HMRC accounts subject to criminal attack

On 4 June, HMRC shared that they had detected unauthorised access to the online accounts of around 100,000 taxpayers, with a resultant loss to the Exchequer of £47 million (subsequently updated to £49 million). Using personal information gained in a variety of ways, criminals were able to pretend to be genuine taxpayers and access taxpayers’ accounts to make fraudulent refund claims.

At first sight this is not obviously an ‘employer’ issue, as the attacks reported concerned individuals’ tax accounts. However, it does act as a reminder of the importance of keeping personal details safe. Employers hold a lot of sensitive personal data about their employees - and employers also have their own online accounts with HMRC. While the attacks to date mainly concern unrepresented individuals who have not usually accessed their HMRC online accounts, with HMRC unable to say where or how the information was obtained, everyone needs to be vigilant.

Background

HMRC online accounts for individuals are also known as Personal Tax Accounts (PTAs). All taxpayers have a PTA, regardless of whether or not the individual has set up the necessary login details to access their account online. The incidents involved criminals gaining and using personal information to impersonate genuine taxpayers in order to claim money fraudulently from HMRC.

When HMRC identify that an account has been accessed fraudulently, they will take action to shut the account down. This includes not just locking down the affected account, but also removing any incorrect information and checking no other details were changed. Any existing credentials used to access the account will be deleted, so anyone affected who wants to access their PTA in future will need to recreate login details.

HMRC have stated that no one who has been affected should experience any personal financial loss in respect of their tax affairs as a result of their account being targeted - this is a fraud against HMRC, rather than the individual directly.

HMRC advice

HMRC are writing to affected taxpayers between 4 June 2025 and 25 June 2025 to explain the steps that have been taken. If recipients have any doubts about any HMRC letter, they can check a list of genuine contacts on GOV.UK.

HMRC have published details of the actions they have taken and what to do if you receive a letter. HMRC say that if a taxpayer does not receive a letter, it is unlikely that their account has been affected, but the page also includes guidance on how to check any recent account activity for suspicious logins.

HMRC have advised us that letters to impacted taxpayers will make clear that the data used to access an online account may have included their name, date of birth, address or National Insurance number. It may also have included information from passport or driving licence documents or credit reference data. HMRC do not know where or how this information has been obtained, only that it has been used to access the taxpayer's online account. HMRC have told us that there is no evidence that data has been shared.

Resources

Individuals and businesses looking for more information on protecting themselves or their business from cyber attacks can find more details from the National Cyber Security Centre.

This article reflects the position at the date of publication shown above. If you are reading this at a later date, you are advised to check that the position has not changed in the time since.
