The UK’s tax collections agency says cyberbaddies defrauded it of £47 million ($63 million) late last year, but insists the criminal case was not a cyberattack.
Representatives for His Majesty’s Revenue and Customs (HMRC) disclosed the theft, which occurred in late 2024, to Parliament’s Treasury Select Committee for the first time on Wednesday.
HMRC’s chief executive John-Paul Marks explained that 0.22 percent of the UK population who are paid via the Pay As You Earn (PAYE) automatic income tax collection system, which applies to most employed people in the UK, were being contacted about unauthorized access to their accounts.
This equates to around 100,000 people who will receive the tax collector’s assurance they have not suffered any financial loss as a result of the fraud case.
Their online tax record accounts were accessed using genuine credentials which HMRC says were taken “from phishing activity or data obtained elsewhere.”
The individuals behind the mega-fraud used this account access to file phony claims with HMRC, many of which appear to have succeeded given the £47 million total loss, which Marks described as a “small loss to the taxpayer.”
Because PAYE is an automatic scheme – employees are automatically enrolled by their employer and HMRC automatically collects income tax from then on – many people never access their online tax accounts, which are also created automatically, because there is no need for manual oversight. The account is there if people want to gather their tax records, but few ever need to.
That is why so many people affected by this fraud campaign will be none the wiser that this ever happened, and the thrust of HMRC’s letters to those affected will be to reassure them that there is no risk of financial loss.
Marks went on to confirm that the criminal investigation, which spanned multiple, unspecified jurisdictions, concluded last year and resulted in a number of arrests.
The letters will also inform them that as a result of the action taken following the investigation, their online tax accounts have been suspended, but they don’t need to take any action.
HMRC’s deputy chief executive, Angela MacDonald, said the £47 million loss “is a lot of money, and it’s very unacceptable,” but highlighted that the department stymied fraud attempts worth £1.9 billion ($2.5 billion) in the previous tax year using similar tactics.
MacDonald went on to say “this is not a breach of HMRC, it is phishing activity – taking customer credentials and criminals masquerading as the customer to then get into the HMRC account.
“The nature of the attack altered through the year because as we were closing accounts down, they were moving their MO over.
“We took a lot of action to tackle the perpetrators. What has been a challenge in terms of cleaning the accounts up is being clear that we were talking to the genuine customer and not, in fact, talking to the criminal who was on the other end of the account. So, it has taken us some time to do all the analysis necessary.
“We were clear with the Information Commissioner right from the very beginning about what had been happening and taking their advice on the handling of this, and our real priority was to close the customer accounts so the criminals were not able to get in.”
Quizzed on how the attackers got into the accounts given the need for two-factor authentication, HMRC’s representatives nodded their heads and gave their murmurs of approval to the idea that those conversations happen in private.
MacDonald’s full explanation of how the attack was handled came after committee chair Dame Meg Hillier admonished Marks, who only took on the head of tax role in April – long after the incident transpired – for HMRC’s delayed disclosure of the fraud case.
“Let me use my position as chair just to remind you, gently – or perhaps not so gently – that it would be normal to advise Parliament of things, and if you’re appearing in front of a committee, not to have it announced during the committee hearing.
“I have a rule: never to have something announced the lunchtime before a committee hearing either, so a little more notice… we’re quite regularly used to getting things the night before, at least, that’s mildly more acceptable than just finding it out this way.”
Hillier later used the fraud case as a launchpad to fact-check other statements made by HMRC, such as its claim made to the committee in a November 2024 hearing that it had never experienced a cyberattack that successfully led to fraud.
“Was that a true statement at the time?” she asked.
“Yes because this is not a cyberattack,” MacDonald explained, noting that there was no compromise of HMRC’s systems, nor was data extracted or a ransom demanded, but she acknowledged it might sound like she was “splitting hairs” over the definition since money was extracted via HMRC’s digital systems.
In a statement to The Register following the committee hearing, HMRC reaffirmed its position.
A spokesperson said: “This was not a cyberattack. This involved criminals using personal information from various sources elsewhere – for example, phishing activity or data obtained through other organizations to access HMRC services.
“These are attempts to claim money fraudulently from HMRC, not from customers – nevertheless, we have taken action to protect customer data and secure affected accounts as soon as possible. No customers have experienced, or will experience, financial loss in respect of their tax affairs.
“We continuously enhance our security measures to tackle evolving fraud tactics.
“At the spending review on 11 June, the government will be making further investments in the security of HMRC’s IT systems.” ®