Tax fraud on an XXL scale: systematic identity theft
It is a case that makes even hardened IT forensics experts wince: over 56 million euros have gone straight from the British tax budget into the hands of criminals. The trick? Simple, but highly effective: phishing - tricking people into handing over their login details - followed by identity theft.
The attackers gained access to around 100,000 user accounts, either by taking over existing ones with forged emails or by registering new fake accounts. They then used the online portal of the British tax authority HMRC to apply for tax refunds in the names of unsuspecting citizens - refunds that were never due, but were paid out anyway.
"Only" 0.2 percent - but 100,000 people affected
John-Paul Marks, the new head of the UK tax authority, had to justify this massive misuse of data to Parliament's Treasury Committee. His message: it is not as bad as it sounds, since "only a small proportion" of the population is affected, just 0.2 percent. What goes a little under the radar is that this is around 100,000 people - and 47 million pounds that are now missing.
At least the taxpayers in whose names the fraud was committed are not liable themselves. The lost sum is not without consequences, however: it will be covered from general tax revenue. In other words, everyone pays for the mistake.
How could this happen?
This is exactly what the whole of the UK is currently asking - and so far it is getting no real answers. The tax authority is keeping quiet about the technical details:
- How did the phishers get the access data?
- How could the payments go through unnoticed?
- And how can something like this be prevented in future?
One thing is certain: HMRC's internal systems were not hacked directly. The data theft apparently took place beforehand, probably via phishing emails that harvested personal information and login details, which then made the fraudulent claims possible. The authority speaks of "organized crime" that is said to have operated internationally. The first arrests have apparently already been made.
Communication? Largely absent
Particularly awkward: while the attacks were going on, the authority's telephone system also failed. Taxpayers who needed help could not get through. And the members of the British parliament only learned of the wave of fraud after a delay. The reaction: anger, bewilderment - and the impression that digitalization is outpacing the authorities.
Deputy Chief Executive Angela MacDonald put it in a nutshell:
"That's a lot of money, and it's completely unacceptable."
What do we make of this?
Sorry, but this is more than just an IT glitch - it is an indictment of digital public administration. If criminals can use around 100,000 accounts unnoticed to extract millions, then something is fundamentally wrong with the system.
And the authority's point that "its own databases were not hacked" is little consolation. If anything, it shows how easily digital services can be exploited through social engineering and a lack of security controls - for instance, checks that would flag a refund claim whose payout details were changed shortly before it was filed.
Our conclusion: digitalization yes, but with a security update, please. Because at the end of the day, it is not just about data, but about trust in the state. And that can be ruined at the click of a mouse.