HM Revenue and Customs has lost £47m through a phishing attack focused on pay-as-you-earn tax accounts, the department’s senior leadership has admitted to MPs.
Details of the incident only emerged during a Treasury Select Committee session yesterday afternoon, at which HMRC permanent secretary John-Paul Marks and second perm sec Angela MacDonald were among the witnesses.
While the long-scheduled Treasury Committee session was under way, HMRC announced on GOV.UK that its security systems had detected “unauthorised access” to some customers’ online accounts. It said letters would be sent to affected individuals over the coming weeks, but gave no details of the number of people affected or the overarching sum of money involved.
Committee chair Dame Meg Hillier was clearly annoyed that HMRC had chosen to make the announcement while the session was taking place, but had provided no advance information to MPs.
Marks, who became HMRC perm sec in April following the retirement of Sir Jim Harra, said the fraud was “historic” and had been identified by the department last year – with arrests made several months ago.
“This was organised crime, phishing for identity data outwith of HMRC systems – so stuff that banks and others will also, unfortunately, experience,” he said.
Marks said the criminals had sought to use data obtained to create new PAYE accounts, or access existing ones, to fraudulently request tax repayments.
The perm sec said that around 100,000 people were believed to be affected, representing around 0.2% of PAYE “customers”.
“To be clear, there’s no loss to those individuals,” he said.
Marks said that HMRC had deleted compromised accounts and locked down others when it was identified that fraudsters had sought to access them. He added that officials had also removed “incorrect information” from the records.
Marks said that the letters now being sent out to affected customers would alert them that their PAYE accounts have been suspended and advise them of appropriate action.
The perm sec acknowledged there was a “small loss” to the taxpayer, but did not elaborate on the figure.
HMRC second perm sec MacDonald was subsequently asked directly about the cost of the incident to the department and took a different view of the quantum.
“At the moment, they’ve managed to extract repayments to the tune of £47m,” she said. “That is a lot of money, and is very unacceptable.”
As a counterbalance, she added that the department had “protected £1.9bn worth of money” that was targeted by fraudsters over the 2024-25 tax year. The second perm sec was unable to give a figure for how much responding to the PAYE incident had cost.
MacDonald said the incident was “organised crime” but “not a cyber breach of HMRC”.
She said that despite details of the fraud only being made public yesterday, officials had been “clear with the information commissioner right from the beginning” and had taken their advice on handling the incident.
Hillier told Marks and MacDonald that she expected both her committee and the Public Accounts Committee to pursue the matter.
She had earlier told Marks that it would be “normal” to advise a select committee of issues such as the PAYE fraud in a timely way and not announce a relevant issue elsewhere during a committee session.
Hillier said that even announcing something during the lunchtime before a committee session was not enough notice.
“Let’s not have this happen again,” she said.