
The UK’s HM Revenue and Customs (HMRC) has revealed that organised crime groups stole £47m ($63.7m) through a phishing attack that compromised approximately 100,000 taxpayer accounts last year.
The breach, disclosed during a Treasury Select Committee hearing on 4 June, prompted HMRC to lock down affected accounts and launch an international criminal investigation.
The scam involved criminals using phishing campaigns to obtain personal information externally, which was then used to create fraudulent pay-as-you-earn (PAYE) accounts or access existing ones to claim illegitimate repayments.
HMRC’s chief executive, John-Paul Marks, told the committee, “This was organised crime phishing for identity data outwith of HMRC systems, so stuff that banks and others will also unfortunately experience, and then trying to use that data to create PAYE accounts to pay themselves a repayment and/or access an existing account.”
The attack, which affected 0.2% of the PAYE population, was not classified as a cyber-attack but rather an extended operation by multiple crime syndicates, according to HMRC officials.
Angela MacDonald, HMRC’s deputy chief executive, described the loss as significant, stating, “At the moment, they’ve managed to extract repayments to the tune of £47m. Now that is a lot of money, and it’s very unacceptable.”

However, she clarified that the breach did not involve data extraction or ransomware.
“The ability for somebody to breach your systems and to extract data, to hold you to ransomware and all of those things, that is a cyber-attack. That is not what has happened here,” The Guardian quoted MacDonald as saying.
HMRC confirmed that individual taxpayers suffered no financial loss, with Marks assuring MPs, “To be clear there has been no financial loss to those individuals”.
The £47m loss was borne by HMRC, representing a loss to public funds rather than to individual taxpayers.
HMRC responded by locking down compromised accounts, removing incorrect information from tax records, and deleting login details to prevent further unauthorised access, The Guardian’s report added.
The authority has notified or is in the process of notifying the 100,000 affected individuals, with letters to be sent over the next three weeks.
A criminal investigation led to arrests last year, and HMRC is collaborating with law enforcement agencies in the UK and overseas to pursue those responsible.
MacDonald told the committee that HMRC’s fraud team had protected £1.9bn from similar attacks in the last tax year.
MacDonald acknowledged the ongoing challenge, stating, “We are living in an environment where every single organisation was facing some kind of cyber threat.”
HMRC assured customers that the situation is under control and that no action is required from those affected.