HMRC admits 100,000 taxpayers’ data breached by organised crime

Organised criminals have accessed the records of approximately 100,000 taxpayers, leading to an estimated £47 million loss for HM Revenue and Customs (HMRC).

The breach, which occurred last year, was not a direct cyber attack on HMRC’s systems but rather the result of multiple sophisticated phishing attacks targeting individuals’ online tax accounts. Officials informed the Treasury committee that these attacks were orchestrated by several organised crime gangs over an extended period and were “designed to extract money” from the tax authority.

This incident comes as HMRC has been actively encouraging millions of taxpayers to manage their affairs online through its Making Tax Digital initiative.

HMRC has stated it has now secured the affected accounts, deleted existing log-in credentials, and is in the process of contacting impacted individuals. Letters are expected to reach those affected by 25 June, assuring them they do not need to take any action and have not personally lost any money.



News of the breach emerged on the same day HMRC experienced significant disruptions to its phone lines, initially allowing only those with a specific number provided in the notification letters to contact them.

The handling of the situation drew criticism from Dame Meg Hillier, chair of the Public Accounts Committee. During a Treasury committee meeting, she questioned HMRC chief executive John-Paul Marks about why the UK Parliament had not been formally notified of the breach sooner, saying that the committee should not have to learn such significant information from media reports. Mr Marks stated that HMRC had not yet formally written to the committee but was prepared to do so.

It is understood that criminals employed various tactics to obtain taxpayers’ log-in details, including phishing scams and leveraging data from previous, unrelated security leaks.

An HMRC spokesperson reiterated that they are writing to affected customers to provide reassurance that their accounts are secure and they have not incurred any financial loss.
