The IRS announced Tuesday that data taken from third-party sources has been used to access 100,000 accounts through the IRS’ “Get Transcript” application.
Late last week, the IRS noticed unusual activity on the application and, after an initial review, realized that third parties had gained access to the accounts by completing a multistep authentication process that required personal knowledge tied to the taxpayer account. That information included Social Security numbers, dates of birth, tax filing statuses and street addresses. The process also includes additional steps where account holders must answer personal identity questions.
The IRS shut down Get Transcript last week, and IRS Commissioner John Koskinen said he is unaware of when service will resume. If taxpayers still need a copy of their transcripts, they can apply to receive them via mail.
“The millions of people who use [Get Transcript] over time have a lot of different needs, so we would like to get this up as quickly as we can, but we want to be careful,” Koskinen said. “We are trying to make sure that the difficulty of accessing this for criminals is as much as we can, without making it difficult for the taxpayers to access the information.”
The IRS said the malicious activity took place between February and mid-May. It also said there were 200,000 attempts to access data, and around 100,000 accounts were compromised. The agency said it would notify those whose accounts were breached and provide free credit monitoring services.
The IRS caught between 23,000 and 25,000 suspicious tax returns that were associated with the compromised accounts. However, another 15,000 returns linked to the accounts made it through the agency’s filters. The commissioner said the agency doesn’t have a definite dollar figure for what was paid out in fraudulent returns due to the breach, but roughly estimates it to be “under $50 million.” Koskinen said it would take time to figure out if the fraudulent returns are tied to the breach or filed by independent taxpayers. The IRS deals with 3 million suspicious returns per year.
The agency said the system that holds the Get Transcript application is not linked to the system that handles tax filing submissions. People use Get Transcript to access their old tax transcripts for things like a mortgage or a college loan application.
Koskinen said a lot of the data that was used to bypass the process was already available through social media accounts, which criminals mine for information they can use for their operations. The criminals keep that information in databases and run scripts that fill in answers to security questions, such as a high school mascot or pet’s name, until one matches the correct answer.
“Our real concern is trying to make sure that these taxpayers understand the amount of their personal information that is already in the hands of crooks before they tried to access our information,” he said. “Our criminal investigation division has learned more and more about the amount of data that’s in the hand of criminals. In some cases, the criminals can answer the questions a lot better than you can.”
Ken Westin, a security analyst for IT security firm Tripwire, said breaches like this are going to become more common as more personal data is placed online.
“We live in a world where the Internet has become a database of ‘you’ and where one data breach can easily feed another,” Westin said. “Tax filing status can be identified pretty easily if you know whether the person is married or not. Unfortunately, the high number of large-scale data breaches has essentially transformed our personal information into public information and this data should not be used as security or authentication checks.”
The IRS has opened a criminal investigation, and the Treasury inspector general for tax administration also is reviewing the matter.