IRS Breach Exposes Data of 100,000 Taxpayers (May 27, 2015)
Cybercriminals accessed the personal information of about 100,000 U.S. taxpayers in an attack on the IRS’s systems, the agency confirmed this week. The compromised data—including Social Security numbers, birthdates and street addresses—was accessed through the IRS’s “Get Transcript” online application, which enables taxpayers to view filings from previous years. The thieves used personal information from “an outside source” to clear a multistep authentication process that includes personal identity verification questions usually known only to the taxpayer, the agency said. The hackers could attempt to use the stolen data to file fraudulent returns—a multibillion-dollar enterprise—during next year’s tax season, the IRS noted.
The agency discovered the breach late last week, after it identified suspicious attempts to access the returns of 200,000 taxpayers. Only half of the attempts, which occurred in mid-May, were successful, but the IRS said it will notify all 200,000 targeted taxpayers. The 100,000 whose data were compromised will receive free credit monitoring services. The Get Transcript application has been disabled until security modifications can be made, and the matter is under review by the Treasury Inspector General for Tax Administration and the IRS’s Criminal Investigation division. The agency said the breach was limited to the Get Transcript application, and no other systems—including its core system for handling tax filing submissions—were affected.
ID-related fraud comprised the largest chunk of the $5.2 billion in tax fraud in the U.S. in 2014, according to the GAO. Earlier this year, a group of U.S. senators introduced legislation aimed at combating ID-based tax fraud. The Identity Theft and Tax Fraud Prevention Act proposes not requiring taxpayers to disclose their entire Social Security numbers when filing and significantly increases criminal and civil penalties for illegally accessing personal data.
See related stories:
