Cybersecurity

IRS tax records for 100,000 people accessed by third parties who knew what personal info to plug in

  •  
  •  
  •  
  •  
  • Print.

IRS

Image from Shutterstock.

The Internal Revenue Service has temporarily shut down a service that allowed individuals to access their own tax-return information for former years online. That’s because third parties who knew what personal information to plug in used the IRS webpage to access tax records for over 100,000 people between February and May.

By entering information such as the taxpayer’s name, street address, Social Security number, date of birth and tax filing status onto the IRS Get Transcript page, third parties were able to access the tax records of others, the Associated Press reports.

IRS Commissioner John Koskinen said during a Tuesday press conference that the information obtained was used by identity thieves to file fraudulent tax returns. Only about 15,000 were actually processed, the Washington Post (reg. req.) reports.

A note on the Get Transcript page says taxpayers must now write to get tax information. Formerly, the page could be used to view “line-by-line tax return information or wage and income reported to us for a specific tax year,” the Get Transcript page says.

The IRS will notify those whose information was accessed by others. The website that handles the filing of tax returns was not affected.

Some 200,000 attempts accessed over 100,000 individuals’ tax information before information technology personnel at the IRS noticed unusual activity and shut off access via Get Transcript, the IRS said. Meanwhile, some 23 million Get Transcript records were downloaded without incident by those who were supposed to get them.

A 2013 report by the Treasury Inspector General for Tax Administration discusses e-verification security issues the IRS was then facing.

“The IRS should develop better procedures to provide taxpayers with secure online access to their tax account information,” says a press release by the inspector general’s office summarizing the report.

The Risk Assessment/Security & Hactivism page of Ars Technica and the Washington Times also have stories.

Give us feedback, share a story tip or update, or report an error.