Latest news with #DameMegHillier


Telegraph
2 days ago
HMRC reprimanded for not revealing phishing attack earlier
HMRC has been reprimanded for not telling MPs for a year about a phishing attack that cost it up to £49 million. The chairman of the Commons Treasury select committee said it was 'unacceptable' that MPs had not been told of the breach until a year after it had happened. The records of up to 100,000 taxpayers were accessed by organised criminals following the attack. Officials only admitted to the breach on the day of a Treasury committee hearing last week, when details were published on a page. On Tuesday, Dame Meg Hillier wrote to John-Paul Marks, the HMRC chief executive, demanding answers and clarifications to more than a dozen questions – including why HMRC had not informed Parliament beforehand about the attacks and whether the tax authority expected to recover any of the missing taxpayers' money. HMRC previously said around £47 million had been lost, but in response to Dame Meg's letter on Tuesday, it revised this total to £49 million. She also asked when ministers and the HMRC board were first made aware of the attack. In a strongly worded four-page letter, the senior Labour MP wrote: 'I am alarmed that it was never deemed necessary to inform Parliament about an issue which affected such a vast number of taxpayers and led to the loss of £47 million of public money. 'To discover this information during a session from press reports and without adequate time for the committee to review the information in detail is unacceptable.' Dame Meg has also asked Mr Marks how 'confident' HMRC is that it has identified all customer accounts targeted or affected, whether there have been any convictions and prosecutions in relation to the incident and what the 'implications' are for HMRC's Making Tax Digital programme, which has seen the tax authority push millions of workers to file their tax returns online.
The attack came to light on the same day that HMRC's phone lines were hit by a system outage, which meant only those using the specific phone number in the letters to phishing victims were able to call the organisation. Mr Marks told the committee that he believed the phone outage was 'not connected' to the attack and that some arrests had been made last year. In a letter provided in response to Dame Meg's correspondence, Mr Marks offered a 'private briefing' with the committee to 'explore the issue further'. Advising Dame Meg of the new higher total loss, he said: 'Regarding losses to the Exchequer, I would like to correct the oral evidence, as the estimated PAYE revenue losses are £49 million, not £47 million as we stated during the hearing. 'The normal route for notifying losses to Parliament is through the annual report and accounts where HMRC includes individual incidents exceeding £10 million in the trust statement and exceeding £300,000 in the resource accounts in line with managing public money requirements.' Concluding his letter, Mr Marks said: 'I welcome the committee's interest in matters related to security and would like to be clear this is the very highest priority for HMRC. 'We take the security of our customers' data extremely seriously and HMRC will continue to enhance our security measures and capabilities to tackle the continuous, evolving security challenges faced by all large institutions.' Meanwhile, the Association of Chartered Certified Accountants has written to the Treasury committee chairman claiming that it had not received any information from HMRC about the breaches until the issue was raised at the meeting. Glenn Collins, head of technical and strategic engagement at the accountancy trade body, also included survey results which showed just 1 per cent of its members felt HMRC's service levels impacted their organisation and clients' 'productivity and efficiency' positively. 
Mr Collins wrote: 'We have highlighted to HMRC our frustration that HMRC has not been transparent or timely in its communication over this important issue. 'This disappointing failure to communicate in a timely manner is unfortunately representative of the poor levels of customer service received by agents and taxpayers.' The Telegraph understands that criminals used a variety of methods to obtain login details for taxpayers – including phishing scams and obtaining data stolen from previous leaks. Criminals then posed as legitimate taxpayers to apply for money such as taxpayer rebates. Officials told the Treasury committee last Tuesday that the incident was 'not a cyber attack' but instead took the form of multiple phishing attacks 'designed to extract money' from the tax authority, carried out by several organised crime gangs over an extended period last year. Addressing Mr Marks directly at the time, Dame Meg said: 'I think it's perhaps a responsibility that you report to us in the House in parliamentary terms, that we would expect to get information about this and not have it emerge because of an announcement while you're in the committee room – it hasn't been mentioned until we picked up the news story.' A HMRC spokesman said: 'We faced a series of evolving and complex criminal attempts to access online tax accounts and our priority has been to protect customers and their accounts. Our customers suffered no financial loss as a result. 'Thorough investigation has been necessary to understand the extent of this activity and pursue the criminals responsible. 'We've worked closely with the Information Commissioner's Office throughout to ensure we met our obligations.'


The Independent
2 days ago
HMRC slammed for 'unacceptable' delay in reporting £49m phishing scam
A committee of MPs has criticised HM Revenue and Customs (HMRC) for failing to promptly report a data breach affecting approximately 100,000 taxpayers. The Treasury Committee said it only learned of the incident through a notification published on the HMRC website, coinciding with a live session on June 4. The breach, a phishing scam, resulted in the loss of £47 million, a figure recently revised to £49 million. HMRC officials informed the Treasury Committee that they have contacted, or are in the process of contacting, 100,000 individuals whose accounts were locked down following what they described as an "organised crime" incident that began last year. Adding to the controversy, the Association of Chartered Certified Accountants (ACCA) stated in a letter published by the committee on Tuesday that it had not discussed the phishing incident with HMRC and was unaware of it before the June 4 hearing. The committee also published a letter sent via email from its chairwoman Dame Meg Hillier to John-Paul Marks, chief executive, HMRC. The letter said: 'I am alarmed that it was never deemed necessary to inform Parliament about an issue which affected such a vast number of taxpayers and led to the loss of £47 million of public money. 'To discover this information during a session from press reports and without adequate time for the committee to review the information in detail is unacceptable.' The letter said the committee is seeking responses from HMRC as to 'why was Parliament not notified earlier about the loss of £47 million of taxpayers' money, whether through a written ministerial statement and/or public or confidential letters to the Treasury Committee and the Public Accounts Committee?' The committee is also seeking responses on why the update was published on the day of the committee hearing on the work of HMRC and who else in Government was told about the incident and when. 
It also wants to receive a timeline of how the incident unfolded and find out what measures HMRC has put in place to ensure that such incidents do not happen in future. The letter asked for a reply by June 24, 2025. Meanwhile, the letter from Glenn Collins, head of technical and strategic engagement, ACCA, to Dame Meg, dated June 5, said: 'While we regularly engage with HMRC, including earlier in the year about issues relating to agent account access, we have not received any communication from HMRC on the issue of taxpayer account breaches until yesterday. 'We have highlighted to HMRC our frustration that HMRC has not been transparent or timely in its communication over this important issue.'


The Independent
2 days ago
HMRC failure to notify MPs sooner about £47m phishing scam 'unacceptable'
HM Revenue and Customs (HMRC) has been warned by a committee of MPs that its failure to report details of a breach affecting around 100,000 taxpayers is 'unacceptable'. The Treasury Committee said it was only alerted to the information when a notification was published on the HMRC website on the same day as a live session. On June 4, it emerged that HMRC had lost £47 million after a phishing scam breached tens of thousands of tax accounts. Senior civil servants at HMRC told the Treasury Committee that 100,000 people have been contacted, or are in the process of being contacted, after their accounts were locked down in what they said was an 'organised crime' incident which started last year. On Tuesday, the committee published a letter from the Association of Chartered Certified Accountants (ACCA) stipulating that it had not discussed the phishing incident with HMRC and was not aware of it prior to the hearing on June 4. The committee also published a letter sent via email from its chairwoman Dame Meg Hillier to John-Paul Marks, chief executive, HMRC. The letter said: 'I am alarmed that it was never deemed necessary to inform Parliament about an issue which affected such a vast number of taxpayers and led to the loss of £47 million of public money. 'To discover this information during a session from press reports and without adequate time for the committee to review the information in detail is unacceptable.' The letter said the committee is seeking responses from HMRC as to 'why was Parliament not notified earlier about the loss of £47 million of taxpayers' money, whether through a written ministerial statement and/or public or confidential letters to the Treasury Committee and the Public Accounts Committee?' The committee is also seeking responses over why the update was published on the day of the committee hearing on the work of HMRC and who else in Government was told about the incident and when. 
It also wants to receive a timeline of how the incident unfolded and find out what measures HMRC has put in place to ensure that such incidents do not happen in future. The letter asked for a reply by June 24 2025. Meanwhile, the letter from Glenn Collins, head of technical and strategic engagement, ACCA, to Dame Meg, dated June 5, said: 'While we regularly engage with HMRC, including earlier in the year about issues relating to agent account access, we have not received any communication from HMRC on the issue of taxpayer account breaches until yesterday. 'We have highlighted to HMRC our frustration that HMRC has not been transparent or timely in its communication over this important issue.'