The BBC reports that fraudsters are exploiting taxpayers' passwords to access an online Inland Revenue system in attempts to make fraudulent claims for tax refunds. They presumably obtain the passwords by stealing the notification letters from the post or carelessly discarded in rubbish bins, by tricking people out of them (perhaps by social engineering or phishing), or perhaps most worryingly for the tax authorities, hacking their lovely online and/or back-end IT systems.
It's hard to imagine that taxpayers would deliberately discard letters with login credential that might let them reclaim overpaid tax, but its possible some do not even realise that they are able to do so. I doubt the tax man says this in big bold print! We know from studies by the Police and other dumpster divers that many people routinely discard all sorts of juicy documents without a care.
Stealing mail from the postal system is certainly a possibility, although of course there are controls in place to prevent this kind of thing. Rogue postal workers sometimes get the blame. Fraudulent redirection of post and theft from mailboxes also occur from time to time.
It's interesting that the possibility that someone might have been hacking the tax systems is not even mentioned by the BBC or the Revenue's spokesperson. Perhaps it's just too horrific to countenance?