HMRC under fire for delayed disclosure of £47m phishing incident

Hackers Launch Phishing Attack on HMRC in December, Aiming to Access Data from 100,000 Taxpayers


Hackers managed to snag roughly £47m from around 100,000 British taxpayers in a phishing attack on HMRC. Angela MacDonald, HMRC's deputy chief executive, didn't mince words when she addressed the Treasury Select Committee, describing the theft as "unacceptable."

On Wednesday, the tax agency issued a warning to taxpayers, letting them know that its security systems had detected unauthorized access to some customers' online accounts. Affected taxpayers can expect to receive a letter from HMRC between June 4, 2025, and June 25, 2025.

John-Paul Marks, HMRC's new chief executive, shared with MPs that the incident happened back in December 2024, affecting the accounts of approximately 100,000 pay-as-you-earn (PAYE) taxpayers. Marks clarified that this was an organized crime phishing attack, with criminals leveraging information they already had outside of HMRC.

Despite criticism for not announcing the phishing attack earlier, Marks informed the committee that an investigation took place last year, involving jurisdictions beyond the UK, and resulting in some arrests in 2024.

The tax agency made it clear that this wasn't a cyber or hacking attack but rather a phishing incident. Crooks often carry out phishing attacks by sending scam emails, text messages, or making phone calls, tricking people into dishing out their sensitive information. This differs from cyberattacks, which have recently made headlines after a string of attacks on businesses such as M&S, Co-op, and Coinbase.

Nevertheless, Will Richmond-Coggan, partner at law firm Freeths, cautioned that "while HMRC were at pains to stress that their own systems had not been compromised in a cyberattack, this incident nonetheless underscores how far-reaching the consequences of cyberattacks can be." In essence, previous data breaches and cyberattacks enabled these criminals to swipe taxpayer identities and use them to apply for and receive incorrect tax refunds.

Key Insights:

  • This phishing attack on HMRC stole around £47m from approximately 100,000 UK taxpayers.
  • The investigation into the matter involved jurisdictions outside the UK and led to multiple arrests last year.
  • The attack wasn't a traditional cyberattack but rather a sophisticated phishing campaign using scam emails, texts, or calls to gather taxpayer information.
  • Critics have pointed out HMRC's lack of transparency in disclosing the attack earlier and expressed concerns over the agency's overall security and customer service standards.
  • The incident, in which approximately £47m was stolen from around 100,000 UK taxpayers, highlights the importance of cybersecurity.
  • The phishing campaign that targeted HMRC was powered by information obtained from previous data breaches and cyberattacks, underscoring the far-reaching consequences of such incidents.
