Committee publication · Correspondence · 1 July 2025

Correspondence from HM Revenue and Customs on security and customer service, dated 24 June 2025

From: Treasury Committee

Inquiry: Work of HM Revenue and Customs

Summary

John-Paul Marks, HMRC's Chief Executive, responds to the Treasury Committee's 10 June letter following oral evidence on HMRC's work. The letter addresses a £49 million PAYE fraud incident involving unauthorised access to Personal Tax Accounts through phishing and data breaches, confirms four customer helpline outages in the past year, and outlines HMRC's security and modernisation investments totalling £1.6 billion through 2028-29.

Key findings

  • A series of serious PAYE fraud incidents resulted in £49 million Exchequer loss and unauthorised access to customer data; HMRC is investigating criminal gangs with law enforcement partners and suspects have been detained.
  • Four phone line outages occurred in the past year: July 2024 (1.5 hours), September 2024 (7 hours), December 2024 (2.5 hours), and 4 June 2025 (3 hours), caused by supplier issues with telephony and Adviser User Interface systems.
  • Customer service adviser attempt handling improved from baseline to 83.6% in April 2025 and 84.6% in May 2025; Agent Dedicated Line performance improved from 58% in April 2024 to 86% in April 2025.
  • Government committed £1.6 billion additional investment in HMRC IT modernisation from 2026-27 to 2028-29, plus £36 million for tax adviser registration service modernisation announced at Autumn Budget 2024.
  • HMRC notified the Information Commissioner's Office within 72 hours of identifying unauthorised data access; during 2023-24, 29 data incidents were reported affecting 35,645 people; security measures prevented £1.9 billion revenue loss.

Tone

Procedural

Topics

cybersecuritytax-fraudpublic-service-deliverycustomer-serviceit-modernisation

Key actors

John-Paul Marks, Dame Meg Hillier, HM Revenue and Customs, Information Commissioner's Office, Government Cyber Coordination Centre, Committee of Public Accounts, Cabinet Office

Notable line

We take these responsibilities very seriously. As I said at the Committee of Public Accounts (PAC) during the 12 June hearing …

Key Quotes

The PAYE fraud referred to was a series of serious incidents, highlighting the real and persistent threat to the UK tax system from criminal gangs.
John-Paul Marks · Describing the nature of the security breaches
In this instance, there was a loss to the Exchequer and customer data was accessed, both of which are unacceptable.
John-Paul Marks · Acknowledging the impact of the fraud incidents
… we estimate the loss to the Exchequer to be £49 million. We will continue to keep that figure under review, as of course the security threat to our systems is persistent and ever-evolving.
John-Paul Marks · Providing quantified loss assessment
The unauthorised access to Personal Tax Accounts (PTAs) was a consequence of criminals harvesting personal data from external sources, including through exploiting phishing campaigns, third-party data breaches, and material obtained from the dark web.
John-Paul Marks · Explaining the attack vector
We have experienced four phone line outages in the year since 10 June 2024. Two outages affected the Odigo telephony platform: on 17 July, lines were closed for 1.5 hours and on 10 September 2024, lines were closed for 7 hours.
John-Paul Marks · Documenting customer service disruptions
At the recent Spending Review, the Government announced further investment in the modernisation of HMRC's IT estate totaling an additional £1.6 billion TDEL from 2026-27 to 2028-29.
John-Paul Marks · Outlining investment in IT infrastructure
View original document →

Source · parliament.uk record ↗