IRS Transcripts and Tax Return data stolen: What? How?

What happened?

According to IRS statements available online, 100,000 taxpayers had their transcripts stolen from the IRS Get Transcript website. Of the 100,000 taxpayers:

· About 35,000 had already filed their 2014 income tax returns before the unauthorized attempts at access. This means that these taxpayers’ 2014 returns and refund claims were not affected by this fraudulent activity, because any fraudulent return subsequently filed in their names would be automatically rejected by IRS systems;

· For another 33,000, there is no record of any return having been filed in 2015.

· Unsuccessful attempts were made to file approximately 23,500 returns. These 23,500 returns were flagged by our fraud filters and stopped by our processing systems before refunds were issued; and

· Since this activity occurred, about 13,000 suspect returns were filed for tax year 2014 for which the IRS issued refunds. Refunds issued for these 13,000 suspect returns totaled about $39 million.

How did this happen?

"In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer." (IRS statement online)

Because the thieves already had the information, they were most likely looking to increase its value, either by ‘cashing in’ on the data with fraudulent tax return filings or by gaining additional information (e.g. spousal or dependent identification for future use). Here is a good example of just one thief who was able to purchase stolen information from a website and used it to file false tax return information. But keep in mind we are dealing with someone or some organization who had (at the VERY least) 200,000 sets of taxpayers’ personal and financial data.

So where did the criminal(s) get the taxpayer information? Perhaps the investigation will be able to draw a link to the source, but if the data was a random sample from a larger database breached at a credit bureau, then small correlations in the victims’ data may be unhelpful in identifying who is really at fault. Some other possibilities are large banks or government agencies. It is clear from IRS Commissioner Koskinen’s statement before the Senate that he recognizes an exponentially growing problem, and he states that he believes he is fighting organized crime syndicates.

How do I know if my tax return transcript was stolen?

If your transcript was one identified as being stolen, you will be getting a letter from IRS.

What can I do?

We are talking about institution-sized leaks, so there is often little that the individual can do other than protecting access to, and limiting the ‘need to know’ of, sensitive data whenever possible. Generally, organizations that have your data should use heightened clearances (like multi-step authentication logins and risk profiling of employees) while concurrently reducing the number of people who have access to that data.

Thieves will usually go to places where they can get the most data for their effort (large businesses or governments); however, even the smallest business, NGO, or government with access to sensitive data should be concerned with protecting its patrons. Written information security policies (WISPs) commensurate with the size of the business, the type of data, and the amount of stored data are a good place to start the discussion. Here is a link to a nice two-page Massachusetts WISP regulation (.pdf).

In accordance with our policy, all prepared employees use multi-factor authentication for all email, drive, and virtual network access. That way, if someone at Google sells our login information to a thief, that thief would need our key generator as well to log in. Additionally, prepared accountants only have access to the network folders of the clients that they are working on.

One other thing that can be done is to file your tax returns early. If you file your tax return first, then the fraudulent efile would be rejected. Although many of the fraudulent efiles could be prepared prior to the efile season's opening and be ready to file at the gate, it would not hurt to gather your complete information and meet with your tax preparer as soon as possible in the new year.