to tell me because it would be an ongoing investigation; options that were both described to me over the telephone. and a spectacular exercise in fruitless paranoia generation.
  • The cover-letter I included is probably now in a waiting list. This waiting list is currently 8 weeks long. Only at that point will my letter even be read.
  • The person whose information I received would have been notified right away.

Tonight I finally got around to giving the person in question a quick phonecall to let them know the documents had been returned. They had NOT been informed. In fact they’d had to take it upon themselves to call HMRC to inform them.

Understandable since getting my call out of the blue, you’d want to be damn sure.

I mentioned the 8-week reply time, and they mentioned they’d been told the same thing. In other words HMRC wouldn’t have informed them about the mistake for over two months! Because they hadn’t gotten to it in their pile of post, despite being informed about it directly!

THIS is why you should have a separate department for security issues; because letting someone know their personal information has been leaked to the world requires a faster response than 1/6th of a year!

A dedicated address or department for urgent security issues is obvious for even small companies, yet somehow it seems to elude the management of Her Majesty’s Revenue & Customs who by law deal with the critical personal information of every single citizen of the UK!

So, presuming it’s not all an insane elaborate ruse and the department actually think the first act of someone actually out to misuse someones personal information would be to inform both that person and the department itself, then I can expect the next edition of this exciting and mind-bogglingly inept adventure to occur sometime around mid-to-late April.

Don’t hold your breath. I fully expect the attached documents to have gone “astray” in their to-do pile by then.

Taxing security? Very. HMRC have cocked up big-time!

I don’t like tax return time. The language used in these documents makes my brain spasm. For instance, their phrasing of declared losses comes up as self-contradicting to me; a loss is something I loose.. but claiming for it is something I get? How can I be loosing something I’m getting??

Maybe it’s a dyslexic thing.

Now I’ve got it done though I’m kinda wishing I could do it again, or that it had a practice-run function so I could really rip on the interface. Why did I have to click through 4 pages just to save a copy? Did I really need to be alerted what the file type was, that it would save on the next page after hitting continue, and get an approximation of download time all on separate pages?

But anyway, I had a week off from it while waiting for a copy of last years return. There was a single figure on it I claimed for last year that I needed for this year.

Now I can understand it not being given out over the phone; it’s relatively easy to pretend to be someone else there. However the HMRC website is a secure connection (in theory) which displays your current tax information. The previous return is automatically removed from it after a year apparently, which alone seems moronic; because surely one year on is exactly when you’re going to want to check it. But the information is given out through it, so how come you can’t get the details through there..?

So question-authenticated phone is insecure.

The HTTPS secure website is not considered secure for this information once it’s a year old.

But bog standard 1st Class by Royal Mail is fine.

No signature, no monitoring in transit, no tracking. It could be opened, read, photocopied & I’d never know. It could vanish into the system and all I’d be able to do is request another copy and hope no one’s preparing to rape my ghost in the government machine.

This I could visualise, this was a definite unnecessary risk I had to swallow to get the magic (and aside from this return, utterly irrelevant) number. But as they say; the problem with making something foolproof is how ingenious fools are.

I received two copies of last years return.

So assuming there were only 2 copies sent, then all is fine, right? Well no. Aside from it raising the worrying issue that if a random number of copies are being sent, you can never be sure they’ve all arrived. And aside from the matter that the “copy” is actually a bunch of printed screen-grabs (including program tool-bar!) of it on the data-entry system, one of the copies IS NOT WHOLLY MINE.

One set is fine in that it does technically have the info I need if I squint and don’t mind half the text being light grey on a slightly darker grey background. The other, which has some empty fields the other doesn’t (yet is apparently from the same screen-grabbed program), also starts with the 2nd page being from an advisor’s working form for someone else.

It doesn’t have a document number, so I presume it’s automatically generated and a printer has cocked up at their office; interleaving the first input page of someone elses claim/statement information into my own print-out.

I’m annoyed on a few levels here. Primarily it’s one of security; because my information is removed from the secure site just when I need it, it opens up the possibility of exactly these sort of mistakes occurring. They have a better system which they have elected to actively disable when required.

(The other level is typographic; their internal system prints out a visually clear and informative table of information in laser-crisp black & white, but we plebs have to deal with a printer-cropped all-grey rastered-down bitmap for our use, the likes of which a 7 year old would be embarrassed to produce for their school homework).

And because of this I now had the Name, DOB, address, NI number, telephone number, place of employment, partners name and partners DOB, of a 22 year-old woman living near Manchester who was letting them know of her partners change in employment status.

There is ample information here for someone to steal her identity, and I see that as a direct result of a poorly managed & designed government system.

Of course I’m fairly sure this incident is a breach of data-protection laws, and as such I’m intending to phone the lady in question tomorrow and let her know in case she wants to take action against them. As soon as I figure out how to phrase the conversation without sounding like a scam-artist myself.