It wasn't too long ago that the only way to change your password for your HMRC website was to submit a request and then wait up to ten days for a letter in the post with a code to let you change it.
HMRC: Crooks broke into 100k accounts, stole £43M from British taxpayer in late 2024
The UK's tax collections agency says cyberbaddies defrauded it of £47 million ($63 million) late last year, but insists the criminal case was not a cyberattack. Representatives for His Majesty's Revenue and Customs (HMRC) disclosed the theft, which occurred in late 2024, to Parliament's Treasury Select Committee for the first …
COMMENTS
Thursday 5th June 2025 11:26 GMT Flak
No financial loss?
'[...] The tax collector's assurance they have not suffered any financial loss as a result of the fraud case' is somewhat misleading.
Every tax payer has suffered financial loss!
BTW I would like to understand how MFA was circumvented - and what has been done to ensure that cannot happen again.
Thursday 5th June 2025 11:34 GMT Victor Ludorum
Re: No financial loss?
It's a little unclear, but from the general gist of the article it would appear that MFA wasn't bypassed, it wasn't set up in the first place because the 'victims' HMRC accounts were set up automatically as part of the PAYE process, but never activated by the end user because they didn't need to or know how to...
Thursday 5th June 2025 12:25 GMT nobody who matters
Re: No financial loss?
The HMRC account will have been activated by using personal details obtained illicitly from other sources - things such as address, date of birth, employment details and NI number associated with that name among other things, which the HMRC system will tally with the personal information they already hold for an individual.
Having successfully provided all the correct information for the individual they were trying to impersonate, the criminal would then be able to set up a password and direct MFA to their own device, so no need to find a way of bypassing MFA.
Clearly the initial checks to verify the identity of the person trying to activate an account were woefully insufficient. I would like to think this has now been sufficiently tightened up, but......
Thursday 5th June 2025 12:59 GMT elsergiovolador
Re: No financial loss?
Junior Dev> Just checking - if someone has NI number, DOB, postcode... they could activate someone else’s account?
PM> Only if it all matches. That’s how ID works.
Security Lead> It’s the same info they’d give on the phone, so it’s consistent.
Junior Dev> Right… but if that info leaks
PM> That would be a them problem, not a us problem.
Product Owner> Most users won’t even know they have an account. We’re just offering access, not forcing it.
UX Designer> If we make it harder, people won’t complete setup. We’ll get hammered in the usability report.
Junior Dev> Okay. Just wondered if we'd looked at a second step - like, checking if the real person is already registered or...
PM> It’s already signed off. Let’s not go there.
Security Lead> We’ll monitor account activity. If anything weird happens, we’ll catch it.
Junior Dev> Got it. Cool.
* pause *
PM> Any more questions?... Great. Let’s move on - next item’s the banner text for the welcome screen.
Friday 6th June 2025 20:05 GMT Anonymous Coward
Re: No financial loss?
Or write a program that will create a scan-like image containing the right information, at the right locations, with a photo that makes reasonable sense given the person's name (so no "Jane" with a full beard, or a pasty-white "Dikembe"). Likely the photo won't be compared to anything.
Thursday 5th June 2025 12:28 GMT Sp1z
Re: No financial loss?
Maybe it was sufficient for the crooks to have enough personal information to do an initial forgotten password (or however else you would initially log on to an HMRC account) and then of course they would be prompted to set up the 2FA because the system thinks it's them.
That's my guess anyway. MFA was "on" but wasn't set up and the crooks set it up, so effectively useless.
Thursday 5th June 2025 17:30 GMT nobody who matters
Re: No financial loss?
My understanding is that the access was through accounts for people who had never activated them; therefore there would be no prior password to forget. I think it appears to be a much more simple case of the criminals activating accounts for the first time by impersonating people whose personal identity and financial/workplace information they had obtained from elsewhere (the article infers phishing, which still seems to be a thing, despite repeated warnings to the population at large about being very wary of entering such information on web pages that may be bogus - seems you can't educate pork!).
Thursday 5th June 2025 11:44 GMT lglethal
"The UK's tax collections agency says cyberbaddies defrauded it of £47 million ($63 million) late last year, but insists the criminal case was not a cyberattack."
For a moment there I thought HMRC was being honest about Politicians salaries, and how much they are costing us...
Although referring to Politicians as Cyberbaddies might be giving them too much credit. They're just regular baddies after all... And saying they defrauded the country, well... I mean there are some politicians it would be easy to claim were defrauding the country simply by breathing in the air which could be better used for well anything else...
Thursday 5th June 2025 12:44 GMT Acrimonius
Verifying true callers
When you call HMRC you are asked your NI number, name/username, address/post code, DOB, email address and contact cell/phone. Did they not know all of this and more can be stolen so they should never take any kind of instructions via a call, if indeed this was happening. Also, given that credentials can be easily stolen they should also not accept any log-in without MFA. All old hat now. They say they continuously enhance security measures to tackle evolving fraud tactics. They appear to be lagging a few evolutions.
So how much of the 47M was recovered?
Thursday 5th June 2025 17:37 GMT nobody who matters
Re: Verifying true callers
"... they should also not accept any log-in without MFA"
These were previously non-activated accounts - it appears that the criminals were able to provide sufficient identity information to be able to activate them, therefore any MFA would also be set up for the first time by the criminals and therefore directed to the criminal's device.
It seems therefore that it is the initial identity verification where there is a problem (as you infer - not being thorough enough in the range of identity information they ask for), not with any MFA once the account has been activated.
Thursday 5th June 2025 12:45 GMT elsergiovolador
Piñata
Every digital failure like this becomes a funding event. "We’ll invest more in IT security" means more contracts for the usual consultancy suspects.
There’s no sign of sackings, no clawbacks, no contract penalties. Just soft language, delayed disclosure, and a promise to spend more. Failure has no cost - it generates revenue.
At this rate, HMRC isn’t a tax authority, it’s a money piñata. The more it gets hit, the more cash spills out - not to the public, but to the firms circling overhead with ready-made PowerPoints and day rates.
The incentive isn’t to fix anything - it’s to manage the optics until the next breach justifies the next round of funding.
Friday 6th June 2025 00:12 GMT cb7
I wonder when they're going to go after the big US tech firms that make £billions here yet pay a pittance in UK corporation tax?
That's £2Bn of lost tax revenue a year. And that was the figure for 2021.
https://www.taxwatchuk.org/seven-large-tech-groups-estimated-to-have-dodged-2bn-in-uk-tax-in-2021/