Overview

• FOI data show 96 employees were disciplined and 50 dismissed for data breaches in 2024-25, bringing the total to 354 disciplinary cases and 186 firings since 2022.
• HMRC maintains that improper access is extremely rare and counters risks with mandatory training, strict access limits and continuous system monitoring.
• An HMRC manager has linked the rise in breaches and device-handling incidents to increased remote working since the pandemic.
• A criminal phishing campaign disclosed in June used stolen credentials to access about 100,000 PAYE accounts and fraudulently claimed £47m in rebates, though no individual taxpayers lost money.
• The Treasury Committee chair and the Information Commissioner’s Office have urged HMRC to strengthen its data controls and accelerate reporting of serious breaches.