Where was the breach?

The UK is pretty bad at the notion of secure email. In Sweden there was a service which provided encryption - though I don't know how well or how much it was used. At least it was an option.

In the UK I believe government departments, such as HMRC, do have secure email facilities to communicate with the public. Also, hopefully they use secure interdepartmental procedures. I specifically asked the organisation referred to in msg 19 whether even if I sent the documents to them by a secure route, whether they would keep them secure - bearing in mind that many of the staff are now working remotely from home - and was told that they use a secure VPN.

Let's hope that's correct.

That's good - up to a point.

A major issue is that many people in the UK are reluctant to use encrypted email, or find it difficult, and just can't cope with passwords.
I know that some of these systems make these things easier, but humans are often the barrier to use, or the weak link, when they are used.

I think HMRC expect you to log into your account online - or you get (eventually) a hard copy letter. They say loud and clear they don't text or email - so that people know an email or text has to be a scam.
Teachers Pension communicates via access to one's online account, but you get an email indicating you need to log in to access the account.

This way, with information held in their secure sites, any leakage, they will say, happens with the user.

Except that during the pandemic they HAVE been communicating by email, regardless of what they had said previously!

That I didn't know - though they were not always following their own rules before.

There have been a few times when a bank agent has phoned, and suggested something, then been surprised when we asked for verification. Usually they offer a phone number to call - but we never do that, because a criminal would be able to set up a number. Then when we ring up the bank they ask why we didn't use the number they gave us in their phone call.

I had a very recent conversation with an orgnanisation I'm having a conversation with at present, including discussion about whether to send encrypted documents - since I have refused to send any documents withot encryption. The "amusing" part was this.

Me: My reference number is A1234556
Agent: Oh - I'll just get your application up on my screen. We're all working from home, and the computer is a bit slow today. O.K - here we go.
David - isn't it. Application for XYZ.

Me: Yes that's right.

A: I'll just have to ask you some security questions..
Me: OK

A: Your full name ....... David BPQRST.
Me: Yes
A: Your address ....... RPQ Street, Postcode AH12 9VQ
Me: Yes - that's right.
A; Now I have to ask your date of birth. 31/5/53
Me: Yes - OK!
A: That's fine.



Ouch!

I was very proud of Mrs CS a few days ago. She got a phishing phone call "£600 to be debited from your Mastercard for a foreign payee, press #2 to be put through to....".

She found the security phone number from the statement and called it from a different 'phone line. My campaign over years now (sometimes unkindly called "Mansplaining" by the 20 somethings) - has been taken on board!.

I think if HMRC emailed me, if posible I'd send them a hard copy letter and email them back saying my response was in the post (Its what they do, isn't it......).