IRS Security Breach

by Joy Johnson on June 1, 2015

On May 27, 2015, this announcement appeared on irs.gov:

“The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the “Get Transcript” application has been shut down temporarily. The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.”

An additional 100,000 attempts that failed to pass authentication were made in an effort that continued from February through mid May until detected.  It makes one question the normal failure rate of authentication for this particular function.  You can read the announcement in it’s entirety at http://www.irs.gov/uac/Newsroom/IRS-Statement-on-the-Get-Transcript-Application

The first thing to consider is the amount of information someone would have to have on a taxpayer in order to circumvent the safety controls built into the IRS system.  While I’ve heard no speculation from anyone else, I have to wonder if it might not be some kind of “inside job” since the only people who would have access to that kind of information on 100,000 people would be someone working for a large tax preparation chain, or the IRS.  The person or persons perpetrating these crimes would have needed information that would only be known to the taxpayer, someone who has prepared the taxpayer’s returns for more than one year, or a tax agency since one of the authentication hurdles would be the prior year’s results.

Think about all of the information included in a complete tax transcript.  It would normally include your address, all dependent information including DOB and Social Security number, all employers, earnings, interest and dividends earned, rental properties, other income or loss producing assets, your mortgage company, medical expenses, taxes, and more.  These are the documents lenders require to take out loans.  This is sufficient information for someone to take out a second mortgage on your home, or perhaps sell it outright, especially to an unscrupulous buyer if presented with a sob story indicating the house needs to be sold quickly and the seller will take less than FMV in cash.  Amended returns with new addresses could even be filed claiming additional refunds so profits could accrue to the criminals without waiting for another tax season.  The depth and breadth of information disclosed is extraordinary.

The important thing is to protect yourself quickly if your information has been compromised.  The IRS is flagging taxpayer accounts it thinks might have been breached.  That should limit the ability of the criminals to benefit.  They are also offering free credit monitoring.  By all means make use of the monitoring.  Just be aware that the value of this information will linger forever since you can never change your social security number, birthdate, etc.  The many ways in which this information can be used are unclear, but this information will, for the most part, never go stale.

Good financial monitoring practices are good for all of us. The IRS discovered this breach.  How many beaches go undiscovered or unreported?  Always assume that criminals have all the information they need to completely assume your identity and transact business in your name.  Proceed accordingly.  You have to stay close to your lenders, and those who have control of your assets in any way.  You have to constantly monitor all of your accounts and all of your assets – including your home.  The minute anyone pulls your credit, you must know about it – which means that you don’t just get the reports, you actually look at them consistently, and in a timely manner.  It will do you no good to get this information, then become complacent about monitoring it.

It’s up to each of us to defend ourselves today.  Get and use a credit monitoring service.  Minimize the number of people who have access to debit card and checking account information.  While I hate having to give banks several percent of every bit of business that is transacted, credit cards are safer than checks or debit cards in terms of what thieves get if they steal the account information.  Build vigilance into your daily routines.


Leave a Comment

Previous post:

Next post: