Overview

• Organised crime groups carried out a phishing operation in December 2024 using personal data obtained outside HMRC to access and create around 100,000 PAYE accounts.
• Criminals successfully extracted approximately £47 million in fraudulent repayments from HMRC’s systems.
• HMRC has locked down affected accounts, deleted login credentials and removed false entries while assuring no customer lost personal funds.
• A UK and overseas investigation last year led to several arrests and prompted HMRC to fortify its account security measures.
• Treasury Committee chair Dame Meg Hillier criticised HMRC for only revealing the breach during Wednesday’s hearing instead of notifying Parliament earlier.