Jun 12, 2025, 10:31 AM
Jun 10, 2025, 5:15 PM

HMRC fails to inform Parliament about major taxpayer data breach

Highlights
  • Approximately 100,000 taxpayers were affected by a phishing scam that resulted in a significant loss of funds.
  • The Treasury Committee expressed alarm at not being notified about the data breach until it was revealed in a public forum.
  • HMRC's inadequate communication has raised questions about its transparency and cybersecurity protocols.
Story

In 2025, a significant data breach affecting 100,000 taxpayers was revealed in the UK. The incident was linked to a phishing scam that resulted in the loss of £49 million. This breach, which began a year earlier, came to light during a Treasury Committee hearing when members were alerted by a report published on the HM Revenue and Customs (HMRC) website. Alarmed by the lack of notification, the Committee expressed outrage that it was not informed before discovering the issue through press reports.

The Treasury Committee's chairwoman, Dame Meg Hillier, criticized HMRC for its failure to communicate the breach in a timely manner. She articulated her concerns in a formal letter to HMRC's chief executive, John-Paul Marks, emphasizing that Parliament should have been notified about such a critical issue affecting taxpayers. The letter also questioned why the update about the incident was released on the same day as the hearing, leaving the Committee unprepared for the discussion.

In addition to the loss of funds, the scandal raised considerable concerns about the safety and security of taxpayers' personal information. HMRC acknowledged it was in the process of contacting the affected individuals, but this action was not enough to ease the frustration felt by various stakeholders, including the Association of Chartered Certified Accountants (ACCA). The ACCA expressed dissatisfaction with HMRC's communication and transparency regarding the breach. It voiced its frustrations in a letter published by the Treasury Committee, stating that it had not been informed about the incident until just before the Committee meeting.

The fallout from this incident raises broader questions about cybersecurity and the protocols in place for communication between government agencies and Parliament. Stakeholders expect clear timelines and detailed responses from HMRC about how the incident unfolded, what actions it has implemented to prevent future occurrences, and whether any other government officials were privy to information regarding the breach. The Committee is actively seeking answers to these pressing questions and has requested a formal response from HMRC by June 24, 2025, in hopes of preventing similar oversights in the future.
