Security Breach Reporting
HMRC MTD compliance requirement — report security incidents affecting HMRC data.
What Constitutes a Security Breach
A security breach in the context of HMRC MTD includes any incident where HMRC-related data or systems are compromised. Examples include:
- Unauthorised access to HMRC tokens, credentials, or taxpayer data
- Data leaks exposing National Insurance numbers, UTRs, or tax return data
- Compromise of OAuth access or refresh tokens
- System vulnerabilities that could allow access to HMRC-connected accounts
- Any incident that may affect the confidentiality, integrity, or availability of HMRC data
Reporting Obligations
1. HMRC — within 72 hours
   Report to the HMRC Software Developer Support Team at sdst@hmrc.gov.uk
2. ICO — within 72 hours (if personal data involved)
   Report to the Information Commissioner's Office at ico.org.uk
3. Internal — immediately
   Use the form below to notify the GetSorted security team.