Organised criminals accessed the records of up to 100,000 taxpayers in a breach at HMRC, leading to an estimated £47 million loss for the tax authority.
Officials told MPs that around 0.2% of PAYE taxpayers with personal HMRC accounts were affected. The breach occurred last year as part of a broader effort by HMRC to encourage online tax return submissions under its Making Tax Digital initiative.
Speaking to the Treasury Committee, HMRC clarified that the incident was not a traditional cyber attack but a series of phishing scams carried out by multiple organised crime groups over a prolonged period, with the intent of extracting funds from the department.
HMRC has confirmed on its website that it has only recently begun notifying affected taxpayers, with letters due to be delivered between now and June 25.
The breach was revealed on the same day HMRC experienced a phone system outage, restricting access to only those using the dedicated number included in the letters sent to phishing victims.
Affected individuals have been told they do not need to take any action. HMRC stated it has secured compromised accounts by locking them and deleting their login credentials.
During a Treasury Committee hearing, Dame Meg Hillier, the committee’s chair, questioned HMRC chief executive John-Paul Marks about the incident, after reportedly learning about it through media coverage. Marks said he believed the phone outage was unrelated to the breach and confirmed that some arrests had been made last year.
Dame Meg also pressed Mr Marks on whether HMRC had informed the chair of the Public Accounts Committee, as would typically be expected in cases involving potential risks to taxpayer funds.
Mr Marks responded, “No, we have not done that yet. But if the committee would like us to write to you, we are happy to do that.”
Dame Meg Hillier interrupted, expressing her frustration: “I think it’s perhaps a responsibility that you report to us in the House in parliamentary terms. We would expect to be informed about this—not to discover it via a news story while you’re sitting in a committee room. It hasn’t been mentioned until we picked it up from the press.”
She later added: “I probably don’t need to teach you, Mr Marks—because you are a permanent secretary—but let me nevertheless use my position as chair just to remind you, gently or perhaps not so gently, that it would be normal to inform Parliament of such matters, especially if you’re appearing before a committee. It should not be revealed during the course of the hearing itself.”
HMRC has faced ongoing criticism for its rapid push to move taxpayers online. In January, the Public Accounts Committee accused the department of having “willingly allowed its phone services to fail” in an effort to force people onto digital platforms.
According to the National Audit Office, average wait times for the HMRC helpline rose to 23 minutes in the first 11 months of 2023–24, a sharp increase from just five minutes in 2018–19.
Last month, HMRC announced it would stop processing self-assessment refund requests by phone or webchat due to a spike in suspected fraud.
