Committee publication · Correspondence · 10 June 2025

Letter to the Chair from the First Permanent Secretary relating to Unauthorised Access to HMRC Online Tax Accounts, dated 10 June 2025

From: Treasury Committee

Inquiry: Work of HM Revenue and Customs

Summary

HMRC's First Permanent Secretary provides follow-up detail on a PAYE fraud security incident involving unauthorised access to online tax accounts. Approximately 100,000 customers (0.22% of the customer base) were potentially impacted; HMRC has locked affected accounts, notified customers, and estimates £49 million in revenue losses. No financial loss has occurred to individual customers, and HMRC is developing a Fraud Prevention Centre to strengthen defences.

Key findings

  • Approximately 100,000 customers (0.22% of total customer base) potentially affected by unauthorised account access; criminal investigations commenced last year.
  • HMRC took immediate protective action: locked compromised accounts, deleted login credentials, removed incorrect tax record information, and verified no other customer details were altered.
  • Estimated PAYE revenue losses corrected to £49 million (not £47 million as initially stated); no individual customers experienced financial loss to their tax affairs.
  • HMRC blocked approximately 1.5 billion suspicious activities monthly and prevented £1.9 billion in revenue loss during 2023–24 through fraud detection and prevention.
  • HMRC is developing a Fraud Prevention Centre (FPC) as a multi-functional team to strengthen resilience against identity-related fraud and deliver enhanced customer support.

Tone

Procedural

Topics

cybersecuritypublic-financefraud-preventiontax-administrationdata-protection

Key actors

John-Paul Marks, Dame Meg Hillier, HMRC, Information Commissioner's Office, Committee of Public Accounts

Notable line

… no customers have experienced, or will experience, any financial loss in respect of their tax affairs as a result of this incident.

Key Quotes

… approximately 100,000 customers (around 0.22% of our total customer base) had potentially been impacted.
John-Paul Marks · Scale of PAYE fraud incident
HMRC analyses approximately 200 billion events across systems monthly, proactively blocking around 1.5 billion suspicious activities.
John-Paul Marks · HMRC's defensive capability and scale of threat
… the estimated PAYE revenue losses are £49 million, not £47 million as we stated during the hearing.
John-Paul Marks · Correction to oral evidence figures
We take the security of our customers' data extremely seriously and HMRC will continue to enhance our security measures and capabilities to tackle the continuous …
John-Paul Marks · HMRC's commitment to data security
View original document →

Source · parliament.uk record ↗