IRS Sued for Data Breach

A group of law firms has filed a class-action lawsuit against the Internal Revenue Service on behalf of an estimated 330,000 taxpayers who were affected by a data breach in the IRS’s online Get Transcript application.

IRS Commissioner John Koskinen disclosed the data breach in May, estimating that the tax returns of approximately 104,000 taxpayers could have been accessed by identity thieves (see IRS Detects Data Breach in ‘Get Transcript’ Application). Last week, the IRS increased its estimate to 330,000 taxpayers (see Extra 220,000 Hit by IRS ‘Get Transcript Breach’). The data breach is suspected to be the work of hackers working for an organized crime ring abroad. In response, the IRS said it was offering free credit monitoring and ID protection PINs to the affected taxpayers.

However, the class-action lawsuit accuses the IRS of not doing enough to protect the security of its systems.

“At the time of the data breach of taxpayers’ information, the IRS had received—but not acted on—numerous reports that its systems did not have adequate security; it knew its systems had been previously hacked by cyber-criminals; it knew that cyber-criminals were highly motivated to hack the IRS system in order to steal taxpayer information that has significant value in the black market; and it had actual knowledge that cyber-criminals were engaged in ongoing efforts to hack the IRS systems,” said the complaint. “Despite this knowledge, the IRS deliberately and intentionally decided not to implement the security measures needed to prevent the subject data breach.”

The lawsuit was filed last week by four law firms: McCune Wright of Redlands, Calif., Abbott Law Group of Jacksonville, Fla., Morgan & Morgan of Tampa, Fla., and Rhine Law Firm of Wilmington, N.C. It names two plaintiffs, Becky Welborn and Wendy Windrich.

An IRS spokesman declined to comment on the lawsuit and instead directed readers to the agency's statement last week on the expanded number of taxpayers affected by the data breach: "We can’t comment on pending litigation, but if you haven’t done so already, take a look at our posting at http://www.irs.gov/uac/Newsroom/Additional-IRS-Statement-on-the-Get-Transcript-Incident."

The complaint argues that the IRS’s process for verifying transcript requests is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication,” or KBA, using “challenge questions” that can be easily answered using information that is widely available for sale in the cybercrime underworld or with a small amount of searching online. The KBA involves asking multiple-choice “out of wallet” questions, such as previous address, loan amounts and dates, which can be successfully answered with random guesses or found on the Internet.

“For example, Zillow.com can provide answers to the KBA questions in a matter of minutes,” said the complaint. “Spokeo also solves the ‘old address’ questions with 100% accuracy. Moreover, answers to common security questions such as ‘What is your mother’s maiden name?’ are easily gleaned from the public domain by using such non-sophisticated techniques as looking up a Facebook profile or engaging in a little light social engineering.”

The complaint noted that once cybercriminals infiltrated the IRS’s system, they gained access to taxpayers’ full tax transcripts, including identification information, Social Security numbers for their children and spouses, prior W-2s, current W-2s, income, holdings, and more than enough information to fraudulently file for a tax refund using a taxpayer’s identification.
