A phishing attack on the UK’s tax department, HM Revenue and Customs, has affected 100,000 UK taxpayer accounts at the cost of £47 million.

The tax agency has issued guidance to taxpayers, stating that it has locked the affected accounts, deleted login credentials, and removed incorrect information from tax records.

Those whose accounts were targeted will receive a letter in June, HMRC said, and no money was taken directly from taxpayers themselves.

At a Treasury Select Committee hearing, Angela MacDonald, HMRC’s deputy chief executive, told MPs that a “lot of money” was stolen.

The incident occurred in December 2024, added John-Paul Marks, the department’s new chief executive.

“This was organised-crime phishing for identity data out of HMRC systems,” he said.

Criminals used identity data from HMRC systems to create PAYE accounts and claim repayments, or to access existing accounts.

Marks said that “a lot of work” had been done to “intercept this incident. We identified and locked down the compromised accounts.”

MPs criticised HMRC officials for failing to notify the committee at the time of the breach, stating they only became aware of it through media reports.

“It would be normal to advise Parliament of things if you’re appearing in front of a committee. Not to have it announced during the committee hearing,” said Treasury Select Committee Chair Meg Hillier.

“Money was got. By criminals. By penetrating the digital system. A lot of people would consider that a cybercrime,” she said.

Was HMRC hacked?

HMRC stressed the incident was not a cyber or hacking attack but rather a phishing scheme, where criminals used personal data obtained elsewhere to attempt to claim money.

MacDonald said, “This was not a cyber-attack, we have not been hacked, we have not had data extracted from us.”

“The ability for somebody to breach your systems and to extract data, to hold you to ransomware and all of those things — that is a cyberattack. That is not what has happened here.”

Phishing attacks typically involve criminals using fake emails, texts, or phone calls to trick individuals into disclosing sensitive information.

“While HMRC was at pains to stress that its own systems had not been compromised in a cyberattack, this incident nonetheless underscores how widespread the consequences of cyber incidents can be,” said Will Richmond-Coggan, partner specialising in data and cyber disputes at legal services firm Freeths LLP.

Richmond-Coggan added that HMRC’s explanation that the crime was only possible because of earlier data breaches and cyberattacks stresses the importance of protecting customer data.

“Those earlier attacks put personal data in the hands of the criminals, which enabled them to impersonate taxpayers and apply successfully to claim back tax.”
