News: 1749119682


HMRC: Crooks broke into 100k accounts, stole £47M from British taxpayer in late 2024

(2025/06/05)


The UK's tax collections agency says cyberbaddies defrauded it of £47 million ($63 million) late last year, but insists the criminal case was not a cyberattack.

Representatives for His Majesty's Revenue and Customs (HMRC) disclosed the theft, which occurred in late 2024, to Parliament's Treasury Select Committee for the first time on Wednesday.

HMRC's chief executive John-Paul Marks explained that 0.22 percent of the UK population paid via Pay As You Earn (PAYE), the automatic income tax collection system that applies to most employed people in the UK, were being contacted about unauthorized access to their accounts.


This equates to around 100,000 people who will receive the tax collector's assurance they have not suffered any financial loss as a result of the fraud case.


Their online tax record accounts were accessed using genuine credentials which HMRC says were taken "from [4]phishing activity or data obtained elsewhere."

The individuals behind the mega-fraud used this account access to file phony claims with HMRC, many of which appear to have succeeded given the £47 million total loss, which Marks described as a "small loss to the taxpayer."


Because [6]PAYE is an automatic scheme – employees are enrolled by their employer and HMRC collects income tax automatically from then on – many people never access their online tax accounts, which are also created automatically, because there is no need for manual oversight. The account is there if people want to gather their tax records, but few ever need to.

That is why so many people affected by this fraud campaign will be none the wiser that this ever happened, and the thrust of HMRC's letters to those affected will be to reassure them that there is no risk of financial loss.

Marks went on to confirm that the criminal investigation, which spanned multiple, unspecified, jurisdictions, concluded last year and resulted in a number of arrests.


The letters will also inform them that as a result of the action taken following the investigation, their online tax accounts have been suspended, but they don't need to take any action.

HMRC's deputy chief executive, Angela MacDonald, said the £47 million loss "is a lot of money, and it's very unacceptable," but highlighted that the department stymied £1.9 billion ($2.5 billion) of attempted fraud using similar tactics in the previous tax year.

MacDonald went on to say "this is not a breach of HMRC, it is phishing activity – taking customer credentials and criminals masquerading as the customer to then get into the HMRC account.

"The nature of the attack altered through the year because as we were closing accounts down, they were moving their MO over.

"We took a lot of action to tackle the perpetrators. What has been a challenge in terms of cleaning the accounts up is being clear that we were talking to the genuine customer and not, in fact, talking to the criminal who was on the other end of the account. So, it has taken us some time to do all the analysis necessary.

"We were clear with the [8]Information Commissioner right from the very beginning about what had been happening and taking their advice on the handling of this, and our real priority was to close the customer accounts so the criminals were not able to get in."

Quizzed on how the attackers got into the accounts given the need for [9]two-factor authentication, HMRC's representatives nodded their heads and gave their murmurs of approval to the idea that those conversations happen in private.

MacDonald's full explanation of how the attack was handled came after committee chair Dame Meg Hillier admonished Marks, who only took on the head of tax role in April – long after the incident transpired – for HMRC's delayed disclosure of the fraud case.

"Let me use my position as chair just to remind you, gently – or perhaps not so gently – that it would be normal to advise Parliament of things, and if you're appearing in front of a committee, not to have it announced during the committee hearing.

"I have a rule: never to have something announced the lunchtime before a committee hearing either, so a little more notice… we're quite regularly used to getting things the night before, at least, that's mildly more acceptable than just finding it out this way."

Hillier later used the fraud case as a launchpad to fact-check other statements made by HMRC, such as its claim made to the committee in a November 2024 hearing that it had never experienced a cyberattack that successfully led to fraud.

"Was that a true statement at the time?" she asked.

"Yes because this is not a cyberattack," MacDonald explained, noting that there was no compromise of HMRC's systems, nor was data extracted or a [10]ransom demanded, but she acknowledged it might sound like she was "splitting hairs" over the definition since money was extracted via HMRC's digital systems.

In a statement to The Register following the committee hearing, HMRC reaffirmed its position.

[11]HMRC's Making Tax Digital scheme also made tax more expensive – by £300M

[12]Millions at risk after attackers steal UK legal aid data dating back 15 years

[13]UK tax collector puts half a billion on table for call center services

[14]IT chiefs of UK's massive health service urge vendors to make public security pledge

[15]Ransomware crims hammering UK more than ever as British techies complain the board just doesn't get it

A spokesperson said: "This was not a cyberattack. This involved criminals using personal information from various sources elsewhere – for example, phishing activity or data obtained through other organizations to access HMRC services.

"These are attempts to claim money fraudulently from HMRC, not from customers – nevertheless, we have taken action to protect customer data and secure affected accounts as soon as possible. No customers have experienced, or will experience, financial loss in respect of their tax affairs.

"We continuously enhance our security measures to tackle evolving fraud tactics.

"At the spending review on 11 June, the government will be making further investments in the security of HMRC's IT systems." ®





[4] https://www.theregister.com/2025/04/23/stolen_credentials_mandiant/


[6] https://www.theregister.com/2024/03/26/hmrc_linux_paye_tools/


[8] https://www.theregister.com/2025/04/08/ico_recruitment_drive/

[9] https://www.theregister.com/2025/03/26/ncsc_influencers_2fa/

[10] https://www.theregister.com/2025/01/14/uk_ransomware_payout_ban/

[11] https://www.theregister.com/2025/05/01/hmrc_making_tax_digital/

[12] https://www.theregister.com/2025/05/19/legal_aid_agency_data_theft/

[13] https://www.theregister.com/2025/05/27/uk_tax_collector_puts_500m/

[14] https://www.theregister.com/2025/05/19/nhs_it_chiefs_urge_vendors/

[15] https://www.theregister.com/2025/04/11/uk_cyberattacks/




Headley_Grange

It wasn't too long ago that the only way to change your password for your HMRC website was to submit a request and then wait up to ten days for a letter in the post with a code to let you change it.

Yet Another Anonymous coward

Frankly that sounds sort of optimal - assuming your old passwd is locked as soon as they get the address.

It's presumably a lot harder for hoodie wearing North Korean cyber-ninjas to intercept millions of brown envelopes

No financial loss?

Flak

'[...] The tax collector's assurance they have not suffered any financial loss as a result of the fraud case' is somewhat misleading.

Every tax payer has suffered financial loss!

BTW I would like to understand how MFA was circumvented - and what has been done to ensure that cannot happen again.

Re: No financial loss?

Victor Ludorum

It's a little unclear, but from the general gist of the article it would appear that MFA wasn't bypassed, it wasn't set up in the first place because the 'victims' HMRC accounts were set up automatically as part of the PAYE process, but never activated by the end user because they didn't need to or know how to...

Re: No financial loss?

Dr Who

That can't be right if this was indeed a credential stuffing attack (and cyberattack it was, whatever HMRC may claim) which depends on a user setting the same password on at least two different systems - so the accounts must have been activated by the users.

Re: No financial loss?

nobody who matters

The HMRC account will have been activated by using personal details obtained illicitly from other sources - things such as address, date of birth, employment details and NI number associated with that name among other things, which the HMRC system will tally with the personal information they already hold for an individual.

Having successfully provided all the correct information for the individual they were trying to impersonate, the criminal would then be able to set up a password and direct MFA to their own device, so no need to find a way of bypassing MFA.

Clearly the initial checks to verify the identity of the person trying to activate an account were woefully insufficient. I would like to think this has now been sufficiently tightened up, but......

Re: No financial loss?

elsergiovolador

Junior Dev> Just checking - if someone has NI number, DOB, postcode... they could activate someone else’s account?

PM> Only if it all matches. That’s how ID works.

Security Lead> It’s the same info they’d give on the phone, so it’s consistent.

Junior Dev> Right… but if that info leaks

PM> That would be a them problem, not a us problem.

Product Owner> Most users won’t even know they have an account. We’re just offering access, not forcing it.

UX Designer> If we make it harder, people won’t complete setup. We’ll get hammered in the usability report.

Junior Dev> Okay. Just wondered if we'd looked at a second step - like, checking if the real person is already registered or...

PM> It’s already signed off. Let’s not go there.

Security Lead> We’ll monitor account activity. If anything weird happens, we’ll catch it.

Junior Dev> Got it. Cool.

* pause *

PM> Any more questions?... Great. Let’s move on - next item’s the banner text for the welcome screen.

Re: No financial loss?

Fruit and Nutcase

Probably would spend more time discussing the banner and welcome screen design/colours/emoji etc than on above discussion

Re: No financial loss?

Yet Another Anonymous coward

Major retailer here got hacked

They created a free credit-check account for every victim and posted that the default passwd was the last 4 digits of the credit card number that had been stolen.........

Re: No financial loss?

Sp1z

Maybe it was sufficient for the crooks to have enough personal information to do an initial forgotten password (or however else you would initially log on to an HMRC account) and then of course they would be prompted to set up the 2FA because the system thinks it's them.

That's my guess anyway. MFA was "on" but wasn't set up and the crooks set it up, so effectively useless.
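As an added illustration (not code from The Register, from HMRC, or from any commenter), the following Python sketch shows the correlation a fraud team could run over account-activation telemetry to catch the pattern "nobody who matters" and Sp1z describe above: an attacker with leaked personal data passes the knowledge-based checks, activates an account the real taxpayer never used, enrols their own MFA device and files a claim. Each step looks legitimate on its own; the signal is the same IP address or MFA phone number turning up across many newly activated accounts, and activation being followed by a claim within hours. Every event, field name, IP address, phone number and threshold below is constructed for the example and says nothing about HMRC's actual systems or logs.

```python
"""Constructed detection sketch: mass activation of dormant self-service accounts.

Not HMRC code. The event schema, sample data and thresholds are assumptions
made for this example; a real deployment would tune them against baseline
traffic (shared IPs behind carrier-grade NAT are noisy, reuse of one MFA
phone number across accounts is a much stronger signal).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event, source_ip, mfa_phone).
# A1..A4 are activated by one operator reusing a device and phone; A5 is a
# genuine taxpayer who activates, enrols MFA and claims weeks later.
EVENTS = [
    ("2024-10-01T09:00:00", "A1", "activate",            "203.0.113.7",  None),
    ("2024-10-01T09:01:00", "A1", "mfa_enrol",           "203.0.113.7",  "+447700900001"),
    ("2024-10-01T09:05:00", "A1", "bank_details_change", "203.0.113.7",  None),
    ("2024-10-01T09:06:00", "A1", "claim_submitted",     "203.0.113.7",  None),
    ("2024-10-01T09:20:00", "A2", "activate",            "203.0.113.7",  None),
    ("2024-10-01T09:21:00", "A2", "mfa_enrol",           "203.0.113.7",  "+447700900001"),
    ("2024-10-01T09:30:00", "A2", "bank_details_change", "203.0.113.7",  None),
    ("2024-10-01T09:31:00", "A2", "claim_submitted",     "203.0.113.7",  None),
    ("2024-10-02T11:00:00", "A3", "activate",            "198.51.100.9", None),
    ("2024-10-02T11:01:00", "A3", "mfa_enrol",           "198.51.100.9", "+447700900001"),
    ("2024-10-02T11:02:00", "A3", "claim_submitted",     "198.51.100.9", None),
    ("2024-10-03T08:00:00", "A4", "activate",            "203.0.113.7",  None),
    ("2024-10-03T08:01:00", "A4", "mfa_enrol",           "203.0.113.7",  "+447700900004"),
    ("2024-11-15T10:00:00", "A5", "activate",            "192.0.2.44",   None),
    ("2024-11-15T10:02:00", "A5", "mfa_enrol",           "192.0.2.44",   "+447700900005"),
    ("2024-12-20T14:00:00", "A5", "claim_submitted",     "192.0.2.44",   None),
]


def _parse(events):
    """Turn ISO timestamps into datetimes; leave the other fields as they are."""
    return [(datetime.fromisoformat(ts), acct, ev, ip, phone)
            for ts, acct, ev, ip, phone in events]


def shared_attribute_flags(events, max_accounts=2):
    """Flag every account whose activation IP or enrolled MFA phone number is
    shared with more than max_accounts distinct accounts.  One person
    legitimately owning a handful of accounts is possible; dozens is not."""
    by_ip, by_phone = defaultdict(set), defaultdict(set)
    for _, acct, ev, ip, phone in events:
        if ev == "activate":
            by_ip[ip].add(acct)
        elif ev == "mfa_enrol" and phone:
            by_phone[phone].add(acct)
    flags = defaultdict(set)
    for label, index in (("shared_ip", by_ip), ("shared_mfa_phone", by_phone)):
        for key, accts in index.items():
            if len(accts) > max_accounts:
                for acct in accts:
                    flags[acct].add(f"{label}:{key}")
    return flags


def fast_claim_flags(events, window=timedelta(hours=24)):
    """Flag accounts where a claim is filed within `window` of first activation.
    A dormant account that is activated and immediately used to request
    money is the sequence the commenters describe."""
    activated, flags = {}, defaultdict(set)
    for ts, acct, ev, _, _ in sorted(events, key=lambda e: e[0]):
        if ev == "activate":
            activated.setdefault(acct, ts)
        elif (ev == "claim_submitted" and acct in activated
              and ts - activated[acct] <= window):
            flags[acct].add("fast_claim")
    return flags


def triage(raw_events):
    """Combine both detectors; returns {account: sorted list of reasons}."""
    events = _parse(raw_events)
    combined = defaultdict(set)
    for part in (shared_attribute_flags(events), fast_claim_flags(events)):
        for acct, reasons in part.items():
            combined[acct] |= reasons
    return {acct: sorted(reasons) for acct, reasons in combined.items()}


if __name__ == "__main__":
    for acct, reasons in sorted(triage(EVENTS).items()):
        print(acct, ", ".join(reasons))
```

On the constructed data A1 and A2 trip all three signals, A3 is caught only by the shared phone number and the fast claim, A4 only by the shared IP, and the genuine user A5 is not flagged. The phone-number correlation is the one worth acting on first: it is the artefact an attacker must reuse to keep control of many accounts, and, unlike a knowledge-based identity check, it cannot be satisfied with data leaked from somewhere else.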

lglethal

"The UK's tax collections agency says cyberbaddies defrauded it of £47 million ($63 million) late last year, but insists the criminal case was not a cyberattack."

For a moment there I thought HMRC was being honest about Politicians salaries, and how much they are costing us...

Although referring to Politicians as Cyberbaddies might be giving them too much credit. They're just regular baddies after all... And saying they defrauded the country, well... I mean there are some politicians it would be easy to claim were defrauding the country simply by breathing in the air which could be better used for well anything else...

Verfying true callers

Acrimonius

When you call HMRC you are asked your NI number, name/username, address/post code, DOB, email address and contact cell/phone. Did they not know all of this and more can be stolen so they should never take any kind of instructions via a call, if indeed this was happening. Also, given that credentials can be easily stolen they should also not accept any log-in without MFA. All old hat now. They say they continuously enhance security measures to tackle evolving fraud tactics. They appear to be lagging a few evolutions.

So how much of the 47M was recovered?

Piñata

elsergiovolador

Every digital failure like this becomes a funding event. "We’ll invest more in IT security" means more contracts for the usual consultancy suspects.

There’s no sign of sackings, no clawbacks, no contract penalties. Just soft language, delayed disclosure, and a promise to spend more. Failure has no cost - it generates revenue.

At this rate, HMRC isn’t a tax authority, it’s a money piñata. The more it gets hit, the more cash spills out - not to the public, but to the firms circling overhead with ready-made PowerPoints and day rates.

The incentive isn’t to fix anything - it’s to manage the optics until the next breach justifies the next round of funding.

Cyber attack

ChrisElvidge

If it wasn't a "cyber attack", what was it? Isn't phishing a cyberattack?

"This was not a cyberattack"

Pascal Monett

No, it was just our normal incompetence and lack of oversight, plus some outsiders being more intelligent about our systems than we are.

Everything is fine, move along, citizen. Move along.
