Committee publication · Correspondence · 1 July 2025
Correspondence from HM Revenue and Customs on security and customer service, dated 24 June 2025
From: Treasury Committee
Inquiry: Work of HM Revenue and Customs
Summary
John-Paul Marks, HMRC's Chief Executive, responds to the Treasury Committee's 10 June letter following oral evidence on HMRC's work. The letter addresses a £49 million PAYE fraud incident involving unauthorised access to Personal Tax Accounts through phishing and data breaches, confirms four customer helpline outages in the past year, and outlines HMRC's security and modernisation investments totalling £1.6 billion through 2028-29.
Key findings
- A series of serious PAYE fraud incidents resulted in £49 million Exchequer loss and unauthorised access to customer data; HMRC is investigating criminal gangs with law enforcement partners and suspects have been detained.
- Four phone line outages occurred in the past year: July 2024 (1.5 hours), September 2024 (7 hours), December 2024 (2.5 hours), and 4 June 2025 (3 hours), caused by supplier issues with telephony and Adviser User Interface systems.
- Customer service adviser attempt handling improved from baseline to 83.6% in April 2025 and 84.6% in May 2025; Agent Dedicated Line performance improved from 58% in April 2024 to 86% in April 2025.
- Government committed £1.6 billion additional investment in HMRC IT modernisation from 2026-27 to 2028-29, plus £36 million for tax adviser registration service modernisation announced at Autumn Budget 2024.
- HMRC notified the Information Commissioner's Office within 72 hours of identifying unauthorised data access; during 2023-24, 29 data incidents were reported affecting 35,645 people; security measures prevented £1.9 billion revenue loss.
Tone
ProceduralTopics
Key actors
John-Paul Marks, Dame Meg Hillier, HM Revenue and Customs, Information Commissioner's Office, Government Cyber Coordination Centre, Committee of Public Accounts, Cabinet Office
Notable line
“We take these responsibilities very seriously. As I said at the Committee of Public Accounts (PAC) during the 12 June hearing …”
Key Quotes
“The PAYE fraud referred to was a series of serious incidents, highlighting the real and persistent threat to the UK tax system from criminal gangs.”
“In this instance, there was a loss to the Exchequer and customer data was accessed, both of which are unacceptable.”
“… we estimate the loss to the Exchequer to be £49 million. We will continue to keep that figure under review, as of course the security threat to our systems is persistent and ever-evolving.”
“The unauthorised access to Personal Tax Accounts (PTAs) was a consequence of criminals harvesting personal data from external sources, including through exploiting phishing campaigns, third-party data breaches, and material obtained from the dark web.”
“We have experienced four phone line outages in the year since 10 June 2024. Two outages affected the Odigo telephony platform: on 17 July, lines were closed for 1.5 hours and on 10 September 2024, lines were closed for 7 hours.”
“At the recent Spending Review, the Government announced further investment in the modernisation of HMRC's IT estate totaling an additional £1.6 billion TDEL from 2026-27 to 2028-29.”
Source · parliament.uk record ↗