The Mail on Sunday reported:
Hackers steal £1m in online tax scam
By Stephen Condron and Christopher Leake
Last updated at 9:11 AM on 13th September 2009
Police are investigating how criminals managed to steal £1million from the taxman by accessing a Government computer system and granting themselves rebates.
The thieves filed returns online using the passwords of genuine self-assessment taxpayers - then diverted the money to bogus accounts.
The sting prompted concern yesterday that the fraudsters may have obtained the passwords from one of the many Whitehall laptops stolen over the past few years.
And it is expected to lead to renewed criticism of the Government for making it difficult for people to make their tax returns on paper. So far, six million people have been persuaded to switch to filing them online.
Except, of course, for the secret categories of people, whose Tax Returns are singled out for "special" handling.
See our long running Freedom of Information Act request: HMRC tax record special categories
The system penetrated by the thieves, the Government Gateway, was set up at a cost of £18million as part of Tony Blair's vision for services to be administered electronically. It allows users to fill in forms online for anything from paying parking tickets to claiming child tax credit.
The thieves are understood to have diverted the money to bank accounts set up fraudulently using the names of the password holders.
Scotland Yard's specialist e-crime unit, which arrested a man last week in connection with the case, is investigating whether the fraudsters used sophisticated software to find a weakness in Gateway or whether they targeted the computers of the people whose identities they stole.
The Police, not HMRC, should also be investigating possible HMRC insider staff collusion or corruption.
The Government Gateway also prints out authentication credentials on special "security" stationery, like that used for credit card PINs, which is supposed to make it difficult to read the contents without opening the envelope, and sends them to your registered address via conventional paper postal mail.
Has this aspect of this massive security breach been investigated?
Last November, The Mail on Sunday revealed how Ministers were forced to order an emergency shutdown of Gateway after a computer memory stick was found in a pub car park.
Officers are investigating whether this could have played a part in the latest breach, as the computer stick contained passcodes to the system.
[...]
Last October, the Information Commissioner revealed there had been 277 data breaches since the loss of 25million child benefit records was disclosed in November 2007.
HMRC has taken the attack on its system so seriously that it has provided a template for a letter accountants can send to clients to apologise and reassure them that their tax affairs will not be affected.
A 32-year-old man was arrested on September 3 and bailed to return to Bethnal Green police station in East London on December 3.
A Scotland Yard spokesman said last night: 'The investigation into what is suspected to be more than £1million of fraud began in June after HMRC detected an e-crime attack on their system.'
An HMRC spokesman refused to comment on the case but said: 'In common with all commercial financial organisations, criminals try to steal from us. HMRC is determined to bring to justice anyone responsible for trying to obtain fraudulent self-assessment repayments.'
That HMRC statement does not appear on their public website - www.hmrc.gov.uk
Where is the assurance that it is now safe and secure to file your income tax self assessment forms online?
There needs to be a public statement by the Minister responsible, i.e. by Chancellor of the Exchequer Alistair Darling.
It is no good making the usual sort of meaningless "we are taking this Extremely Seriously" type of statement, given the department's appalling record of data security mismanagement, and the suspicion bordering on hatred, which many people now have for this Government.
If the security vulnerabilities have not already been dealt with, and independently tested, then Alistair Darling should resign, and the senior civil servants at Her Majesty's Revenue and Customs should be sacked.
If everything has been sorted out properly, then why not say so immediately, with proof that the appropriate actions have been taken?
As you rightly imply, we can have absolutely no trust in this bunch of incompetents. Nevertheless they have the power to force us to use their leaky system. I will be waiting until the last possible moment.
Reminder to self, get paper tax return done very soon!
Alan Mather has some insights into this possible fraud - he used to be in charge of the Government Gateway project
http://blog.diverdiver.com/2009/09/hackers-steal-1m-in-online-tax-scam.html
see also
Ken Frost
http://hmrcisshite.blogspot.com/2009/09/hackers-steal-1m-from-hmrc.html