HMRC criticised for not reporting £47m phishing attack sooner

Information from approximately 100,000 British taxpayers was targeted by criminals who committed a phishing attack on HMRC, resulting in a loss of around £47m.
Speaking at a Treasury Select Committee hearing on Wednesday, HMRC’s deputy chief executive Angela MacDonald told MPs that a “lot of money” was taken and “it’s very unacceptable”.
On the same day, the tax agency issued guidance to taxpayers stating that its security systems had detected unauthorised access to some customers’ online accounts. It told taxpayers that those affected will receive a letter from HMRC between 4 June 2025 and 25 June 2025.
John-Paul Marks, HMRC’s new chief executive, told MPs that the incident occurred in December 2024 and had affected the accounts of approximately 100,000 pay-as-you-earn (PAYE) taxpayers.
He added: “This was organised-crime phishing for identity data outwith of HMRC systems”, pointing out the criminals used information they had already obtained outside of HMRC.
Chair criticises HMRC
However, the Committee MPs criticised the officials for not disclosing the phishing attack earlier.
Chair Dame Meg Hillier said the committee “would expect to get information about this — not have it emerge because of an announcement while you’re in the committee room”.
“A word to the wise… let me use my position as chair just to remind you, gently – well perhaps not so gently – that it would be normal to advise parliament of things if you are appearing in front of a committee. Not to have it announced during the committee hearing,” the MP for Hackney South and Shoreditch added.
Marks told the Committee that an investigation into the matter took place last year “including jurisdictions outside the UK” and led to “some arrests last year”.
The tax agency emphasised that this was not a cyber or hacking attack but rather a phishing incident.
In a phishing incident, criminals use scam emails, text messages, or phone calls to trick people into providing sensitive information. This contrasts with the cyberattacks that have made headlines in recent weeks, following a series of attacks on businesses including M&S, Co-op, and Coinbase.
However, as Will Richmond-Coggan, partner at law firm Freeths, said: “While HMRC were at pains to stress that their own systems had not been compromised in a cyber attack, this incident nonetheless underscores how widespread the consequences of cyber incidents can be.”
“It is clear from HMRC’s explanation that the crime against HMRC was only possible because of earlier data breaches and cyber attacks. Those earlier attacks put personal data in the hands of the criminals which enabled them to impersonate taxpayers and apply successfully to claim back tax,” he explained.