100,000 accounts have been hit in a HMRC scam campaign, but the tax office says it wasn't hacked – here's why
Organized criminals used phished data to set up dodgy HMRC accounts and demand tax rebates
The UK's tax revenue service has lost £47 million in a breach that started last year and impacted 100,000 people.
The HMRC told the treasury select committee yesterday that the account scam was the result of "organized crime" that set up PAYE, or ‘Pay As You Earn’, accounts for individual taxpayers and used them to claim refunds.
"This was organized crime phishing for identity data out of HMRC systems, so stuff that banks and others will also unfortunately experience, and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account," HMRC CEO John-Paul Marks said, according to media reports.
The total amount stolen was £47 million, though Marks said that no individual would face any financial loss from the incident. HMRC said that individuals' own money wasn't targeted.
"This was an attempt to claim money from HMRC, not an attempt to take any money from you," it said on the HMRC website.
What happened?
The incident appears to have happened last year, with a subsequent investigation resulting in arrests. It was unclear why the incident is only now being revealed — a point raised by the treasury select committee itself, with Chair Dame Meg Hillier offering "a word to the wise" to advise parliament of such matters rather than let the committee hear about it from the news.
HMRC officials stressed that its systems weren't directly attacked nor breached, but instead involved criminals setting up new accounts in the name of people who didn't need a tax account and didn't have one already set up. The criminals did so using information from phishing attacks or elsewhere, according to HMRC.
However, as the incident was being investigated and addressed, the "nature of the attack altered", said Angela MacDonald, HMRC’s deputy CEO, with the methods used by the attackers evolving over time.
"What has been a challenge in terms of... cleaning the accounts up is being clear that we were then talking to the genuine customer and not in fact talking to the criminal who was on the other end of the account," she added, according to the BBC.
Was HMRC hacked?
MacDonald said that the incident was "not a cyber attack, we have not been hacked, we have not had data extracted from us."
She later clarified: "The ability for somebody to breach your systems and to extract data, to hold you to ransomware and all of those things, that is a cyber-attack. That is not what has happened here."
The clarification seems designed to make clear this incident isn't akin to the recent round of cyber attacks against retailers, which has left M&S struggling to recover — though it may also be a reaction to accusations from five years ago that the HMRC was "incompetent" following 11 serious data breaches.
However, treasury select committee Chair Dame Meg Hillier didn't seem to accept the distinction: "Money was got. By criminals. By penetrating the digital system. A lot of people would consider that a cyber crime, however you define it."
Will Richmond-Coggan, a partner specializing in data and cyber disputes at Freeths LLP, suggested the incident showed the impact of previous attacks.
“While HMRC were at pains to stress that their own systems had not been compromised in a cyber attack, this incident nonetheless underscores how widespread the consequences of cyber incidents can be," he noted.
"It is clear from HMRC's explanation that the crime against HMRC was only possible because of earlier data breaches and cyber attacks. Those earlier attacks put personal data in the hands of the criminals which enabled them to impersonate tax payers and apply successfully to claim back tax."
What next?
In a statement given to the press, HMRC said it has “acted to protect customers identifying attempts to access a very small minority of tax accounts”.
The tax office added that it’s currently working with law enforcement agencies in “both the UK and overseas” to find those responsible.
HMRC said on its website that it had locked down all affected accounts, deleted impacted login credentials, removed any incorrect information from tax records, and checked that no other details were changed. It has also written to affected users to let them know. Letters should arrive over the next three weeks.
Individuals who want to check their account themselves can sign in, go to Settings in their Profile, and review the sign-in history for suspicious activity.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.