Asked by: Roz Savage (Liberal Democrat - South Cotswolds)
Question to the HM Treasury:
To ask the Chancellor of the Exchequer, how many HMRC online accounts were reported as (a) compromised or (b) subject to unauthorised access in each of the last three financial years.
Answered by Dan Tomlinson - Exchequer Secretary (HM Treasury)
Information relating to suspected or confirmed account compromise is recorded across different systems and teams, reflecting variation in how fraud presents across HMRC services and channels. As a result, HMRC is unable to provide a comprehensive breakdown of the number of accounts reported as compromised or subject to unauthorised access for each of the last three financial years in the format requested.
HMRC continues to strengthen its capability to identify, respond to and manage compromised accounts, including improving incident management processes and developing more joined‑up approaches to monitoring and response across services.
Asked by: Roz Savage (Liberal Democrat - South Cotswolds)
Question to the HM Treasury:
To ask the Chancellor of the Exchequer, what policy HMRC follows on suspending automated penalty notices and enforcement action in cases where a taxpayer's account has been compromised by a third party.
Answered by Dan Tomlinson - Exchequer Secretary (HM Treasury)
Since May 2025, HMRC has seen a significant increase in VAT fraud attempts relating to criminals compromising legitimate customer accounts. HMRC security teams actively investigate these incidents and work with experts across the department to continually strengthen the security of online services.
HMRC’s approach is to identify and prevent fraud upstream by strengthening perimeter controls to prevent fraudulent access to systems, applying effective risk‑based controls at the point of registration and repayment, and targeting the organised criminal groups behind these attacks. HMRC’s Cybercrime team works proactively to understand these threats and identify those responsible.
Where HMRC identifies that a taxpayer’s VAT account has been compromised by a third party, the department takes action to lock the digital account to prevent further unauthorised access and to mitigate any adverse impact on the customer.
HMRC contacts the customer to explain what has occurred, the action taken to correct their account, and any steps the customer needs to take. Until recently, customers were asked to appeal any penalties or interest incurred. However, the process has been adjusted so that any incorrect penalties are now inhibited and removed.
Once the customer regains access to their account, HMRC provides appropriate support and allows additional time for the customer to submit updates and returns without accruing penalties.
Asked by: Roz Savage (Liberal Democrat - South Cotswolds)
Question to the HM Treasury:
To ask the Chancellor of the Exchequer, what steps HMRC is taking to improve information-sharing between its fraud investigation and customer service functions in cases involving compromised taxpayer accounts.
Answered by Dan Tomlinson - Exchequer Secretary (HM Treasury)
HMRC is establishing the Fraud Prevention Centre (FPC), a multifunctional capability led by HMRC’s Security directorate, to improve coordination between customer service, fraud investigation and security teams when taxpayer accounts are compromised. Through the FPC, HMRC is improving customer reporting routes, strengthening incident management processes across teams, and deploying targeted technical enhancements to support more joined-up handling of cases and enhanced support for affected customers.