The head of HM Revenue and Customs (HMRC) has issued a stark warning that the UK's tax authority faces a significant and evolving threat from a potential malicious cyber attack.
Security Concerns Raised at Treasury Committee
Appearing before the influential Treasury Committee on January 13, HMRC's first permanent secretary and chief executive, John-Paul Marks, highlighted his deep concerns about system resilience. When asked about the issues that keep him awake at night, he pointed directly to the "underlying resilience and the security threat" facing the department.
Mr Marks explained that the threat environment is constantly changing and remains high, referencing previous discussions about organised crime targeting the PAYE system. He stated that while HMRC is actively working to bolster its defences, its operational plans could be seriously disrupted by a major security incident.
Building Resilience Amid Growing Workload
"Our plans could always be disrupted by some sort of malicious attack that we have to handle," Marks told MPs. "We are improving our underlying resilience to respond to those, but it is always a concern."
The warning comes as HMRC prepares for a surge in its workload. The chief executive noted that major tax changes on the horizon will likely increase demands on the service in the coming years. Despite these pressures, he reported some service improvements, with the authority now answering more phone calls more quickly than it did at the same time last year.
Digital Transformation and Revenue Protection
Mr Marks also provided an update on key initiatives designed to modernise the tax system and protect revenue. He highlighted that, according to Office for Budget Responsibility (OBR) forecasts, the tax gap—the difference between tax owed and tax collected—is projected to fall. A series of compliance packages are expected to secure an additional £10 billion in tax revenue.
A central part of this modernisation drive is the continued rollout of Making Tax Digital (MTD). This system requires certain taxpayers to maintain digital records and submit regular updates to HMRC. A significant milestone is approaching: from April 6, 2026, all businesses, self-employed individuals, and landlords with an annual income over £50,000 will be mandated to comply with these digital record-keeping rules.
The juxtaposition of a pressing cyber threat with an ambitious digital transformation underscores the critical balancing act HMRC faces in securing vital national systems while pushing forward with technological change.
