After posing as taxpayers, fraudsters managed to steal £47 million from HMRC in a phishing attack last year.
Whilst HMRC is reassuring customers that their accounts are secure and they have not lost any money, MPs have criticised the agency for not disclosing the attack sooner. An investigation was quietly opened last year into the cyber security risks and arrests were made. Amid a string of recent cyberattacks, HMRC’s notice about the breach has emerged without directly informing the House of Commons Treasury select committee, as the agency’s new Chief Executive, John-Paul Marks submitted evidence on their work and customer service.
Phishing allowed scammers to access customer details, obtained externally to pretend to be taxpayers and claim rebates.
The tax authority insisted this was not a hacking or cyber breach, of the kind which has affected scores of retailers in recent weeks.
Angela MacDonald, HMRC’s deputy chief executive, admitted that a significant amount of money was lost from HMRC, which is “unacceptable” whilst they scramble to protect customer’s trust and lock down the compromised accounts in question. HMRC leaders were reprimanded by the committee for not writing to inform them about this major incident at the time.
New tax accounts were set up using the phished information of individuals who did not have a need for an online tax account and therefore would have been unaware that their personal identity had been stolen in this way. The agency’s action to intercept the attack after it was detected intensified during the last year, Ms MacDonald told the committee.
She was adamant that she was “clear with the information commissioner” and had been taking its advice on the handling of the incident.
The government will be increasing funds for HMRC’s digital systems in next week’s Spending Review in light of events.
