Thieves stole 220,000 more individual tax records from IRS computer system than feds first thought
Image from Shutterstock.
Add another 220,000 individuals to the list of those who face potential identity-theft issues due to a breach of online tax return records maintained by the Internal Revenue Service.
Now shut down, the IRS Get Transcript page was intended to make it easy for people to access their own tax records. But thieves who were able to plug in information such as the individual’s date of birth, social security number and street address were able to get detailed financial information for a total of about 334,000 taxpayers, officials announced this week. Earlier, the IRS said only around 100,000 were affected by the security breach.
Additional news that the breach began months before the IRS at first said it did “is not confidence-inspiring,” said Rep. Peter Roskam, a Republican from Illinois. He chairs the House Ways and Means subcommittee that is in charge of the IRS, reports the Wall Street Journal (sub. req.).
“As it did in May, the IRS is moving aggressively to protect taxpayers whose account information may have been accessed,” said the IRS said in a written statement. “The IRS will begin mailing letters in the next few days to about 220,000 taxpayers where there were instances of possible or potential access to ‘Get Transcript’ taxpayer account information.”
In May, when the breach was first announced, the IRS said it would provide free monitoring and special passwords to those affected. The IRS will also enhance its taxpayer-identity authentication protocols, the most recent announcement promises.
However, authentication-based systems are problematic because they permit anyone with the right personal information to gain access, says Jeff Hill of STEALTHbits Technologies, a cybersecurity firm.
“Here we have a case where a successful authentication-based attack was discovered in May, and yet the IRS is still unclear of the extent of the breach’s damage months later,” he told USA Today. “Even now, how confident is the IRS they fully understand the extent of the attack completely, or should we expect yet another shoe to drop in the coming weeks?”
Although there have been relatively few reports, so far, of tax-refund fraud attempts based on the breached records, IRS officials say the information obtained is more likely to be used to try to obtain refunds fraudulently in 2016, Reuters reports.
Related coverage:
ABAJournal.com: “IRS tax records for 100,000 people accessed by third parties who knew what personal info to plug in”
