In a devastating admission the IRS has announced the number of taxpayers PINs compromised has doubled again. In May of 2015 the IRS announced that there were 114,000 breached accounts. Then, in August, it added 390,00 to that number. Now the number sits at 724,000 breached accounts. The hackers were hard at work as the IRS also reported hackers unsuccessfully targeted an additional 295,000 taxpayer transcripts. Now the number of unsuccessful attempts is 570,000.
Hackers are using the hacked accounts to file false tax returns and stealing tax refunds. Hundreds of millions of dollars have been stolen in this manner and the victims usually don’t know it until they file their return only to have them rejected.
The IRS has begun notifying the new victims and those whose accounts were attacked but not breached. IRS Commissioner John Koskinen said in a statement that “The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft and these mailings are part of that effort. We are moving quickly to help these taxpayers.”
According to the IRS hackers were able to access people’s social security numbers and personal details through their website called “Get Transcript.” Get Transcript was launched in January 2014 on the IRS website. The application enabled taxpayers to view and download their transcript or order previous years of tax filing information.
According to the agency taxpayers used the ‘Get Transcript” tool to download about 23 million transcripts in its first few months of 2015 when it was introduced. The service supposedly used extensive security measures to thwart cyber criminals such as asking for Social Security numbers, addresses and birthdays. The “Get Transcript” function was shut down in May of 2015.
In more sickening news Krebsonsecurity.com reported that the IRS’s attempts to protect last year’s tax fraud victims was also a total failure. Krebs reported that the IRS mailed 2.7 million of the six digit PINs to prior year tax identity theft victims. But the IRS also allowed taxpayers to retrieve their PIN from the IRS website. The same authentication procedures used by the identity thieves to file the fraudulent tax returns in the first place.
Hackers did not attack the IRS computer systems directly. According to experts the information that allowed the criminals to hack accounts came from online searches and social media accounts. Much of the personal information needed to answer security question can be found on sites like Facebook. Another indicator that sharing too much information can be very bad.
Jeff Markley, a tax technician with Burch & Associates Inc. in Lincoln, said, “The culprits already had information through various things. Through social media, you can Google yourself and find out all sorts of sensitive information, like your birth date.”
According to identity theft experts limiting the amount of information shared online is the best way to prevent becoming a victim of identity theft. Also don’t click on attachments and links in an email unless you are certain of what they are. Don’t talk to people claiming to be the IRS over the phone. The IRS only contacts taxpayers via the mail.
The embarrassments for the IRS continue. According to a recent report from the Online Trust Alliance six of 13 IRS approved tax preparation companies failed to provide adequate security to its customers. The companies are all members of the IRS’s Free File Alliance. This group provides free tax preparation and e-filing for an estimated 100 million federal tax returns. The Online Trust Alliance reported the following services failed an online security audit.