TaxAdministrationTaxman’s cookie crumbles

Taxman's cookie crumbles

The Inland Revenue has admitted that the security flaw which led to its online tax-filing site exposing users' confidential details could affect other government services.

The initial problem with the online self-assessment site has now been fixed, after the service was withdrawn on 27 May.

But a Revenue spokesman told Accountancy Age that other departments using the government gateway may also be exposed.

‘We are in discussion with other government offices where we believe it could affect them, although it would not affect many,’ he said.

The exact cause of the problem is still unclear, although the Revenue is blaming a configuration problem with one unnamed internet service provider used by visitors to the site. ‘The way in which the session cookie identifying (an account-identifying device) the user was managed meant that it could, in certain rare circumstances, be presented to another user,’ the Revenue said in a statement last week.

Further details came from the government’s e-envoy, Andrew Pinder, who told the public accounts committee last month that an obscure ‘technical standard’ had been the culprit.

‘There were technical problems with the way the ISP interacted with the system run by the Inland Revenue,’ Pinder told the committee.

‘It was a technical standard we were not aware of. The Inland Revenue will be making other government departments aware of the quirk.’

It is not clear whether the problem is a peculiar combination of the ISP’s configuration and Government Gateway security, as the Revenue said it was unable to make any more details public.

The Revenue did confirm that its own IT supplier EDS and EzGov, which produced the online tax form, are not in any way responsible for the security flaw.

Only 13 people have so far confirmed seeing other users’ details on the self-assessment online site, but an examination of the site’s logs revealed that up to 665 users could have been compromised.

‘Although it is unlikely that their information was seen by anyone else, we cannot completely eliminate the possibility,’ said the statement.

‘We are writing to all those who may have been affected to apologise and explain what we are doing. We very much regret this incident.’

The site has now been checked by independent internet security experts, according to the Revenue.

Related Articles

HMRC appeal rejected in Tottenham Hotspur case

Administration HMRC appeal rejected in Tottenham Hotspur case

2w Emma Smith, Managing Editor
HMRC issues updated Trusts Registration Service guidance

Administration HMRC issues updated Trusts Registration Service guidance

2w Emma Smith, Managing Editor
New trading allowance: simplicity, but not as we know it

Administration New trading allowance: simplicity, but not as we know it

2m Emma Rawson, ATT Technical Officer
‘Improve rather than lose’ disincorporation relief, tax body urges

Administration ‘Improve rather than lose’ disincorporation relief, tax body urges

2m Austin Clark, Reporter
Are you ready for the Trusts Registration Service?

Administration Are you ready for the Trusts Registration Service?

3m Helen Thornley, ATT Technical Officer
Advisers bullish despite Brexit concerns

Accounting Standards Advisers bullish despite Brexit concerns

1y Fraser Simpson, Reporter
Brexit: Five questions accountants should be asking

Accounting Firms Brexit: Five questions accountants should be asking

1y Fraser Simpson, Reporter
UK votes to leave EU – accountancy profession reacts

Accounting Firms UK votes to leave EU – accountancy profession reacts

1y Fraser Simpson, Reporter