Tax office shuts credits site after identity theft

Criminals used stolen details of civil servants to make false claims via site

The government has shut down the tax credits web site after discovering it has been targeted by online fraudsters.

HM Revenue & Customs (HMRC) took the decision last week to close the site, which processes tax credit claims, after discovering that civil servants’ personal identities had been stolen and were being used to try to steal money from the department through false online applications.

Criminals are believed to have stolen the personal details of more than 1,500 employees at the Department for Work and Pensions (DWP). The information was subsequently used to make fraudulent claims.

HMRC and the DWP are working with law enforcement agencies to carry out a criminal investigation, but say that public records have been unaffected by the security breach.

A spokeswoman for HMRC told Computing that the fraud attempts were discovered during compliance work.

The department has subsequently identified and stopped attempts to defraud the tax credit system using its online portal.

‘In light of this, HMRC has closed the e-portal while it develops new checks to ensure that the system remains secure,’ said HMRC in a statement.

The DWP declined to comment on how hundreds of employee records had fallen into the hands of internet criminals, but says it is working quickly to identify which records have been stolen.

‘At the moment it appears that 1,500 DWP staff have been affected by this,’ said a spokeswoman for the DWP. ‘But we are conducting a criminal investigation and cannot comment on how this has happened.’

HMRC was unable to confirm when the tax credits e-portal would be available for public use again, but says that customers can still process applications via its telephone helpline, post, or in person at Inland Revenue enquiry centres.

In June, the UK’s National Infrastructure Security Co-ordination Centre warned that public sector employees were being targeted by sophisticated Trojan email attacks, which had been designed to trick them into giving out commercially and economically sensitive data (Computing, 23 June).

But sources told Computing the DWP identity theft is not related to this warning.