100,000 accounts have been hit in an HMRC scam campaign, but the tax office says it wasn’t hacked – here’s why

The UK’s tax revenue service has lost £47 million in a breach that started last year and impacted 100,000 people.
The HMRC told the treasury select committee yesterday that the account scam was the result of “organized crime” that set up PAYE, or ‘Pay As You Earn’, accounts for individual taxpayers and used them to claim refunds.
“This was organized crime phishing for identity data out of HMRC systems, so stuff that banks and others will also unfortunately experience, and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account,” HMRC CEO John-Paul Marks said, according to media reports.
The total amount stolen was £47 million, though Marks said that no individual would face any financial loss from the incident. HMRC said that individuals’ own money wasn’t targeted.
“This was an attempt to claim money from HMRC, not an attempt to take any money from you,” it said on the HMRC website.
What happened?
The incident appeared to have happened last year, with a subsequent investigation resulting in arrests. It was unclear why the incident is only now being revealed — a point raised by the treasury select committee itself, with Chair Dame Meg Hillier offering “a word to the wise” to advise parliament of such matters rather than let the committee hear about it from the news.
HMRC officials stressed that its systems weren’t directly attacked or breached; instead, criminals set up new accounts in the name of people who didn’t need a tax account and didn’t already have one. The criminals did so using information obtained from phishing attacks or elsewhere, according to HMRC.
However, as the incident was being investigated and addressed, the “nature of the attack altered”, said Angela MacDonald, HMRC’s deputy CEO, with the methods used by the attackers evolving over time.
“What has been a challenge in terms of… cleaning the accounts up is being clear that we were then talking to the genuine customer and not in fact talking to the criminal who was on the other end of the account,” she added, according to the BBC.
Was HMRC hacked?
MacDonald said that the incident was “not a cyber attack, we have not been hacked, we have not had data extracted from us.”
She later clarified: “The ability for somebody to breach your systems and to extract data, to hold you to ransomware and all of those things, that is a cyber-attack. That is not what has happened here.”
The clarification seems designed to make clear this incident isn’t akin to the recent round of cyber attacks against retailers, which has left M&S struggling to recover — though it may also be a reaction to accusations from five years ago that the HMRC was “incompetent” following 11 serious data breaches.
However, treasury select committee Chair Dame Meg Hillier didn’t seem to accept the distinction: “Money was got. By criminals. By penetrating the digital system. A lot of people would consider that a cyber crime, however you define it.”
Will Richmond-Coggan, a partner specializing in data and cyber disputes at Freeths LLP, suggested the incident showed the impact of previous attacks.
“While HMRC were at pains to stress that their own systems had not been compromised in a cyber attack, this incident nonetheless underscores how widespread the consequences of cyber incidents can be,” he noted.
“It is clear from HMRC’s explanation that the crime against HMRC was only possible because of earlier data breaches and cyber attacks. Those earlier attacks put personal data in the hands of the criminals which enabled them to impersonate tax payers and apply successfully to claim back tax.”
What next?
In a statement given to the press, HMRC said it has “acted to protect customers identifying attempts to access a very small minority of tax accounts”.
The tax office added that it’s currently working with law enforcement agencies in “both the UK and overseas” to find those responsible.
HMRC said on its website that it had locked down all affected accounts, deleted impacted login credentials, removed any incorrect information from tax records, and checked that no other details were changed. It has also written to affected users to let them know. Letters should arrive over the next three weeks.
Any individuals seeking to check their account themselves can sign in, head to Settings in their Profile, and view the sign-in history to look for suspicious activity.