IRS Detects Massive Data Breach in 'Get Transcript' Application

The Internal Revenue Service warned of a huge data breach of its online Get Transcript application that allowed the tax returns of approximately 104,000 taxpayers to be accessed by identity thieves.

The IRS said Tuesday that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on the tax accounts through the Get Transcript application. The data included Social Security information, birth dates and street addresses.

Third parties gained enough information from outside sources before trying to access the IRS site, allowing them to clear a multi-step authentication process, including several personal verification questions that typically are only known by taxpayers themselves.

The matter is under review by the Treasury Inspector General for Tax Administration, along with the IRS’s Criminal Investigation unit, and the Get Transcript application has been shut down temporarily. The IRS said it would provide free credit monitoring services for the approximately 104,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.

“What we have is the latest more sophisticated manifestation of a form of identity theft in the sense that we’ve detected and determined that there was unauthorized access to our Get Transcript application,” IRS Commissioner John Koskinen said during a conference call with reporters Tuesday. “That unauthorized access ran from February to May. The Get Transcript application gets you previous filings of tax returns. To try to get through to get that transcript, the criminals had to already have stolen Social Security numbers, names, addresses, and other personal identifiers available and then they had to have enough personal information for each taxpayer to be able to get through the personal-related questions, the so-called ‘out of wallet questions.’”

Koskinen noted that the IRS had about 23 million successful downloads of the Get Transcript application during the filing season, and has identified that there were attempts by identity thieves to get access to the prior tax returns of about 200,000 taxpayers.

“About 100,000 were unsuccessful,” he added. “They could not work through the barriers that we had established, but unfortunately about 104,000 did get through and were able to access earlier tax returns. Those tax returns have basic tax information on them and are mostly used to file a better fraudulent tax return for a refund.”

Koskinen pointed out that the IRS’s filters have gotten increasingly sophisticated, and this year the IRS stopped nearly 3 million suspicious returns “at the door” rather than accepting them for filing and then followed up with taxpayers to authenticate them.

“But those filters depend upon anomalies, and so to the extent that a fraudulent return can look closely like a previously filed tax return, you have a better chance of getting through the filters,” he said. “We think—and we have a lot more analysis that we have to do—that a relatively small number of these incidents, where the 104,000 transcripts were available, turned themselves into refund frauds that were paid out this year, but our real concern is the 200,000 taxpayers. We think that all of them, even those where no-one accessed their earlier returns, need to receive a notice from us advising them of the fact that their Social Security numbers and personal information is in the hands of criminals. All of them will get that notice.”

With the 104,000 where access was gained to their returns, the IRS will provide them with credit-monitoring as well, he added, and for all 200,000 the IRS will mark them in its system to protect the taxpayers against anyone subsequently filing a false return, either this summer or next filing season before they file.

“We greatly regret that this additional information is available to criminals, although as I say it’s primarily attractive for them to file fraudulent refunds going forward,” said Koskinen. “We’ve taken the Get Transcript application down late last week and we won’t put it back up until we’re satisfied that we’ve improved the security.”

He pointed out that the IRS faces the challenge of making the security questions stringent enough so that fraudsters won’t get through, while still enabling legitimate taxpayers to be able to get the tax transcripts when they need them for mortgage applications and the like.

“For the 23 million people who successfully downloaded their transcripts, we have a balance there of making sure they can continue, properly authenticated, to have access to those transcripts without having to either get them in person or call us and have them mailed to them,” said Koskinen. “That’s the situation we are facing. It is clear, as our criminal investigators note, their estimate is 80 percent of the identity theft and refund fraud we’re dealing with is related to organized crime here and around the world, and this is just another example. These are extremely sophisticated criminals with access to a tremendous amount of data. I would stress that this in no way has anything to do with our basic tax-filing system, the data that we have that we collected from 150 million people this year. All of that is secure. This is a single application that you have to have a lot of information to be able to try to access.”

He pointed out that this is not technically a security breach, since the IRS’s basic information is still secured, but it’s a modified form of identity theft, giving the criminals enough data to impersonate the taxpayer.

Senate Finance Committee Chairman Orrin Hatch, R-Utah, said his committee has been working with the IRS since hearing about the data breach late last week from Koskinen.

“Since learning of the breach, the committee has been working with the IRS to better understand the nature of the attack, what information was compromised, and how such a devastating breach could occur,” Hatch said in a statement Tuesday. “That the IRS—home to highly sensitive information on every single American and every single company doing business here at home—was vulnerable to this attack is simply unacceptable. What’s more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves. The first order of business is for the federal government to determine who was behind the attack and take aggressive action against them. Secondly, we must determine what information was stolen and how it will affect taxpayers. Finally, the Congress and the administration must work together to better protect taxpayer information from cyber threats. Taxpayers must know that the information they send to the IRS is secure. And hackers who would steal that information must know that they will suffer severe consequences for their crimes.”

Koskinen notified Hatch of the data breach late last week by phone, Hatch’s office noted, but as with other law enforcement sensitive matters, the committee did not disclose the breach because it relates to an ongoing investigation.

House Ways and Means Chairman Paul Ryan, R-Wisc., also released a statement upon learning of the IRS data breach. "While the committee is seeking more information about the situation, it's deeply concerning that taxpayer information has been compromised,” said Ryan. “Protecting the taxpayer is supposed to be the IRS’s top priority, and we need answers from them."

Rep. Sander Levin, D-Mich., the ranking Democrat on the House Ways and Means Committee, said he had also been briefed by Koskinen about the data breach. “I’ve been briefed by Commissioner Koskinen on Friday and again today, and he has expressed his strongest commitment to protecting taxpayer information,” Levin said in a statement. “He conveyed that a criminal investigation has been launched and the notification of taxpayers is underway. The commissioner also assured me that the IRS is reviewing its systems to get to the bottom of how an organized criminal syndicate was able to use taxpayer information stolen from non-IRS sources to access taxpayer data in the ‘Get Transcript’ system. It is important that members of Congress work together to ensure that the IRS has adequate resources to carry out the vital priority of protecting confidential taxpayer information.”

The 104,000 taxpayers whose Get Transcript accounts were accessed will receive free credit monitoring. The IRS said the taxpayers will receive specific instructions so they can sign up for the credit monitoring. The outreach letters will not request any personal identification information from taxpayers. In addition, the IRS is marking the underlying taxpayer accounts on its core processing system to flag for potential identity theft to protect taxpayers going forward. The letters will be mailed out starting later this week and will include additional details for taxpayers about the credit monitoring and other steps. At this time, the IRS said no action is needed by taxpayers outside these affected groups.

The IRS said it is also continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of those households filed taxes in 2015. The agency noted that it is possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season.

The IRS emphasized that this incident involves one application involving transcripts. It does not involve other IRS systems, such as core taxpayer accounts or other applications, such as Where’s My Refund. The IRS said it will be working aggressively to protect affected taxpayers and strengthen its protocols even further going forward.

For reprint and licensing requests for this article, click here.
Tax practice Technology Data security Tax fraud
MORE FROM ACCOUNTING TODAY