
MPs ‘alarmed’ by HMRC failure to notify £47m phishing attack

Will Drysdale, Senior Reporter, Business & Accountancy Daily
Jun 17

The chair of the Treasury committee has sent a scathing letter to the newly appointed CEO of HMRC after he failed to tell MPs about a large-scale phishing attack affecting 100,000 taxpayers.


Dame Meg Hillier and the rest of the Treasury Committee were shocked to be made aware of a phishing attack that impacted up to 100,000 taxpayers and stole at least £47m, only finding out about the incident midway through the committee hearing on 4 June.


In a tetchy hearing with HMRC officials, Hillier closed the committee hearing by criticising the lack of transparency from the tax authority.


Hillier said: ‘Clarity of communication is important, and I would just stress again your accountability, Mr Marks and HMRC’s, to parliament and through us to taxpayers is not an optional extra. It is something which should be absolutely fundamental.’


On 10 June a follow-up letter was sent directly to HMRC’s newly appointed CEO, John-Paul Marks (JP), expressing disappointment from the Treasury Committee after it found out about the phishing attack through a press report, and not directly from HMRC.


Committee chair, Dame Meg Hillier said: ‘I am alarmed that it was never deemed necessary to inform parliament about an issue which affected such a vast number of taxpayers and led to the loss of £47m of public money.


‘To discover this information during a session from press reports and without adequate time for the Committee to review the information in detail is unacceptable.’


The MP for Hackney South and Shoreditch also wanted reassurance from HMRC that the decision not to notify the Committee was an ‘accidental oversight’ and not a ‘deliberate action’.


The committee was informed of the breach while the meeting was ongoing, through a series of tweets and emails from Business & Accountancy Daily, after it was spotted at the bottom of a document published the same day on HMRC’s website.


Along with sharing her disappointment with HMRC and Marks, Hillier asked 12 questions regarding the phishing attack, insisting on being informed of every detail around it.


She firstly asked why parliament as a whole was not notified when the phishing attack took place, as it had taken place throughout 2024.


Then, the MP asked why no press release was published to notify the public, and also why the guidance was published on the same day as the Committee meeting.


Hillier asked if anyone else in the government had been told about the incident, asking if anyone in the Treasury had been told and also when.


Additionally, Hillier demanded to know when the board of HMRC was made aware of the incident, as this includes minister James Murray MP, who is chair of HMRC alongside his role as exchequer secretary to the Treasury with responsibility for tax in the government.


Hillier has also asked for the exact timeline of the incident to be set out, including how and when HMRC was made aware of the incident, how it responded, and how it intends to prevent further losses of the public’s money and of confidential information on the public held by HMRC.


The chair of the Treasury committee also wanted to know if the National Crime Agency (NCA) had been notified, and whether there have been similar instances of this before that led to financial loss.


During the committee hearing, HMRC told MPs that it had been working with accountancy and regulatory bodies about the incident, but correspondence between ACCA and the committee confirmed that ACCA was never notified of the incident. Hillier has asked for clarification on which bodies HMRC had worked with.


Hillier has demanded an answer by 24 June at the latest, asking Marks, the new HMRC boss, to include Geoffrey Clifton-Brown, chair of the Public Accounts Committee, in the response.


ICAEW has confirmed to Business & Accountancy Daily it has had no discussions with HMRC about the phishing incident.


A CIOT spokesperson has now told Business & Accountancy Daily: 'We were told in August last year (in confidence at a stakeholder forum) that there was an issue relating to the security of some personal tax accounts. We had not initially connected last week’s announcement to that but we now understand from HMRC that this is the same issue.


'Additionally CIOT and ATT have both been involved in discussions with HMRC about some agent accounts being compromised for some time.


'In August last year we became aware as a result of a LinkedIn post (and people contacting Tax Aid) of letters going out claiming to be from HMRC as part of a scam. CIOT posted a warning at Warning of tax scams | Chartered Institute of Taxation. LITRG and ATT posted similarly. We are not sure whether this is related to the scam highlighted last week.


'In any case we weren’t aware of the widespread compromising of taxpayer accounts in the manner described until 4 June but we were briefed by HMRC that afternoon.'



 
 
 
