[IMGCAP(1)]The unthinkable happened to me. My office was burglarized and a computer stolen containing all of my clients’ personal information! This is my cautionary tale for my colleagues—we have become targets in the IRS identity theft epidemic.
On Saturday, Dec. 1 2012, I worked in my office that day catching up on work. I left the office around 6 pm. At around 10:32 pm my security company called to alert me that my alarm had tripped, and there was someone in the office.
I was frantic and rushed to my office. Upon my arrival, there were no police in sight yet (they were changing shifts at 10:30 pm). Not thinking clearly, my son and I entered the office and looked around. We walked back to my desk, and my heart sank to see that my computer was gone! I was devastated and could not fathom what was happening.
Finally, 10 minutes later the police arrived, and we ascertained the thieves came through a window. A statement was given and fingerprints were taken. Were the crooks after the data or hardware? I wanted desperately to believe the latter. I was conflicted as to the next steps to take.
It became apparent to me as the investigation progressed and the detective informed me the crook’s email address contained “taxman.” My heart sank! I knew deep inside that I must write that dreaded letter to inform my clients of the data breach because the crooks appeared to be professionals. As a result, the detectives continued to hit roadblocks.
I know my clients so intimately, and I could just imagine the looks on each of their faces when they learned of the data breach. Some were my neighbors and friends. How could I begin to reveal this misdeed and prepare for the impending questions? How was my data protected? How did this happen? What information was on my computer? I knew these questions deserved answers.
My fear intensified, feeling those 14 years of hard work were threatened by a security breach. Would my clients suffer financial losses? How would this affect my business? Finally, I became resigned to the fact that it must be done. I would woman up and take on the heat. I would listen to their concerns, stick to the facts, and provide whatever assistance I could.
My worst fears became a reality in February when my returns were being rejected, because someone had already used the Social Security numbers, and then I learned the crooks were using the same software (ATX) as I was using!
My clients gave me power of attorney, and I started pulling tax return transcripts on e-services, which showed the PTIN of the criminals. I quickly called the IRS identity theft unit and provided them with the number, hoping the IRS could shut it down. Despite all my efforts, the IRS continued to issue refunds to the crooks.
During this time, I contacted the Treasury Inspector General for Tax Administration, the IRS’s Criminal Investigation Division and the IRS identity theft unit, to no avail. I learned my case was not significant enough yet. TIGTA stated that they only handle crimes against IRS employees, and CID only looks at a case over $150,000.
I honestly felt I was adrift in an ocean without the possibility of rescue. Out of desperation, I wrote a letter to my congressman to bring attention to the unfolding events. His office initiated contact with the Georgia Department of Revenue’s Special Investigative Unit, which started the wheels turning. GDOR assigned my case to a special agent, an effort that allowed collaboration with a specific person to better assist my clients on the state ID theft aspect.
For the IRS, ID theft really is a conundrum. The taxpayers’ estimated tax payments get refunded to the criminals, while notices are sent to clients asking them to repay the money refunded to criminals or they receive a request for additional information to process the fraudulent tax returns. Further, tax balances are wiped out due to the erroneous refunds applied.
I thought this was an isolated case for two months. I wondered who could have done this to me. Did I have an angry client? The breakthrough came in February when another accountant was on the local news because her office had also been burglarized and many of her tax returns were being rejected too. Hearing there was another accountant, I could see the $150,000 level needed for IRS CID to investigate would quickly become a reality.
The ongoing investigation has revealed that three suburban Atlanta tax offices were burglarized in December, which ironically is too late for potential victims to receive an IRS identity theft PIN number. Were the criminals aware of IRS procedures and carefully planned the break-ins? As a result of the break-ins, there are currently over 600 victims and $3 million in fraudulent refunds have been issued. Local and national news covered the story. Some authorities say the figures are much higher.
I think the IRS and local law enforcement should implement the following practices:
• Local law enforcement should be mandated to report such crimes to IRS CID; because this was not done, local law enforcement believed each break-in was an isolated case as the thefts occurred in different municipalities.
• Create a special IRS unit or hotline for tax professionals to report data-breach crimes, and assign the cases to an IRS ID theft representative.
• Immediately flag those potentially vulnerable accounts.
Going forward, I have greatly improved my security. Moreover, I have learned the majority of my clients are compassionate and understanding people. Further, building a business based on integrity, hard work, professionalism and dedication really does matter in the end. No matter the ultimate fate of my business, I can feel confident knowing I did my best.
Although IRS sources confirm other accountants have experienced a similar situation, I only learned of one prosecuted criminal case on the IRS Web site regarding a tax office break-in. Are they suffering in silence? Therefore, I would be remiss if I did not warn my colleagues to step up their efforts to protect their clients’ data.
Priscilla Diggs-Costen, EA, MBA, is president of Costen Tax Group Inc., in Kennesaw, Ga.