Over 100,000 UK taxpayers affected as cyber gangs trick HMRC using stolen personal data
A major data breach has hit the UK’s tax authority, HMRC (Her Majesty’s Revenue and Customs). Criminal gangs used phishing scams to access the personal accounts of nearly 100,000 taxpayers. As a result, HMRC lost around £47 million in fake claims and tax refund fraud.

⚠️ What Actually Happened?
According to HMRC, this was not a traditional cyberattack. Instead, it was a series of phishing attacks carried out by organised criminal groups over several months.
Phishing is when scammers pretend to be trusted organisations (like HMRC) to trick people into sharing personal information such as usernames, passwords, or bank details.
In this case, criminals used stolen data and fake messages like “You have an outstanding tax refund” to trick people into giving access to their accounts.
🔍 Who Was Affected?
HMRC officials told MPs that around 0.2% of people with PAYE accounts were affected – which is about 100,000 individuals. The incident happened last year, but HMRC has only recently started sending letters about the breach to affected users; the letters will continue until June 25.

Those impacted are being reassured that no personal financial loss occurred, and their accounts have now been locked and secured.
📞 Phone Line Issues and Delayed Response
On the same day the breach became public, HMRC’s phone helpline also went down, adding more frustration for affected users. Only those who received letters with a specific helpline number could contact the authority.
HMRC’s chief executive John-Paul Marks confirmed the phone outage and attack were not connected, and said some arrests were made last year in connection with the scams.

MPs criticised HMRC for not informing Parliament about the breach earlier. The news came out only when a news story broke during a committee hearing.
🧠 Lessons for Taxpayers
This incident highlights a key concern: shifting everything online without strong security can put users at risk. In fact, HMRC has already been criticised for closing phone services and pushing taxpayers to use digital platforms.
According to the National Audit Office, the average phone wait time jumped from 5 minutes in 2018 to 23 minutes in 2023-24 – a sign of how support has weakened.
To prevent fraud, HMRC has now stopped processing tax refund requests via phone and webchat.
🚨 What Should You Do?
If you receive a letter from HMRC about this data breach:
- Don’t panic – your account has already been locked.
- No action is needed unless the letter instructs you otherwise.
- Stay alert – avoid clicking on links in suspicious emails or texts.
HMRC also confirmed that affected users haven’t lost any money, and they’re working with law enforcement to find those responsible.
📉 Past Issues and Staff Discipline
This isn’t the first time HMRC has faced data protection issues. In 2020-21, the authority fired 40 employees and gave warnings to 95 others for data security failures.