Hackers used taxpayer-specific data, including Social Security information, to gain unauthorized access to more than 100,000 tax accounts through an agency computer system.
The agency said in a press release, “These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.”
Here’s what you need to know:
1. The Hack Targeted the ‘Get Transcript’ System
According to the IRS, the hackers used the agency’s “Get Transcript” system to access taxpayers accounts. The transcripts contain personal taxpayer information, but the agency says the hackers appear to have already had that information in order to get into the account.
The system, according to the IRS website, allows you to “view your tax account transactions, line-by-line tax return information or wage and income reported to us for a specific tax year.”
“The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure,” the agency said in a statement to The Associated Press. “In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles. During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.”
“The IRS emphasizes this incident involves one application involving transcripts — it does not involve other IRS systems, such as our core taxpayer accounts or other applications, such as Where’s My Refund,” the IRS said in its statement.
The unauthorized access and attempts to access accounts were made from February to May, the IRS says.
2. The Breach Is Under Investigation
“We’re confident that these are not amateurs,” IRS Commissioner John Koskinen told The Associated Press. He said the agency learned about the thieves when its technicians saw an increase in the number of taxpayers trying to access transcripts.
The IRS said the Treasury Inspector General for Tax Administration and the IRS’ Criminal Investigation Unit are investigating the breach.
The “Get Transcript” application has been temporarily shut down. Taxpayers who need access to copies of old tax returns, for example to apply for mortgages or college financial aid, can apply for transcripts by mail, while the online system is down.
3. The IRS Is Providing Free Credit Monitoring Services to Those Affected
The IRS said it will give free credit monitoring services to the more than 100,000 taxpayers whose accounts were accessed. The IRS has identified more than 200,000 total attempts to access data and will be notifying all of the taxpayers about the incident, including those whose accounts were not accessed.
4. The IRS Estimates That Less Than $50 Million in Returns Were Fraudulently Obtained This Year
Koskinen told the AP that less than $50 million in fraudulent refunds were successfully claimed this year using information from stolen transcripts, according to a preliminary estimate. He said the agency is still figuring out how many fradulent refunds were claimed.
Old tax returns can help thieves fill out credible-looking returns in the future, helping them get around the IRS filters.
The IRS said the hackers possibly planned to use the information acquired from this latest hack to file fraudulent returns next year. The old tax returns could help the crooks fill out credible-looking returns in future tax years, getting around IRS filters, the AP reports. The IRS said the thieves already had a lot of personal information about the victims.
The agency said in its statement, “The IRS is continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of these households filed taxes in 2015. It’s possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season.”
Koskinen said the IRS stopped about 3 million suspicious returns this year. He said the agency has added filters to its computer system to identify suspicious returns, including anomalies in the information provided by taxpayers.
5. Security Experts Have Warned About the Risks of Hackers Accessing IRS Accounts
In March, security reporter Brian Krebs advised taxpayers to sign up for an account at IRS.gov before hackers do it with stolen information.
Krebs wrote on his site KrebsonSecurity:
The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA) — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.
To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.