Earlier this year, the Internal Revenue Service (IRS) announced that identity thieves illegally accessed tax information tied to approximately 114,000 taxpayers with unsuccessful attempts made on about 111,000 additional taxpayer accounts. IRS Commissioner John Koskinen delivered the news at a hastily arranged press conference on May 26, 2015, to alert taxpayers to the breach.
At the time, the IRS released a statement advising taxpayers that it would be sending out letters to affected taxpayers. The IRS also noted at the time that the matter was under “continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation.”
The additional review has revealed that at least 220,000 additional taxpayer accounts were potentially affected. As before, access was attempted – but failed – for even more taxpayer accounts (the IRS puts this number at 170,000). The IRS will begin mailing letters to those taxpayers whose accounts were accessed shortly. The IRS will also mail letters to those taxpayers with accounts which showed evidence of unsuccessful attempts since those taxpayers may have personal information at risk.
The announcement came about a month after the federal Office of Personnel Management (OPM) admitted that it had been hacked affecting 21.5 million people. Information gleaned in the OPM attacks included Social Security numbers, addresses and other personal information which could be used for identity theft fraud.
The unauthorized access to IRS records occurred using the “Get Transcript” application on the IRS website. As a result, the transcript application was taken down and the online request system remains unaccessible. You can, however, request a tax transcript by mail via a form 4506, Request for Copy of Tax Return (downloads as a pdf).
To successfully access the application on the IRS, identity thieves must have had access to previously stolen Social Security numbers and other personally identifiable information, including so-called “out of wallet” information such as high school mascots. That information, explained IRS Commissioner Koskinen in May, is often found in databases compiled by criminals from other sources such as credit bureau records and social media sites like Facebook. (You can read more about “out of wallet” information here.)
In response to the latest findings, the IRS has released the following statement:
Following an incident involving the IRS’s “Get Transcript” web application discovered in May, the IRS conducted an extensive review covering the 2015 filing season to assess whether other suspicious activity occurred. Following this review, the IRS has identified more questionable attempts to obtain transcripts using sensitive information already in the hands of criminals. As a result, the IRS is moving immediately to notify and help protect these taxpayers.
As it did in May, the IRS is moving aggressively to protect taxpayers whose account information may have been accessed. The IRS will begin mailing letters in the next few days to about 220,000 taxpayers where there were instances of possible or potential access to “Get Transcript” taxpayer account information. As an additional protective step, the IRS will also be mailing letters to approximately 170,000 other households alerting them that their personal information could be at risk even though identity thieves failed in efforts to access the IRS system.
A wide variety of actions to protect taxpayers are being taken beyond the mailings, including offering taxpayers free credit protection as well as Identity Protection PINs. The IRS takes the security of taxpayer data extremely seriously, and we are working to continue to strengthen security for “Get Transcript”, including by enhancing taxpayer-identity authentication protocols.
