The Internal Revenue Service said Tuesday that identity
thieves used one of its online services to obtain prior-year tax return
information for about 100,000 U.S. households, a major breach of the agency
charged with safeguarding taxpayers’ privacy. The agency said cybercrooks used
stolen Social Security numbers and other specific data acquired from elsewhere
to gain unauthorized access to the tax-agency accounts, beginning in February
and continuing through mid-May.
About 104,000 attempts successfully accessed earlier
returns, IRS Commissioner John Koskinen said. An additional 100,000
attempts were unsuccessful. The incident, which echoes similar problems earlier
this year in some states, highlights the growing risks from cybersecurity
breaches to both individuals and the government. It particularly reflects
crooks’ ability to carefully aggregate vast amounts of personal data from
multiple sources, and plan and execute highly sophisticated schemes.
The agency believes fewer than 15,000 refunds were paid as a
result of the frauds, and the total paid out was under $50 million. But in a
statement, the IRS said it is possible that some of the stolen tax transcripts
were being stockpiled, “with an eye toward using them for identity theft for
next year’s tax season.” The IRS said that to access the information, crooks
had to clear a multistep authentication process that required prior personal
knowledge about the taxpayer, including Social Security information, date of
birth, tax filing status and street address before accessing IRS systems.
The information was obtained from an IRS application known
as “Get Transcript” that allows taxpayers to access prior-year returns. The
thieves then used the data to fashion a fake return for 2014, and requested the
IRS send a tax refund to a hard-to-trace debit card. Mr. Koskinen stressed that
the penetration was the result of an organized crime, not “one-off” hacking.
The agency said the matter is under review by the IRS inspector general as well
as its Criminal Investigation unit. In addition, the Get Transcript application
has been shut down temporarily.
The IRS said it would provide free credit-monitoring
services for the approximately 100,000 taxpayers whose accounts were accessed,
and it said it would notify the 100,000 or so other taxpayers about the
unsuccessful attempts to access their data. The agency’s top leaders sought to
emphasize that the breach didn’t involve the IRS’s core accounts, such as its
filing system, which remain secure. But some lawmakers were irate, and the
long-term impact of the incident on the tax agency—already under fire from
Republicans for alleged targeting of tea-party and other conservative
groups—could be significant. IRS officials have denied any political
motivations behind scrutiny of groups seeking tax-exempt status.
The IRS has said in recent months that funding cuts have
hampered its ability to improve fraud detection. Congress has cut the agency’s
budget to under $11 billion for fiscal 2015 from more than $12 billion five
years earlier. The Obama administration is seeking almost $13 billion for 2016.
The troubles with the Get Transcript application echo problems that surfaced
this year with some state tax systems. In February, Utah state tax officials found
that a few fraudulent 2014 state returns closely resembled 2013 returns. The
similarities made the fraud harder to detect and suggested that scammers had
access to the taxpayers’ 2013 returns.
Click here to access the full
article on The Wall Street Journal.