
Breach at IRS Exposes Tax Returns

The Internal Revenue Service said Tuesday that identity thieves used one of its online services to obtain prior-year tax return information for about 100,000 U.S. households, a major breach of the agency charged with safeguarding taxpayers’ privacy.

About 104,000 attempts successfully accessed earlier returns, and an additional 100,000 attempts were unsuccessful, the agency said.

The incident, which echoes similar problems earlier this year in some states, highlights the growing risks from cybersecurity breaches to both individuals and the government. The agency believes fewer than 15,000 refunds were paid as a result of the frauds, and the total paid out was under $50 million.

The IRS said that to access the information, crooks had to clear a multistep authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The process also involved answering personal identity-verification questions, such as “What was your high school mascot?”

IRS Commissioner John Koskinen suggested that social media might have played a role in answering these so-called “out-of-wallet” questions.

Thieves hope access to full tax returns could give them key information for future fraudulent efforts that wouldn’t be detected by IRS filters, he added. The information was obtained from an IRS application known as “Get Transcript” that allows taxpayers to access prior-year returns. The thieves then used the data to fashion a fake return for 2014, and requested the IRS send a tax refund to a hard-to-trace debit card.

Mr. Koskinen stressed that the penetration was the result of organized crime, not “one-off” hacking. The agency said the matter is under review by the IRS inspector general as well as its Criminal Investigation unit. In addition, the Get Transcript application has been shut down temporarily.

The IRS said it would provide free credit-monitoring services for the approximately 100,000 taxpayers whose accounts were accessed, and it said it would notify the 100,000 or so other taxpayers about the unsuccessful attempts to access their data.

The agency’s top leaders sought to emphasize that the breach didn’t involve the IRS’s core accounts, such as its filing system, which remain secure.

The IRS has said in recent months that funding cuts have hampered its ability to improve fraud detection. Congress has cut the agency’s budget to under $11 billion for fiscal 2015 from more than $12 billion five years earlier. The Obama administration is seeking almost $13 billion for 2016.

Original Story at the Wall Street Journal