HMRC warning as 100,000 taxpayers locked out of accounts after criminals steal £47m in phishing attack

The tax authority revealed the breach on Wednesday whilst its chief executive, John-Paul Marks appeared before the House of Commons Treasury select committee.

HMRC confirmed it had locked down the affected accounts and removed incorrect information from tax records.

Angela McDonald, deputy chief executive of HMRC, told MPs: "At the moment, they've managed to extract repayments to the tune of £47 million. Now that is a lot of money and it's very unacceptable."

The disclosure came six months after the incident occurred, prompting criticism from MPs about the delayed notification to the public.

The attack involved criminals using phishing campaigns to obtain identity data from outside HMRC's systems, which they then used to create fraudulent PAYE accounts or access existing ones to claim illegitimate repayments.

Marks told the Treasury Committee: "This was organised crime fishing for identity data, outwith of HMRC systems, stuff that banks and other people will unfortunately experience, and then using that data to try to create PAYE accounts to pay themselves a repayment and or access an existing account."

Officials confirmed the threat was not classified as a cyber attack but rather an extended operation carried out by multiple crime syndicates throughout last year.

The criminals specifically targeted the pay-as-you-earn system, affecting approximately 0.2 per cent of the PAYE population.

HMRC responded swiftly to the breach, with Marks confirming: "There has been a criminal investigation, some arrests were made last year and a lot of work then done to intercept this incident."

The tax authority has launched an international investigation into the organised crime groups responsible. HMRC sent notifications to affected customers, reassuring them that no action was required on their part.

Marks emphasised that whilst there had been "a small loss to the taxpayer" from the fraudulent repayments, individual taxpayers had not suffered financial losses.

He told MPs: "To be clear there has been no financial loss to those individuals."

The chief executive, who has been in post since April, assured the Treasury Committee that "the situation was under control" and that HMRC had successfully locked down all compromised accounts.

MPs on the Treasury select committee criticised HMRC for waiting six months to disclose the December incident to the public, questioning why taxpayers were only notified during Wednesday's committee appearance.

The delay in public notification raised concerns amongst committee members about transparency, particularly given the scale of the breach and the significant sum extracted by criminals.

Marks defended HMRC's response during his appearance, stating that the authority had written to affected individuals: "It's about 0.2 per cent of the PAYE population so around 100,000 people who we have written to or are writing to, to notify them that we detected activity on their PAYE account."

Despite the criticism, HMRC maintained that its fraud team had successfully detected the attempted fake PAYE rebate claims and taken appropriate action to protect taxpayers.