The Internal Revenue Service discovered last month that criminals accessed around 104,000 tax returns through its Get Transcript application and tried to get hold of approximately 100,000 more.

But the IRS’s efforts to stop identity theft are running squarely into another priority: to try to get more taxpayers to use online self-service options to save money at the cash-strapped agency, whose customer service levels have been dropping precipitously.

The IRS announced the data breach last week and said it would provide free credit monitoring for the affected taxpayers (see IRS Detects Massive Breach in ‘Get Transcript’ Application). The Senate Finance Committee held a hearing Tuesday to question IRS Commissioner John Koskinen and Treasury Inspector General for Tax Administration J. Russell George about the extent and causes of the data breach (see IRS Risks Data Breach Repeat While Expanding Online Services).

The officials revealed a number of key details about the breach, including revelations that the organized criminals may have come from a number of countries and not just Russia, as previously reported. The Inspector General found that domains from several other countries had also been traced back to the attack, although he acknowledged that cybercriminals are able to make their Internet addresses appear to originate in other places than where they actually are located. Koskinen said the IRS is seeing an increasing number of attacks on its computer systems from hackers in Eastern Europe and Asia.

The IRS commissioner pointed out that the Get Transcript application was an effort by the IRS to make taxpayers’ interactions with the agency easier. The online application launched in January of last year and allows taxpayers to view and print a copy of their prior-year tax information in a matter of minutes.
“Prior to the introduction of this online tool, taxpayers had to wait five to seven days after placing an order by phone or by mail to receive a paper transcript by mail,” said Koskinen. He noted that taxpayers use the tax transcripts for a variety of financial activities, such as verifying their incomes when applying for a mortgage or student loan.

However, the wealth of sensitive financial information available in the online application also made it an attractive target for cybercriminals. Koskinen pointed out that the so-called “Darknet” already has a vast trove of financial information available to identity thieves. Although the IRS has put in place a number of filters in recent years to deter identity theft, including the use of so-called “out-of-wallet” questions to verify someone’s identity before giving them access to a tax transcript, the hackers already had much of this financial information handy. They were able to use it to get access to around 104,000 tax returns, which in turn gave them access to Social Security numbers and other information for those taxpayers’ spouses and dependents.

The IRS has actually been improving its ability to deter identity theft, as a recent report from the Inspector General showed (see IRS Gets Better at Detecting Identity Theft). Over the past few years, nearly 2,000 individuals have been convicted in connection with refund fraud related to identity theft, Koskinen noted.

Koskinen and George pointed out that the cybercriminals already had stolen identifying information for many of the taxpayers before trying to access their transcripts. That information then allowed them to answer the “out-of-wallet” questions, which are a customer authentication method that is now fairly standard in the financial services industry. The questions are designed to elicit information that only taxpayer themselves should know, such as the amount of their monthly mortgages or car payments. Before getting access to the online tax transcripts, taxpayers are also supposed to provide their own Social Security number, birth date, tax-filing status and home address.

Unfortunately, identity thieves already oftentimes have that information available to them, and they now have the funds and resources to run sophisticated data-mining programs to find and match patterns in the information, allowing them to get access to the transcripts. The IRS did not detect the suspicious activity in the Get Transcript app until mid-May because it was consumed by the workload of coping with tax season and initially thought it was a denial of service attack by hackers.

The IRS’s filters caught about 100,000 attempts at accessing the tax transcripts and stopped them, and it caught many of the fraudulent tax returns as well. Koskinen reported that about 35,000 taxpayers had already filed their 2014 income tax returns before the unauthorized access attempts, so these taxpayers’ 2014 returns and refund claims were not affected by the fraudulent activity, because any fraudulent returns that were subsequently filed in their names would be automatically rejected by the IRS’s systems. For another 33,000, Koskinen said there is no record of any tax return having been filed in 2015, perhaps because the Social Security numbers associated with those individuals may belong to those who have no obligation to file, such as children, or anyone below the tax-filing threshold.

Unsuccessful attempts were made to file approximately 23,500 returns. These 23,500 returns were flagged by the IRS’s fraud filters and stopped by its processing systems before the tax refunds were issued. Since the data breach occurred, approximately 13,000 suspect returns were filed for tax year 2014 for which the IRS issued refunds. The refunds issued for these 13,000 suspect returns totaled about $39 million, and the average refund was approximately $3,000 per return. “We are still determining how many of these returns were filed by the actual taxpayers and which were filed using stolen identities,” said Koskinen in his opening statement. “We will work with any of these affected taxpayers who had fraudulent returns filed in their name.”

However, the IRS has another battle on its hands besides fending off identity thieves and computer hackers. That’s with Congress. The IRS has seen its budget cut for the past five years at the hands of lawmakers, with funding for the agency reduced $1.2 billion since 2010.

Koskinen has been trying to make the case to Congress to increase his agency’s budget, but he has come under criticism from lawmakers who accuse the IRS of diverting funds away from taxpayer service and security to other functions, such as paying outside legal counsel and implementing the Affordable Care Act (see IRS Accused by Congress of Diverting Funds from Customer Service). This past tax season, IRS customer service employees have been able to answer fewer than 40 percent of the taxpayer calls that the agency received, and wait times have been longer than ever before at the IRS’s in-person Taxpayer Assistance Center offices.

One of the IRS’s solutions has been to develop online customer self-service applications like Get Transcript and Where’s My Refund so taxpayers won’t have to call into the IRS’s busy call centers and receive so-called “courtesy disconnects,” a polite way of hanging up the phone on taxpayers and suggesting they try again later.

Now the IRS has taken its Get Transcript application offline to deter further identity theft attempts and Koskinen told lawmakers the app wouldn’t go back online until the IRS can be assured it is secure. But the IRS is also coping with an outdated set of information technology systems, some of them dating back to the Kennedy administration. It has to pay Microsoft extra to continue providing support for Windows XP because it hasn’t been able to upgrade many of its desktop computers to more recent versions of Windows. The Government Accountability Office and the Treasury Inspector General for Tax Administration have both issued reams of reports over the years warning about the lapses in computer security at the agency.

Now, as the IRS attempts to compensate for declining levels of customer service with self-service applications, it may have to go back to square one to make sure those apps are secure enough to deter increasingly deep-pocketed and organized cybercriminals.

The IRS is asking Congress for more funding and also to allow it to make changes like requiring employers to file W-2 and 1099 statements earlier so they can be matched up with tax returns faster by the IRS, while also masking the Social Security numbers on those same forms to keep them away from identity thieves. The IRS has also stepped up its efforts to work with the private sector, including online tax software developers, to make sure their systems are secure after identity thieves used such systems last tax season to file fraudulent federal and state tax returns.

It’s going to be a tall order for a Congress that has grown increasingly skeptical of the IRS in the wake of the scandal over applications for tax-exempt status from political organizations. At the hearing, lawmakers asked George when he will release a final report on the emails from the former director of exempt organizations, Lois Lerner, now that most of the emails have been recovered by investigators, and they asked Koskinen when the IRS will come out with its revised regulations for organizations operating under Section 501(c)4 of the tax code. The initial set of proposed regulations garnered fierce reactions from both sides of the political spectrum, and Koskinen quickly shelved it. Neither he nor George was able to provide a definitive answer, although George hopes to release his report by the end of the month. As controversy continues over these and other matters, the IRS will have a difficult time safeguarding the security of the systems it is forced to rely on to operate more cost effectively while facing challenges from cybercriminals and lawmakers alike.

Do you think the IRS will be able to make its systems more secure while providing online access for critical applications for taxpayers?