Internal Revenue Service (IRS) Commissioner John Koskinen was back on the Hill this week, together with J. Russell George, The Treasury Inspector General for Tax Administration (TIGTA), to testify before members of Congress. This time, both were asked about the unauthorized access to the “Get Transcript” application on the IRS website.
The hearing was a bit awkward on a number of levels, not the least of which being that Sen. Orrin Hatch (R-UT) advised the Senate Finance Committee that due to the nature of the investigation, which is ongoing, the Committee needed to tailor their questions so as not to ask anything so specific that it might jeopardize those efforts. That, of course, begs the question, why have this hearing at all just now?
The IRS has already held a press conference on this matter and released an official statement on its website. Both of those were admittedly a bit short on details. That was explained away by saying that this was an ongoing criminal investigation (sound familiar?). The initial information provided was, it was noted, to alert taxpayers to the problem but until more inroads were made into the investigation, IRS indicated that it intended to keep some details close to the vest so as not to tip off the criminals. Hopefully, that means that IRS has something concrete on these identity thieves that could result in an arrest but at this point, we really don’t know all that much.
That hasn’t stopped the press from doing a little digging. CNN reported, for example, that a source close to IRS indicated that the breach came from Russia. That information was later confirmed by Rep. Peter Roskam (R-IL), who said that Commissioner Koskinen told him about the Russian involvement over a phone call. Previously, Commissioner Koskinen had only indicated that the origin of the theft was likely foreign, which of course, lead to a lot of speculation. When I asked IRS for official comment, they declined, citing the ongoing investigation. That, leads us, of course, back to the hearing which was equal parts rehashing, accusing and speculating.
Commissioner Koskinen offered some prepared remarks at the open. He reiterated that “[s]ecuring our systems and protecting taxpayers’ information is a top priority for the IRS.” He also reminded the Committee (which he did repeatedly throughout the hearing) that the initial data which was stolen was obtained from “sources outside the IRS” in order to access taxpayer information. That data would include Social Security numbers as well as “out of wallet” data, which is the kind of data IRS and financial institutions use to check to see that you are who you say you are (questions like, for example, “What is the name of your pet?”).
Commissioner Koskinen acknowledged that it has been a struggle to meet taxpayer demand for self-service and electronic service options on the web, which speeds up access to taxpayer information, with the increasing problem of identity theft. That is even more difficult, he indicated, considering the numbers of sophisticated organized crime syndicates in the U.S. and abroad.
Clearly, the “Get Transcript” application is an example of that struggle. The IRS launched the application in January 2014 in order to allow taxpayers access to their previously filed returns in a matter of minutes compared to the previous five to seven day wait for a transcript ordered by phone or by mail. During the 2015 filing season, he explained, taxpayers used the application to successfully obtain approximately 23 million copies of their recently filed tax information.
The IRS was alerted to suspicious activity relating to the application and eventually determined that a total of approximately 200,000 irregular attempts were made using the application between mid-February and mid-May. About 100,000 of those attempts were unsuccessful. The other half were successful.
That part, we knew already.
Commissioner Koskinen added a few additional details about those attempts, noting:
About 35,000 taxpayers had already filed their 2014 income tax returns before the unauthorized attempts at access. This means that these taxpayers’ 2014 returns and refund claims were not affected by this fraudulent activity, because any fraudulent return subsequently filed in their names would be automatically rejected by our systems;
For another 33,000, there is no record of any return having been filed in 2015. This could be the case for a number of reasons. For example, the SSNs associated with these individuals may belong to those who have no obligation to file, such as children, or anyone below the tax filing threshold;
Unsuccessful attempts were made to file approximately 23,500 returns. These 23,500 returns were flagged by our fraud filters and stopped by our processing systems before refunds were issued; and
Since this activity occurred, about 13,000 suspect returns were filed for tax year 2014 for which the IRS issued refunds. Refunds issued for these 13,000 suspect returns totaled about $39 million, and the average refund was approximately $3,000 per return. We are still determining how many of these returns were filed by the actual taxpayers and which were filed using stolen identities. We will work with any of these affected taxpayers who had fraudulent returns filed in their name.
While Commissioner Koskinen noted that fraud filters stopped almost 3 million fraudulent returns before processing in 2015, he expressed the belief that “it is possible” that the information obtained this year would be used to file fraudulent tax returns next year.
Commissioner Koskinen sat through a great deal of not wholly unexpected bashing over the IRS’ handling of technology related issues but had a few words for Congress. He asked Congress to approve President’s FY 2016 Budget request, which includes $101 million specifically devoted to identity theft and refund fraud, plus $188 million for critical information technology infrastructure.
Commissioner Koskinen also touted a proposal to accelerate information return filing dates for information returns, including Forms 1099 and 1098; the proposal would require these information returns to be filed when copies of this information are provided to the taxpayers (generally by January 31). Tax professionals have long argued that this would greatly reduce the opportunities for identity theft by allowing IRS to match documents before potentially fraudulent refunds were issued.
Inspector General George was also available to testify. After noting that IRS had failed to fully implemented TIGTA past recommendations on tech-related security issues, George was pressed on whether that failure resulted in the unauthorized access to the “Get Transcript” application. George replied, “I cannot at this stage…give you a definitive answer as to whether or not it would have been possible but I can say it would have been much more difficult had they implemented all of the recommendations that we made.”
George also had some gloomy news to share with members of the Committee, telling Sen. Tom Carper (D-DE), “[t]his is a federal, state, local, global problem, and I don’t see it ending anytime soon, sir, because just as soon as the IRS increases its security posture, the bad guys will increase their efforts to overcome those, and they have a lot of time on their hands.”
George’s prepared written remarks are available here (downloads as a pdf).
You can watch the hearing via CSPAN video here. Have a drink handy, it’s nearly two hours long.
And if you don’t have the time or inclination to watch this one, don’t worry. There’s more to come: Sen. Hatch promised that this hearing would be the “first step of many.”