Cyber criminals gained access to 300 myIR accounts over two weeks but no financial losses were reported, Inland Revenue says.

The tax agency said it noticed a significant increase in malicious logon attempts last month, with more than 500,000 such efforts.

“Inland Revenue believes two-step verification, rolled out last year to give an added layer of protection, prevented access to most accounts. However, around 300 myIR accounts which did not have 2SV set up were accessed,” Inland Revenue said.

“Those 300 accounts have been closed, and we are monitoring up to 900 accounts where a correct password was entered, but two-factor authentication prevented access.”

Inland Revenue said it is contacting the 300 affected customers to let them know unusual activity on their account was detected.

“That will be followed up with a letter letting them know what has happened and how to get support from us if needed.

“We believe people had used the same credentials [username and password] on their myIR account as they use on other, less secure, sites,” Inland Revenue said.

“Username and password combinations from less secure systems are frequently distributed and sold online, highlighting the importance of using unique passwords for every site.”

Inland Revenue urged people not to use the same password on multiple sites and to set up two-step verification for myIR.