HM Revenue and Customs has lost £47 million following a phishing attack that began in December 2024 targeting thousands of PAYE tax accounts.

The incident came to light during a House of Commons Treasury select committee hearing this week on HMRC’s performance. Senior civil servants said around 100,000 individuals are now being contacted about the breach.

According to a notice on HMRC’s website, its systems detected “unauthorised access to some customers’ online accounts”. The authority said it had locked affected accounts, deleted login credentials to block further access, removed incorrect information from tax records, and verified that no other data had been altered.

“This was an attempt to claim money from HMRC, not an attempt to take any money from you,” the notice read.

HMRC has faced mounting criticism over performance, with the National Audit Office describing customer service levels as being in a “declining spiral”.

A separate Freedom of Information request revealed that HMRC was responsible for more than 800 of the 1,200 public sector device losses reported between January and December 2024 – adding to mounting evidence of systemic security weaknesses at the tax authority.

In another setback, HMRC’s customer service phone lines went down on Wednesday due to a system outage.

---