HM Revenue and Customs (HMRC) has been warned by a committee of MPs that its failure to report details of a breach affecting around 100,000 taxpayers is “unacceptable”.
The Treasury Committee said it was only alerted to the information when a notification was published on the HMRC website on the same day as a live session.
On June 4, it emerged that HMRC had lost £47 million after a phishing scam breached tens of thousands of tax accounts.
Following updated information published by the HMRC on Tuesday, that figure has now been revised to £49 million.
Senior civil servants at HMRC told the Treasury Committee that 100,000 people have been contacted, or are in the process of being contacted, after their accounts were locked down in what they said was an “organised crime” incident which started last year.
On Tuesday, the committee published a letter from the Association of Chartered Certified Accountants (ACCA) stipulating that it had not discussed the phishing incident with HMRC and was not aware of it prior to the hearing on June 4.
The committee also published a letter sent via email from its chairwoman Dame Meg Hillier to John-Paul Marks, chief executive, HMRC.
The letter said: “I am alarmed that it was never deemed necessary to inform Parliament about an issue which affected such a vast number of taxpayers and led to the loss of £47 million of public money.
“To discover this information during a session from press reports and without adequate time for the committee to review the information in detail is unacceptable.”
The letter said the committee is seeking responses from HMRC as to “why was Parliament not notified earlier about the loss of £47 million of taxpayers’ money, whether through a written ministerial statement and/or public or confidential letters to the Treasury Committee and the Public Accounts Committee?”
The committee is also seeking responses over why the update was published on the day of the committee hearing on the work of HMRC and who else in Government was told about the incident and when.
It also wants to receive a timeline of how the incident unfolded and find out what measures HMRC has put in place to ensure that such incidents do not happen in future.
The letter asked for a reply by June 24 2025.
Meanwhile, the letter from Glenn Collins, head of technical and strategic engagement, ACCA, to Dame Meg, dated June 5, said: “While we regularly engage with HMRC, including earlier in the year about issues relating to agent account access, we have not received any communication from HMRC on the issue of taxpayer account breaches until yesterday.
“We have highlighted to HMRC our frustration that HMRC has not been transparent or timely in its communication over this important issue.”
An HMRC spokesperson said: “We faced a series of evolving and complex criminal attempts to access online tax accounts and our priority has been to protect customers and their accounts.
“Our customers suffered no financial loss as a result.
“Thorough investigation has been necessary to understand the extent of this activity and pursue the criminals responsible.
“We’ve worked closely with the Information Commissioner’s Office throughout to ensure we met our obligations.”
