Breach at IRS Exposes Tax Returns 

IRS-building

Thieves used agency’s online services to get information for about 100,000 households

The Internal Revenue Service said Tuesday that identity thieves used one of its online services to obtain prior-year tax return information for about 100,000 U.S. households, a major breach of the agency charged with safeguarding taxpayers’ privacy.

The agency said cybercrooks used stolen Social Security numbers and other specific data acquired from elsewhere to gain unauthorized access to the tax-agency accounts, beginning in February and continuing through mid-May.

About 104,000 attempts successfully accessed earlier returns, IRS Commissioner John Koskinen said. An additional 100,000 attempts were unsuccessful, the agency said.

The incident, which echoes similar problems earlier this year in some states, highlights the growing risks from cybersecurity breaches to both individuals and the government. It particularly reflects crooks’ ability to carefully aggregate vast amounts of personal data from multiple sources, and plan and execute highly sophisticated schemes.

The agency believes fewer than 15,000 refunds were paid as a result of the frauds, and the total paid out was under $50 million, Mr. Koskinen said. But in a statement, the IRS said it is possible that some of the stolen tax transcripts were being stockpiled, “with an eye toward using them for identity theft for next year’s tax season.”

The IRS said that to access the information, crooks had to clear a multistep authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The process also involved answering personal identity-verification questions, such as “What was your high school mascot?”

Mr. Koskinen, when asked how impostors obtained answers to these so-called “out-of-wallet” questions, suggested social media might have played a role.

“This is not a hack or data breach. These are impostors pretending to be someone who has enough information” to get more, said Mr. Koskinen, who said thieves might be using sophisticated programs to aggregate and mine data.

Thieves hope access to full tax returns could give them key information for future fraudulent efforts that wouldn’t be detected by IRS filters, he added.

“Five years of all kinds of data breaches are coming home to roost,” said Neal O’Farrell, founder of the Identity Theft Council in Walnut Creek, Calif., who has been involved in cybersecurity for more than 30 years. “Thieves have so much data about so many consumers that they are now able to join the dots and fill in the blanks. They have big, undetectable malware that breaks in, finds the best information, analyzes and bypasses security.”

The information was obtained from an IRS application known as “Get Transcript” that allows taxpayers to access prior-year returns. The thieves then used the data to fashion a fake return for 2014, and requested the IRS send a tax refund to a hard-to-trace debit card.

Vicki Niesen, a resident of Houston, said she and her husband learned last week that they had been victims of fraudsters using Get Transcript when an IRS check for $26,424 arrived at their home—even though the couple paid tax due on April 15.

“When we tried to get a transcript, my husband was blocked, but I could see the fraudulent return,” Ms. Niesen said. “At least the IRS refused to do direct deposit and sent us the check instead.” She said she returned the check, as instructed by the IRS.

Mr. Koskinen stressed that the penetration was the result of an organized crime, not “one-off” hacking. The agency said the matter is under review by the IRS inspector general as well as its Criminal Investigation unit. In addition, the Get Transcript application has been shut down temporarily.

The IRS said it would provide free credit-monitoring services for the approximately 100,000 taxpayers whose accounts were accessed, and it said it would notify the 100,000 or so other taxpayers about the unsuccessful attempts to access their data.

The agency’s top leaders sought to emphasize that the breach didn’t involve the IRS’s core accounts, such as its filing system, which remain secure. They said that the incident wasn’t technically a data breach but instead represented a successful exploitation of an IRS application.

But some lawmakers were irate, and the long-term impact of the incident on the tax agency—already under fire from Republicans for alleged targeting of tea-party and other conservative groups—could be significant. IRS officials have denied any political motivations behind scrutiny of groups seeking tax-exempt status.

Sen. Orrin Hatch (R., Utah), chairman of the Senate Finance Committee, termed the breach “devastating” in a statement.

“That the IRS—home to highly sensitive information on every single American and every single company doing business here at home—was vulnerable to this attack is simply unacceptable,” Mr. Hatch said. “What’s more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves.”

Rep. Paul Ryan (R., Wis.), the House Ways and Means Committee chairman, added that the incident was “deeply concerning.”

The IRS has said in recent months that funding cuts have hampered its ability to improve fraud detection. Congress has cut the agency’s budget to under $11 billion for fiscal 2015 from more than $12 billion five years earlier. The Obama administration is seeking almost $13 billion for 2016.

The troubles with the Get Transcript application echo problems that surfaced this year with some state tax systems. In February, Utah state tax officials found that a few fraudulent 2014 state returns closely resembled 2013 returns. The similarities made the fraud harder to detect and suggested that scammers had access to the taxpayers’ 2013 returns.

The newly disclosed IRS incident shows that refund fraud “is a challenge shared by the federal government, state governments and tax preparation professionals,” said Verenda Smith, a spokeswoman for the Federation of Tax Administrators. “The good news here is that we already recognized that our individual efforts to combat refund fraud can’t be as good as our combined efforts.”

Source: WSJ – Breach at IRS Exposes Tax Returns

Leave a Comment


Broker Cyprus TopFX