Committee publication · Correspondence · 10 June 2025
Letter to the Chair from the First Permanent Secretary relating to Unauthorised Access to HMRC Online Tax Accounts, dated 10 June 2025
From: Treasury Committee
Inquiry: Work of HM Revenue and Customs
Summary
HMRC's First Permanent Secretary provides follow-up detail on a PAYE fraud security incident involving unauthorised access to online tax accounts. Approximately 100,000 customers (0.22% of the customer base) were potentially impacted; HMRC has locked affected accounts, notified customers, and estimates £49 million in revenue losses. No financial loss has occurred to individual customers, and HMRC is developing a Fraud Prevention Centre to strengthen defences.
Key findings
- Approximately 100,000 customers (0.22% of total customer base) potentially affected by unauthorised account access; criminal investigations commenced last year.
- HMRC took immediate protective action: locked compromised accounts, deleted login credentials, removed incorrect tax record information, and verified no other customer details were altered.
- Estimated PAYE revenue losses corrected to £49 million (not £47 million as initially stated); no individual customers experienced financial loss to their tax affairs.
- HMRC blocked approximately 1.5 billion suspicious activities monthly and prevented £1.9 billion in revenue loss during 2023–24 through fraud detection and prevention.
- HMRC is developing a Fraud Prevention Centre (FPC) as a multi-functional team to strengthen resilience against identity-related fraud and deliver enhanced customer support.
Tone
ProceduralTopics
Key actors
John-Paul Marks, Dame Meg Hillier, HMRC, Information Commissioner's Office, Committee of Public Accounts
Notable line
“… no customers have experienced, or will experience, any financial loss in respect of their tax affairs as a result of this incident.”
Key Quotes
“… approximately 100,000 customers (around 0.22% of our total customer base) had potentially been impacted.”
“HMRC analyses approximately 200 billion events across systems monthly, proactively blocking around 1.5 billion suspicious activities.”
“… the estimated PAYE revenue losses are £49 million, not £47 million as we stated during the hearing.”
“We take the security of our customers' data extremely seriously and HMRC will continue to enhance our security measures and capabilities to tackle the continuous …”
Source · parliament.uk record ↗