In May 2015, the Internal Revenue Service (IRS) announced that identity thieves had illegally accessed tax information tied to taxpayer accounts. In February 2016, the IRS announced that the attack was worse than initially thought: approximately 390,000 additional taxpayer accounts were potentially accessed, and the accounts of a further 295,000 taxpayers were targeted. As a result, the IRS shut down the “Get Transcript” online tool and pledged to notify taxpayers about the unauthorized access and access attempts.
Following that initial announcement, the Treasury Inspector General for Tax Administration (TIGTA) conducted an audit to evaluate how the IRS identified and assisted affected taxpayers. Assistance included a combination of sending potential victims a notification letter, marking affected accounts with an identity theft incident marker, offering free credit monitoring and/or issuing an Identity Protection Personal Identification Number (IP PIN), depending on the level of access.
- In its audit, TIGTA found that the IRS did not identify all taxpayers potentially affected by the access or attempted access. To identify affected taxpayers, the Office of Compliance and Analytics (OCA) analyzed data and determined that individuals attempting to access accounts cleared an authentication process that required knowledge about the taxpayer, including taxpayer personally identifiable information (PII) and out-of-wallet questions. Additional attempts were made by individuals who were not able to clear the authentication process because they did not have the taxpayer’s PII, could not correctly answer the out-of-wallet questions or received a system error.
Among the specific TIGTA findings was that the IRS did not identify 17,077 accounts as potentially affected because the IRS did not believe that access to an account by multiple e-mail addresses was sufficient to establish an attempt at theft. After the TIGTA report, the IRS indicated that it would send a notification letter and place an identity theft incident marker on accounts of those taxpayers. IRS officials also informed TIGTA that the online authentication system had been modified to prevent an e-mail address from being used to access more than one account through the “Get Transcript” tool. TIGTA identified 2,470 additional taxpayers whose accounts were targeted – but not accessed – that the IRS did not identify due to an issue with error codes. Since the initial report, the IRS indicated that a notification letter had been mailed to the affected taxpayers.
- TIGTA also found that the IRS did not place identity theft incident markers on the tax accounts of 3,206 potentially affected taxpayers. Theft incident markers help the IRS identify accounts which may be vulnerable to future identity theft. Markers were not initially placed on accounts of taxpayers who did not receive a letter from the IRS; letters were not mailed to victims 18 years and under or to victims who did not have a date of birth included on their tax account. About 15% of the accounts that were not marked were missed as a result of employee error. The IRS has since notified TIGTA that all affected tax accounts would get a marker.
- The IRS did not offer an Identity Protection Personal Identification Number (IP PIN) or free credit monitoring to 79,122 individuals whose tax accounts the IRS identified as being involved in an attempted access. Free credit monitoring was not initially offered to taxpayers whose PII had been pulled from sources outside the IRS (such as through a breach like the one at Anthem). The decision to not provide an IP PIN was based on the fact that individuals who tried to access taxpayer accounts were unsuccessful (for example, they could not answer the out-of-wallet questions).
TIGTA believes that all individuals whose tax accounts were targeted should receive the same protection because they are at an increased risk of identity theft. While the IRS agreed with most of TIGTA’s recommendations, the IRS disagreed with the recommendation to issue IP PINs to the 79,122 individuals with attempted accesses to their tax information but stated that it would consider this inconsistency in future IP PIN policy decisions.
In its initial response to TIGTA, IRS acknowledged the challenges it faced, noting that “[c]riminals are becoming increasingly sophisticated and are gathering vast amounts of personal information as the result of data breaches at sources outside the IRS.” The IRS also confirmed that a more rigorous e-authentication process was necessary to increase protection against identity thieves.
You can read the TIGTA report in its entirety here (downloads as a pdf).
Since the release of the report, the IRS “Get Transcript” online tool with a new, more secure access framework has again been made available for taxpayers to access a copy of their tax transcripts and other documents with important tax return information. The IRS now requires a two-step authentication process for all online tools and applications that require a high level of assurance.
In response to the release of the report, the IRS has issued the following additional statement:
The IRS took numerous steps to notify and protect affected taxpayers involved in the Get Transcript incident. We thank the TIGTA audit team for their work and helping us to identify additional ways we can better serve the victims of the theft of taxpayer records. The IRS worked closely with the audit team, and we have already taken action to address the majority of their recommendations and findings. In particular, as TIGTA noted, we notified all taxpayers that criminals had possession of the taxpayer’s personal information as soon as we identified the taxpayers involved. We also marked for special monitoring the accounts of all taxpayers where the criminals attempted to access previous tax returns. For those where the criminals had obtained access to previous tax returns through the Get Transcript App, we also offered credit monitoring and the availability of an Identity Protection PIN to help protect their account.
The IRS on Tuesday announced a new secure access framework for Get Transcript with a more rigorous e-authentication process for taxpayers. This new secure access process will significantly increase protection against identity thieves impersonating taxpayers and serve as a foundation for additional IRS self-help services in the future.
While some taxpayers may now find it more difficult to authenticate their identities with this strengthened process, the IRS is committed to making sure everyone accessing the site will be able to do so in a safe and secure way. For taxpayers unable to authenticate through the new secure access process, Get Transcript by Mail – which is available online – remains an option.
Even with our constrained resources as a result of repeatedly decreased funding over the past few years, we continue to devote significant time and attention to this challenge of securing our systems and taxpayer data. We work continuously to protect our main computer systems from cyber incidents, intrusions and attacks, but our primary focus is to prevent criminals from accessing taxpayer information stored in our databases. These core tax processing systems remain secure, through a combination of cyber defenses, which currently withstand more than one million attempts to maliciously access our systems each day. Second, the IRS is waging an ongoing battle to protect taxpayers and their information as we confront the growing problem of stolen identity refund fraud. That’s why we asked state tax agencies and the tax industry to work with us and our unprecedented Security Summit alliance is yielding even more safeguards for the nation’s taxpayers, especially in the area of authentication and trusted customer requirements.