HMRC has lost £47 million after a phishing scam breached tens of thousands of tax accounts, a group of MPs has heard.
Two senior civil servants at HM Revenue and Customs (HMRC) told the Treasury Committee that 100,000 people have been contacted, or are in the process of being contacted, after their accounts were locked down in what they said was an “organised crime” incident which began last year.
Taxpayers who are being affected will suffer “no financial loss”, according to John-Paul Marks, the chief executive of HMRC, the UK’s tax authority.
Mr Marks told the Committee: “It’s about 0.2% of the PAYE population, around 100,000 people, who we have written to, are writing to, to notify them that we detected activity on their PAYE account.”
Asked if this applied to individual working people’s PAYE accounts, not companies, he replied: “That’s right, individuals. To be clear, no financial loss to those individuals.
Mr Marks added: “This was organised crime phishing for identity data outwith of HMRC systems, so stuff that banks and others will also unfortunately experience, and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account.”
An investigation into the matter, which took place last year “including jurisdictions outside the UK”, led to “some arrests last year,” Mr Marks told MPs.
Angela MacDonald, HMRC’s deputy chief executive and second permanent secretary, added: “At the moment, they’ve managed to extract repayments to the tune of £47 million.
“Now that is a lot of money, and it’s very unacceptable. We have overall, in the last tax year, we actually protected £1.9 billion worth of money which sought to be taken from us by attacks.”
Ms MacDonald stressed the breach was “not a cyber attack, we have not been hacked, we have not had data extracted from us”.
She later added: “The ability for somebody to breach your systems and to extract data, to hold you to ransomware and all of those things, that is a cyber attack. That is not what has happened here.”
HMRC said it had locked down affected accounts and deleted log-in details to prevent future unauthorised access. Any incorrect information has been removed from tax records and officials have checked to ensure no other details have been changed.
People affected will receive a letter from HMRC over the next three weeks. Elsewhere, Mr Marks told MPs that HMRC phone lines were down on Wednesday afternoon, but said this was “coincidental”. They will be “back up and available in the morning”, he added.
An HMRC spokesperson said: “We’ve acted to protect customers after identifying attempts to access a very small minority of tax accounts, and we’re working with other law enforcement agencies both in the UK and overseas to bring those responsible to justice.
“This was not a cyber-attack – it involved criminals using personal information from phishing activity or data obtained elsewhere to try to claim money from HMRC.
“We’re writing to those customers affected to reassure them we’ve secured their accounts and that they haven’t lost any money.”
