PAC Urges HMRC Transparency After Major Phishing Attack

The Public Accounts Committee pressed HMRC's CEO for answers after a £49 million phishing attack impacting 100,000 taxpayers, demanding improved transparency, communication, and cyber resilience within the tax authority.
June 12, 2025
Charles Davies

PAC Puts Spotlight on HMRC After Major Phishing Scandal

The chair of the Public Accounts Committee (PAC) has pressed the new CEO of HMRC, John-Paul Marks, on the tax authority’s recent £49 million phishing scandal, demanding greater openness and accountability in its response to cyber threats.

A Rapidly Escalating Incident

The hearing, initially focused on tax collection from the UK’s wealthiest, started with tough questions after last week’s revelation that hackers had targeted 100,000 HMRC online accounts in a sophisticated phishing attack. The breach, which saw scammers fraudulently claim around £49 million, has prompted immediate concern about both the scale of the attack and HMRC’s subsequent handling of the incident.

Chair Geoffrey Clifton-Brown opened proceedings, referencing a letter from Marks dated 10 June—publicly released just two days later—detailing HMRC’s efforts to contain the breach, alert affected taxpayers, and strengthen its defences. However, MPs voiced concerns that communication with the public and Parliament was neither timely nor sufficiently thorough.

Core Issues Raised in Committee

The PAC directed a number of probing questions at HMRC’s leadership, focusing on:
  • Notification delays: Why did HMRC take several days to inform Parliament and the wider public about the breach?
  • Incident response protocol: What immediate steps were taken following the discovery of the phishing activity?
  • Cybersecurity preparedness: How is HMRC updating its cyber defences to prevent similar breaches in the future?

The Conversation in Westminster

Geoffrey Clifton-Brown underscored the gravity of the situation:

“Transparency from government agencies is vital in maintaining public trust, especially when millions of pounds and taxpayer data are at risk.”

John-Paul Marks offered reassurances regarding the measures put in place. He committed to:

  • Enhancing early-warning systems for future attacks
  • Strengthening cooperation with law enforcement and cyber experts
  • Providing regular updates to Parliament and the public on mitigation measures

Wider Implications and Sector Response

The breach comes amid wider criticism, with MPs labelling HMRC’s digital infrastructure as outdated. Stakeholders—including tax professionals and accountancy bodies—have called for:
  • Increased investment in cyber resilience
  • Transparent reporting of incidents
  • Accelerated modernisation of key HMRC systems

What Happens Next?

HMRC insists that no further taxpayer funds are at direct risk, and affected individuals are being contacted about additional protections. The PAC has requested a full timeline of the authority’s response actions and is expected to hold further hearings to monitor progress.

For taxpayers and businesses: Remain vigilant for suspicious communications purportedly from HMRC. Those potentially affected will receive official contact, with guidance on protecting accounts and identifying phishing attempts.

Key Resources and Further Reading

| Topic | Resource Link |
| --- | --- |
| HMRC online account security | [View Guidance](https://www.gov.uk/guidance/sign-in-to-your-hmrc-account) |
| Latest on the PAC hearing | [UK Parliament Committees](https://committees.parliament.uk/committee/127/public-accounts-committee/) |
| Tips for avoiding phishing scams | [National Cyber Security Centre](https://www.ncsc.gov.uk/collection/phishing-scams) |

A Critical Moment for HMRC

The PAC’s intervention sends a clear signal: as digital threats evolve, public sector bodies like HMRC must prioritise transparency, rapid communication, and robust technological defence. Building and maintaining taxpayer trust depends on it.

Next Steps for Readers:

  • Monitor official HMRC communications for updates
  • Review internal cybersecurity practices in light of recent events
  • Stay alert to further developments from the PAC and HMRC

The way HMRC addresses this incident will be a key test of its commitment to both public accountability and digital security.
