Criminals Exploit IRS Website to Steal Data
A “sophisticated” organized crime syndicate used the IRS website to steal tax forms full of personal financial information on 104,000 taxpayers, the agency said Tuesday.
An AccountingTODAY article reported that the Internal Revenue Service warned of a huge data breach of its online Get Transcript application that allowed the tax returns of approximately 104,000 taxpayers to be accessed by identity thieves.
Third parties gained enough information from outside sources before trying to access the IRS site, allowing them to clear a multi-step authentication process, including several personal verification questions that typically are only known by taxpayers themselves.
The matter is under review by the Treasury Inspector General for Tax Administration, along with the IRS’s Criminal Investigation unit, and the Get Transcript application has been shut down temporarily.
“We greatly regret that this additional information is available to criminals, although as I say it’s primarily attractive for them to file fraudulent refunds going forward,” said IRS Commissioner John Koskinen. “We’ve taken the Get Transcript application down late last week and we won’t put it back up until we’re satisfied that we’ve improved the security.”
What You Should Do
The IRS said it will notify by mail all 200,000 people who might be affected by this. They will all be placed on a list of Americans whose tax profiles are more closely monitored next year.
The IRS said it would provide free credit monitoring services for the approximately 104,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.
If you are a data breach victim, take these steps:
The IRS posted the following advice at their website for victims of identity theft:
- Determine what type of Personally Identifiable Information (PII) has been lost or stolen. It is important to know what kind of information has been stolen so you can take the appropriate steps. For example, a stolen credit card number will not affect your IRS tax account.
- Stay in touch with the company that lost your data. Companies sometimes offer special services, such as credit monitoring services, to assist victims.
- Follow the Federal Trade Commission recommended steps:
- File a police report
- File a complaint with the FTC
- Notify one of the three majority credit bureaus to place a fraud alert on your credit file
- Close any accounts opened without your permission
- If you received IRS correspondence or your e-file tax return was rejected as a duplicate, take these additional steps with the IRS:
- Submit an IRS Form 14039, Identity Theft Affidavit
- Continue to file your tax return, even if you must do so by paper, and attach the Form 14039
- Watch for any follow-up correspondence from the IRS and respond quickly.
IRS law enforcement agents are now hunting for the fraudsters who did this, and the agency’s own internal investigator is looking into how this happened.