UK Two-Tier Tax Security System

Poor security for everyone except the rich and powerful:

The security of the online computer system used by more than three million people to file tax returns is in doubt after HM Revenue and Customs admitted it was not secure enough to be used by MPs, celebrities and the Royal Family.

Thousands of “high profile” people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk.

Posted on February 5, 2008 at 2:38 PM • 32 Comments


Someone February 5, 2008 3:25 PM

It’s common practice in IT to flag “sensitive persons”, such that access to their records is not available to the junior civil servants (read: call centre operators) who deal with everybody else.

This is not daft.

I believe it is also common practice to block or limit electronic interchange of records with third parties they normally deal with, such as local councils and so forth, said organisations having to fall back to phone, fax and postal routes.

I strongly suspect that all we are seeing is another application of the same.

Mike Scott February 5, 2008 4:27 PM

Yes, “Someone” is quite correct. The problem is not with the security of the online systems, but that they’ve not been interfaced with the “restricted” section of the main database where particularly sensitive records are held to stop junior employees from leaking them to the press, or whatever. It actually seems perfectly reasonable.

Frank Ch. Eigler February 5, 2008 4:38 PM

Poor security for everyone except the rich and powerful

For a second there, I thought you were going to talk about how anti-gun celebrities often have armed bodyguards.

Andy Dingley February 5, 2008 5:30 PM

According to recent reports (BBC radio) there’s no security aspect to this at all. Some records are sensitive, and have distinctive numbers to indicate this (sic). The on-line system simply doesn’t handle these other accounts, nor is there sufficient reason to immediately extend it to do so. Neither does the system allow people with complex tax affairs (for several forms of “complex”) to file on-line. It’s just a question of features not being implemented, not a deliberate exclusion because of security.

dragonfrog February 5, 2008 5:57 PM

@ Frank Ch. Eigler

I’m kind of curious how much more or less secure it makes a person to have armed bodyguards around them – how likely are they to be shot by their bodyguards, accidentally or on purpose, vs. how much the bodyguards reduce their risk of being shot by someone else.

This is by logical analogy with having guns in the house for self-defense (i.e. not stored as one stores hunting or target guns, with trigger locks and ammunition kept separately). My impression has been, that increases the likelihood of someone in the household being shot, whether in passion or just being mistaken for an intruder.

Joe Buck February 5, 2008 5:59 PM

I had a friend who worked for a credit card company in the late 80s; she and her colleagues had access to the details of customers’ accounts, since it was their job to take customer queries about bills and such. She was disgusted by the behavior of some of her colleagues, who seemed to spend every spare minute looking up celebrities and gossiping about the results (internal security’s been improved since those days).

But the right approach is not to put “sensitive persons” in a special category, but tracking every lookup by who did it and what the justification is for doing the search.

Mike Laird February 5, 2008 6:27 PM

It’s interesting that 3 of the first 5 postings reacted with the notion “of course, the rich and famous should get special treatment”. If it is illegal to divulge information about one person’s tax status, they should all be treated the same. Isn’t that equal protection, and equal application of the law? A need-to-know system among the customer service staff and tracking of every lookup is the way to provide better security, and it provides equal protection to all citizens.

gopi February 5, 2008 6:39 PM

@Mike Laird:

I think the argument is not that the rich and famous deserve special treatment automatically, but rather that they face risks that non-famous people do not face.

The big problem I see with this situation is that there are many reasons that non-famous people’s details could be pulled up inappropriately. Legal disputes come to mind, as well as nosy neighbors or acquaintances.

The reason that they are securing these details, IMHO, is because it’s more likely to get them an embarrassing news story when a famous person’s tax details get leaked than when a tax office person looks up their neighbor’s income. Also, keeping high profile details off the main list is much easier to do than actually setting up proper audit trails for accesses.

marek February 5, 2008 6:50 PM

@Mike Laird
No, it’s not because they are rich and famous, it is because the risk model is different. There are two factors which need to be balanced:

  • some people’s records are more attractive to illicit snoopers, and that correlates strongly with fame (but may also include, for example, people in witness protection schemes). Being rich is not, in itself, a relevant factor.
  • there is a cost in providing greater protection to an individual’s record, experienced by the individual concerned as inconvenience.

For somebody at high risk of attracting snoopers and finding their personal information widely published, it makes sense to accept the inconvenience of the greater protection. For the rest of us, where the risk is lower, it makes sense to prefer the relative ease of access.

Take an analogy. The police provide armed protection at public expense to public figures judged to be at particular risk of attack by lunatics and terrorists. Their risk of attack drops to almost zero. But their normal lives are constrained – they can’t casually move around, they can’t decide what to do on a whim, and so on.

I not only have no need of that protection, I don’t want it – the personal convenience is of greater value to me than any marginal improvement in personal security. And for society – and taxpayers – at large, it certainly does not follow that just because it makes sense to offer protection to some people, it makes sense to offer equal protection to everybody.

So, no scandal, no underlying unfairness, but a very sensible application of risk management.

Fuzzy February 5, 2008 10:57 PM

Either the civil servants are trustworthy or they are not. If they are not trustworthy, they should not be provided access to any individual’s records. If they are trustworthy, they can handle “sensitive records”.

@Andy Dingley
I consider my records to be sensitive. In fact, I consider every individual’s records to be sensitive. The lack of understanding of this basic concept is what leads to things like the loss of compact disks or laptops with tax records or national insurance numbers for thousands or millions. Every record should be treated as sensitive.

A particularly dangerous category of legal dispute is the battered spouse who is seeking to escape their abuser. I believe this is likely to be a much larger percentage of the population than celebrities.

I agree with Mike Laird and Joe Buck that the answer is not special service for a few but better security for all.

Fuzzy February 5, 2008 11:00 PM

People in witness protection are exactly the people who should not be given special service. Special services make people stand out. People who stand out will be noticed, and people in witness protection should be trying to avoid notice.

Guy February 6, 2008 2:19 AM

HMRC have always treated some ‘special’ people differently, even in the old paper system. The indication seems to be that it’s not the bit between you and the online front end that is insecure, but the whole system used to handle standard returns behind it.

supersnail February 6, 2008 4:55 AM

I have often wondered how easy it would be to file a false tax return for someone you dislike.

I mean just log into the IR website, fill in name, address, national security number of your ex-Boss, then tick all the boxes for “do you have a bank account held abroad” and fill in big numbers for assets held etc.

This would have the added benefit of wasting a lot of tax inspectors’ time too.

Dave February 6, 2008 7:58 AM


“a UK citizen has already died as a result of the UK government’s abysmal privacy policies”

No it’s not because of “abysmal privacy policies” but the actions of an individual abusing their position of trust to provide information to another party.

Supersnail: it’s a bit harder than that to file a tax return electronically in the UK – you need their UTR number (Unique Taxpayer Reference), their User ID and password for the Self Assessment site – none of these are public knowledge (unless of course they were part of the records lost last year...)


Anonymous February 6, 2008 8:07 AM

Whenever I’ve worked for an insurance company or bank, we’ve had this extra layer of protection on the records of people who might be looked up out of idle curiosity (celebrities and other employees). Regular call center employees just can’t look at those records; you had to get a supervisor. This applied to both computer and hardcopy records. This is reasonable.

However, the article seems to describe something different. Instead of extra protection because of the different risk model, it seems to be saying that average people do not get reasonable basic security. This seems unacceptable to me.

paul February 6, 2008 9:00 AM

Fuzzy has an important point here. Unless there’s adequate (read “bulletproof”) security in general, the restricted accounts stand out like sore thumbs. And if there isn’t good auditing, anyone can do a series of probes to find out whose accounts are restricted. Which is pretty much an ideal target list.
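The design Joe Buck, Mike Laird and paul converge on (every lookup tied to an operator and a justification, audited, with restricted records not distinguishable from non-existent ones so that probing yields no target list) is sketched below as an added example; it is not code from HMRC or from the original post, and the records, roles and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample records; UTRs, names and flags are made up.
RECORDS = {
    "UTR-0001": {"name": "A. Taxpayer", "sensitive": False},
    "UTR-0002": {"name": "B. Public-Figure", "sensitive": True},
    "UTR-0003": {"name": "C. Witness", "sensitive": True},
}


@dataclass
class AuditLog:
    """Append-only record of every lookup attempt, successful or not."""
    entries: list = field(default_factory=list)

    def record(self, operator, utr, case_ref, outcome):
        self.entries.append({"operator": operator, "utr": utr,
                             "case_ref": case_ref, "outcome": outcome})


def lookup(operator, utr, case_ref, role, log):
    """Look up a record on behalf of an operator.

    Every attempt is logged before anything is returned.  A lookup with
    no case reference (justification) is refused for every record.  A
    record the operator's role may not see produces the same NOT_FOUND
    result as a record that does not exist, so an operator cannot tell
    'restricted' from 'absent' and cannot enumerate the protected set.
    """
    if not case_ref:
        log.record(operator, utr, case_ref, "REFUSED_NO_JUSTIFICATION")
        return None
    rec = RECORDS.get(utr)
    if rec is None or (rec["sensitive"] and role != "supervisor"):
        log.record(operator, utr, case_ref, "NOT_FOUND")
        return None
    log.record(operator, utr, case_ref, "OK")
    return rec


def suspicious_operators(log, threshold=3):
    """Detection over the audit log: flag operators with at least
    `threshold` failed lookups, or who reuse one case reference across
    at least `threshold` distinct UTRs (a sign of browsing, not casework)."""
    misses = Counter()
    utrs_per_case = defaultdict(set)
    for e in log.entries:
        if e["outcome"] != "OK":
            misses[e["operator"]] += 1
        utrs_per_case[(e["operator"], e["case_ref"])].add(e["utr"])
    flagged = {op for op, n in misses.items() if n >= threshold}
    flagged |= {op for (op, _), s in utrs_per_case.items() if len(s) >= threshold}
    return flagged
```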

wm February 6, 2008 10:25 AM

The UK government had the same sort of idea for their national child database a year or so ago, IIRC.

I don’t know what the status of that project is now, but they were planning a database containing everything about every child in the country — health records, police records, school records, all in one universal database. And the way I read it, the police would be able to see the health records, etc…

When asked about the security of such a scary database, government ministers assured us it would be completely secure… except that of course “important” people’s children (like, um, their own) would get a higher-security version of the database than everyone else…

Required disclaimer:
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.

wm February 6, 2008 10:39 AM

@dragonfrog: “I’m kind of curious how much more or less secure it makes a person to have armed bodyguards around them – how likely are they to be shot by their bodyguards, accidentally or on purpose, vs. how much the bodyguards reduce their risk of being shot by someone else.”

There was a New Scientist article about this subject a while ago…–for-sites-where-safety-is-critical-.html

In summary (it’s a fairly long article), there’s an optimum number of bodyguards, which (depending on what assumptions you make) could be as little as two or three.

It also suggests you get even better protection by having a large number of unarmed (and hence not dangerous if they go bad) bodyguards controlling the perimeter, with a small number of well-armed guards in close to take out anyone making it through the perimeter guards (or the perimeter guards themselves, if necessary).

Required disclaimer:
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.

bob February 6, 2008 11:28 AM

In a legitimate government everyone would be treated as equal just because its the right thing to do; stated right there in the US Declaration of Independence/treasure map (for those people who get their science from TV).

It seems to me that my little unimportant life would be just as devastated by someone stealing $50,000 from me in the form of fraud (called “ID theft”) as Bruce Willis (just picking a famous person at random) would be if someone stole $5,000,000 (or whatever would be a big number to him).

Furthermore, it’s going to be easier for a bank teller to determine that you are NOT Bruce Willis than it would be for them to determine that you are not bob.

Finally, it will be easier for Bruce Willis to get this fixed than it will be for me; banks will cut him slack and hop when he calls and says “I didn’t buy this yacht” than when I call and say “I didn’t buy that Honda Accord”.

These things would make me MORE in need of the protection of the government (which gets to feed in the trough of my money even before I do) not less.

dragonfrog February 6, 2008 1:28 PM

@ wm – thanks for posting that link, I’ll be reading that when I have some time in the next evening or two.

Normal Stranger February 6, 2008 4:17 PM

The risk pattern of celebrities and other famous individuals isn’t different than the risk pattern of your common citizen. It’s just that their names are more well known. Because you happen to know their names you think their lives are more fraught with danger. If you actually sat down and abstracted away specific names you would build a model that would fit for any individual you cared to apply it.

The privacy of a commoner is just as interesting to a particular set of people who know that commoner as the private life of some famous person.

Fundamentally the privacy/information problem is being viewed from the wrong end. It shouldn’t be examined from the perspective of the victims but from the perspective of probable perpetrators. For any given perpetrator you can make a list of potential victims and it will include the famous (rock-stars, politicians, playboy playmates) and the non-famous (neighbors, coworkers, ex-girlfriends/ex-boyfriends.) Ninety-nine percent of the probable perps will of course be employees of the tax gathering institution. So the problem should be solved from the perspective of controlling those 99% and you’ve eliminated the problem for all intents and purposes.

Creating a protected version of the tax system doesn’t solve the privacy problem because you’re only eliminating the violation of a few hundred or thousand people, while letting the violations continue against millions.

wm February 7, 2008 10:16 AM

@those commenters saying that famous people have a greater risk, and so greater protection for such people is correct:

I’m not sure I agree with that argument.

It seems to be saying that the security system on the database storing “ordinary” people’s records is inadequate to prevent even the most casual unauthorised access — namely, employees looking for a bit of gossip.

If the system isn’t up to stopping such minimally-motivated attacks, it certainly isn’t going to be capable of stopping an attack motivated by real financial gain, which is what access to these sort of details permits (via identity-based fraud). (An employee might access the details to use fraudulently themselves, or because they’re being bribed to get details for someone else — either way, there is a clear financial motive for unauthorised access by employees.)

Conversely, if the system is capable of stopping such financially-motivated unauthorised access, it will also be more than adequate to stop nosiness-motivated unauthorised access, and the “ordinary” level of security will be sufficient even for famous people.

Required disclaimer:
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.

past hmrc employee February 7, 2008 10:33 AM

There is security in place at HMRC to prevent employees accessing their own records and those of closely related individuals – and it’s enforced quite strikingly. There are also protocols in place with regards to employees dealing with cases where there is or could be perceived to be a personal connection. But none of that is related to online filing, which is an automated process not involving processing clerks.

As other people have said above, it’s not that the online process is insecure, only that high-risk records are kept separate from the others.

The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of HMRC or anyone else

JohnJ February 8, 2008 7:51 AM

I think bob has the right idea, which wm also expressed in his/her Feb 7 post. Essentially all people share the same risk: Exposure of PII and reputation/credit/legal abuse based on fraudulent use of the information.

The motivation behind the risk is different but the risk itself is the same.

For celebrities, their PII can be used for reputation harm. The potential fraudsters include tabloid journalists and people with a grudge against the celebrity. For the ‘commoners’, the main use of PII would be fraud/ID theft/spying on the neighbors.

Fuzzy put it best: “the answer is not special service for a few but better security for all.”

Watching Them, Watching Us February 10, 2008 10:10 AM

The internet front end Government Gateway, used by HMRC to file tax returns over the web, is adequately secure for both the VIPs and the rest of the public – there is even the option of a web browser client side Digital Certificate for SSLv3 / TLS v1 mutual authentication.

It is the HMRC back end systems which are the problem.

The mechanism for flagging the supposed VIPs’ tax returns is flawed – they have an extra digit on their tax code, which is what makes them unable to file online at the moment, and which alerts internal attackers to something potentially juicy, when they spot the paperwork or the electronic records bumbling around the HMRC back office and internal postal and courier systems or electronic networks.

Nocturn February 11, 2008 4:32 AM

“It’s common practice in IT to flag “sensitive persons”, such that access to their records is not available to the junior civil servants (read: call centre operators) who deal with everybody else.

This is not daft.”

Yes it is! I see no reason why ordinary citizens should not get the same amount of security and privacy that those celebrities do… If they need to limit access to records, why not limit it for everyone?
