IRS Commissioner John Koskinen told lawmakers Thursday the personal information of up to 100,000 taxpayers may have been stolen through one of its tools used by the Education Department to help students apply for federal aid.
Students applying for federal student aid were given the option to use IRS data retrieval tool, which is integrated with the Free Application for Federal Student Aid website, FAFSA.gov, to automatically transmit their parents’ or guardians’ previous tax information to their application. The IRS took the tool down in early March citing technical issues, but later revealed March 30 the problem was actually related to security vulnerabilities.
Criminals reportedly used stolen taxpayer information to login to the tool and obtain additional taxpayer information, which they then used to file fraudulent tax returns with the IRS.
From that stolen information of about 100,000 taxpayers, Koskinen estimates “fewer than 8,000 fraudulent returns were actually filed, processed and refunds issued.”
Those 100,000 are a “pool of people in the suspicious area of activity who did not complete their application,” the commissioner explained. It’s possible and very likely, he said, that many could be “legitimate people who actually just didn’t complete the application.”
Fraud filters stopped the processing of about 52,000 returns from that pool, and of those 52,000, about 14,000 were labeled as legitimate fraudulent attempts.
However, “out of an abundance of caution, we’re going to notify all 100,000,” Koskinen told the Senate Finance Committee. IRS has sent out 35,000 notification letters already.
“Fortunately we caught this at the front end,” he said.
That’s because, in a sense, Koskinen explained, the IRS expected the data retrieval tool could be a target. After the agency’s 2015 similar debacle with criminals using the Get Transcript tool to steal the information of 320,000 Americans, the IRS began looking for all the different ways tax thieves could get “either money or information out of our systems,” the commissioner said.
“I thought there might be 30 or 40,”he testified. “It turns out there are over 200 different ways we provide tax data” to various entities. “We had an early indication in September  that it was possible with relatively little stolen information to pretend you were a student, go online, start to fill out an application, giver permission for us to populate that application with tax data, most importantly the adjusted gross income, and then complete the application.”
Because the IRS stopped issuing E-File PIN numbers, which were the root of the 2015 breach, criminals this season were driven to the data retrieval tool, the commissioner believes, because with a few bits of a taxpayers’ information it will display their past year’s adjusted gross income, “cause that’s the key that we have this year for all taxpayers.”
The IRS alerted the Education Department in October that “the system could be utilized by criminals,” Koskinen said, but ultimately decided against taking it offline because 12 million to 15 million applicants use the app for its convenience and at that time it “didn’t have any volume of criminal activity.”
“We told them as soon as there was any indication of criminal activity, we would have to take that application down, and that occurred as we monitored into the early part of February — it became clear there was a pattern of activity … that was clearly not consistent with people who actually apply for student loans,” he said.
When asked if the 100,000 total could grow before the IRS has its arms around this latest identity theft saga, Koskinen said, “these numbers always have a way of growing.”
The IRS said in March the data retrieval tool won’t be back online likely until the start of next application season for student federal aid, which begins in October. By then, IRS will have a “long-term solution that will mask that data,” Koskinen said.