Phishing scam costs HMRC £47 million
Up to 100,000 taxpayer accounts targeted
£47 million was stolen by cybercriminals in a series of phishing attacks on HMRC where cybercriminals posed as taxpayers to claim repayments. HMRC were slow to report the incident.
A Treasury Select Committee hearing yesterday heard how the accounts of an estimated 100,000 UK taxpayers were targeted in a series of phishing attacks last year.
The attacks have resulted in a loss of £47 million to date which HMRC’s deputy chief executive Angela MacDonald described during the hearing as “a lot of money.”
HMRC also issued guidance to taxpayers yesterday stating that its security systems had detected unauthorised access to some customers’ online accounts. The guidance adds that those affected will receive a letter from HMRC over the next three to four weeks.
John-Paul Marks, HMRC’s new chief executive, said at the hearing:
“This was organised-crime phishing for identity data out of HMRC systems,” highlighting the method used by the criminals, which was to take identity data they had already stolen from HMRC systems and use it either to create PAYE accounts to pay themselves a repayment or to access an existing account.
Marks continued to explain that "a lot of work [was] then done to intercept this incident. We identified and locked down the compromised accounts.”
Ms. MacDonald added that, "the nature of the attack altered through the year, as we were closing it down, and closing accounts down."
"They were moving their MO [method] over… We took a lot of action to actually tackle the perpetrators," she added.
"What has been a challenge in terms of... cleaning the accounts up is being clear that we were then talking to the genuine customer and not in fact talking to the criminal who was on the other end of the account."
The Committee criticised HMRC officials for taking months to disclose the attack.
Chair Dame Meg Hillier said:
“A word to the wise… let me use my position as chair just to remind you, gently – well perhaps not so gently – that it would be normal to advise parliament of things if you are appearing in front of a committee. Not to have it announced during the committee hearing,” she added.
HMRC emphasised the fact that an investigation had already taken place and that some arrests had occurred. The officials also emphasised that this was not a cyberattack in the manner of recent high-profile attacks but a phishing incident.
Computing says:
The fact that HMRC made efforts to distinguish this phishing attack from other recent cybersecurity failures, and were at pains to point out that their internal systems had not been compromised is telling. The agency gave the impression that it has responded as well as can be expected.
However, phishing attacks like this are possible because of earlier security breaches, where data is exfiltrated. This data is then used either by the group that stole it, or whichever criminal group purchases it (or steals it from the original thieves) to impersonate users.
That neither HMRC nor the MPs on the committee made this connection is indicative of the shoulder-shrugging attitude towards data breaches that UK public sector bodies consistently display.
Taxpayers affected by these attacks have been told that they will not be held liable for the losses. This is great for them at a personal level, but less so for UK taxpayers as a collective, who will of course be liable for the full £47 million cost.