A serious cyber breach at His Majesty’s Revenue and Customs (HMRC) has left security experts alarmed. Scammers managed to swindle around £47 million from taxpayers through relatively simple account takeovers.
This week, HMRC revealed to the Treasury Select Committee that hackers accessed online accounts of about 100,000 individuals via phishing attacks. They successfully claimed substantial tax rebates before the fraud was discovered. Fortunately, those affected by the breach haven’t lost any money and are not in trouble. Some arrests have already been made related to this case.
During the discussion, Meg Hillier, chair of the committee, criticized HMRC for taking too long to disclose the breach, noting she only learned about it from the news.
The initial phishing emails targeted unsuspecting taxpayers, so while HMRC may feel some relief at not being fully responsible, experts point out the broader implications. Will Richmond-Coggan from law firm Freeths emphasizes that the crime was possible because of prior data breaches. “These earlier attacks put personal data in the hands of criminals, enabling them to impersonate taxpayers,” he explained.
Phishing tactics have evolved, according to Gerasim Hovhannisyan, CEO of EasyDMARC. He noted that phishing against individuals and organizations has become far more sophisticated. The recent breach at HMRC appears to have involved targeted emails designed to mimic official communications, tricking self-assessment taxpayers into revealing their login details. Hovhannisyan warns that generative AI is making phishing scams even more refined and deceptive.
“Email remains the most exploited attack vector,” he said. “These scams leverage human trust and often look completely legitimate. If HMRC can be phished, so can anyone.”
He expressed concern that the Treasury Select Committee only learned of the breach through media reports. “When £47 million is stolen, institutions must be transparent. Delaying disclosure harms trust and slows down the response.”
End-users often become the weak link in defending against cyber attacks. In HMRC’s case, daily interactions with the public complicate security education efforts. The UK’s National Cyber Security Centre (NCSC) offers plenty of resources on identifying phishing emails but cannot ensure everyone has access to that information.
Mike Britton, CIO at Abnormal AI, argues HMRC could have done more on the technical side. Governments are prime targets for cyber criminals because of the valuable data they hold, and attacks in this sector are increasing. “In this case, criminals used account takeover to commit fraud. Multi-factor authentication (MFA) is crucial, but we need more comprehensive security measures,” Britton stated.
He recommends that agencies like HMRC adopt layered security strategies to include MFA and maintain greater visibility across their IT systems. Account takeovers can happen quickly, so organizations must have robust tools in place to identify and address compromised accounts swiftly.
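As an added illustration of the kind of account-takeover detection Britton describes (example code written for this page, not HMRC's or Abnormal AI's own tooling), the Python below runs a simple rule over a constructed authentication and activity log: a login from a device the account has never used, followed within a short window by a bank-detail change or a rebate claim, is flagged for review. The log lines, account names, device labels, 60-minute window and "known devices" list are all constructed assumptions; real systems would draw these from their own identity and transaction telemetry.

```python
"""Flag likely account-takeover sequences in an authentication/activity log.

Constructed example: the log format, accounts, devices and thresholds below
are illustrative assumptions, not real HMRC data or a real product's rules.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp, account, event kind, key=value attrs.
SAMPLE_LOG = """\
2025-01-10T08:01:00 acct-001 login device=known-1 geo=GB
2025-01-10T08:05:00 acct-001 view_statement - -
2025-01-12T02:14:00 acct-002 login device=new-7 geo=XX
2025-01-12T02:16:00 acct-002 change_bank_details - -
2025-01-12T02:20:00 acct-002 claim_rebate amount=4200 -
2025-01-12T09:00:00 acct-003 login device=known-3 geo=GB
2025-01-12T09:30:00 acct-003 change_bank_details - -
2025-01-13T11:00:00 acct-004 login device=new-2 geo=GB
2025-01-13T11:05:00 acct-004 view_statement - -
"""

# Constructed per-account device history (in practice: the identity provider's records).
KNOWN_DEVICES = {
    "acct-001": {"known-1"},
    "acct-002": {"known-2"},
    "acct-003": {"known-3"},
    "acct-004": {"known-4"},
}

# Actions that turn a suspicious login into a money-moving takeover.
SENSITIVE_ACTIONS = {"change_bank_details", "claim_rebate"}


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str
    attrs: dict = field(default_factory=dict)


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, *rest = line.split()
        attrs = dict(tok.split("=", 1) for tok in rest if "=" in tok)
        events.append(Event(datetime.fromisoformat(ts), account, kind, attrs))
    return events


def detect_takeover(events, known_devices, window=timedelta(minutes=60)):
    """Return one alert per unknown-device login that is followed, within
    `window` and before the next login, by a sensitive action on the same account."""
    by_account: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        for i, login in enumerate(evs):
            if login.kind != "login":
                continue
            device = login.attrs.get("device")
            if device in known_devices.get(account, set()):
                continue  # known device: not a takeover signal on its own
            actions = []
            for follow in evs[i + 1:]:
                if follow.kind == "login" or follow.ts - login.ts > window:
                    break  # session scope ends at the next login or the window edge
                if follow.kind in SENSITIVE_ACTIONS:
                    actions.append(follow.kind)
            if actions:
                alerts.append({
                    "account": account,
                    "login_at": login.ts.isoformat(),
                    "device": device,
                    "actions": actions,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover(parse_log(SAMPLE_LOG), KNOWN_DEVICES):
        print(alert)
```

Only acct-002 is flagged: an unseen device logs in at night and changes bank details and claims a rebate within minutes. acct-003 changes bank details from a known device and acct-004 logs in from a new device but only views a statement, so neither trips the rule; a production deployment would feed those lower-confidence signals into step-up authentication or analyst review rather than discard them.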