Leaders provide MPs with details of losses, including clarification that the incident is not a cyber breach of the department but rather a widespread phishing exercise perpetrated on thousands of individuals
HM Revenue and Customs incurred losses of £47m as a result of cybercriminals gaining access to the online PAYE accounts of about 100,000 taxpayers.
The tax department revealed this week that it has “written to affected customers and taken action to protect these accounts”. This includes locking down access to the accounts, deleting user IDs and passwords, and checking information and removing incorrect details.
The total of around 100,000 individuals impacted by the incident equates to “about 0.2% of the PAYE population”, according to HMRC chief executive John-Paul Marks, in oral evidence given to the Treasury select committee this week.
“To be clear, there was no financial loss to those individuals,” he told MPs. “This was organised crime phishing for identity data – outwith of HMRC systems, [and] which is stuff that banks and others will also, unfortunately, experience – and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account.”
Deputy chief executive Angela MacDonald revealed that “at the moment, they’ve managed to extract repayments to the tune of £47m”.
“Now that is a lot of money and is very unacceptable,” she added. “We have, overall, in the last tax year, actually protected £1.9bn worth of money which [criminals] sought to take from us.”
MacDonald said that the incident was not considered to be a cyber breach because no access was gained to, and no data taken from, HMRC systems; rather, the information had been obtained from individuals.
“This is organised crime,” she said. “It is not a cyber breach of HMRC – it is phishing activity taking customer credentials, and then the criminals masquerading as the customer to then get into the HMRC account. The nature of the attack altered through the year because, as we were closing it down and closing accounts down, they were moving their MO over… We took a lot of action to actually tackle the perpetrators, but what has been a challenge – in terms of being clear and cleaning the accounts up – is being clear that we were then talking to the genuine customer and not, in fact, talking to the criminal who was on the other end of the account. So, it has taken us some time to do all of the analysis necessary and to make sure we were clear.”
Another challenge was that many citizens – whose only income is from a PAYE-taxed job – had not set up an online account with HMRC, or otherwise rarely used it, so in “many instances, were not realising that actually somebody else was in their account”, according to MacDonald.
The deputy CEO told MPs that the department was very quick to alert the Information Commissioner’s Office and was intent on “taking their advice on the handling of this” throughout its response.
Marks added that, following a criminal investigation – which encompassed enquiries in overseas jurisdictions – “some arrests were made last year”.
MPs asked HMRC leaders about the criminal incident after having been alerted to the department’s public statement on the matter on the same day. Committee chair Meg Hillier firmly advised the chief executive that she and her colleagues would expect “a little bit more notice” in future.
“Just to remind you, gently – and, perhaps, not so gently – that it would be normal to advise parliament of things and, if you’re appearing in front of a committee, not to have it announced during the committee hearing,” she said.