This article first appeared in the May 27, 2015 edition of Tax Notes Today.
Criminals using personal identifying information from outside sources raided the IRS's online Get Transcript application 200,000 times between mid-February and mid-May, gaining unauthorized access to about 104,000 taxpayers' accounts, Commissioner John Koskinen announced during a call with reporters May 26.
The fraudsters apparently had access not only to basic identity information such as names, addresses, and Social Security numbers but also to individuals' answers to "out-of-wallet" questions the IRS uses to authenticate online requests for Get Transcript accounts, Koskinen said. He speculated that much of the out-of-wallet information may have come from taxpayers' social media accounts.
The commissioner emphasized that the raid did not compromise the IRS's database of more than 150 million taxpayers' tax accounts. But the 104,000 taxpayers whose transcripts were stolen may now be at increased risk of stolen identity refund fraud and may have other identity theft risks as a result of their compromised transcripts, he said.
The IRS will provide credit monitoring and protection to the 104,000 victims at the agency's expense, Koskinen said. Victims will also be given the IRS's identity protection personal identification numbers so they are not targeted again, he said. All 200,000 of the taxpayers affected by the raid will be sent notification letters from the IRS and will have their accounts flagged on the agency's core processing systems, he added.
Koskinen estimated that fewer than 15,000 fraudulent refunds made it through IRS identity theft filters, resulting in less than $50 million in refunds issued, as a result of the raid.
Better Fraud Detection
The IRS Criminal Investigation division and the Treasury Inspector General for Tax Administration have begun looking into the matter, Koskinen said.
The IRS has processed 23 million downloads of taxpayer transcripts through the Get Transcript app, the commissioner said. IRS IT specialists initially believed the increased network traffic was part of a denial of service attack, he said. But they tracked the burst of activity down to the Get Transcript app on the IRS.gov Web page, noted that the requesters' domain names were suspicious, and shut down the app last week, he said.
Koskinen said the purpose of stealing taxpayers' transcripts is to raise the likelihood that a fraudulent refund will get past the IRS's increasingly strong filters. By using past years' tax return information, criminals can more closely match their refund demands to the historical patterns and to the IRS's and real taxpayers' own expectations, he said. Thieves can then reroute the refunds to new bank accounts or to hard-to-trace debit cards, he added.
To pull off the raid, the criminals would almost certainly need access to sophisticated computer tools and IT experts who can run them, the commissioner said. They would need to be able to match basic personal identity information with the right taxpayers' social media and other data to answer out-of-wallet questions, he added. The volume of the attack, and when it came, indicate it was likely highly automated, he said.
While Get Transcript is offline, Koskinen said, the IRS will maintain emergency transcript services to send paper copies for things like mortgage applications. But if the IRS had to move the entire transcript service offline, "our backlog would be tremendous," he said. When it is reopened online -- the date is undetermined -- Get Transcript will probably be more onerous for taxpayers to use, though the additional burden will be worth it, he said.
Congress Weighs In
Koskinen informed the Senate Finance Committee of the thefts late last week by phone, committee Chair Orrin G. Hatch, R-Utah, said in a statement May 26.
Hatch said the federal government's first order of business must be to find the perpetrators and punish them. Next, investigators must learn what was stolen and how it will affect taxpayers, he said.
Then, Congress and the Obama administration must work more closely together to protect taxpayer information, Hatch said. He did not elaborate on what he thought should be done.
"That the IRS -- home to highly sensitive information on every single American and every single company doing business here at home -- was vulnerable to this attack is simply unacceptable," Hatch said. "What's more, this agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves."
In a separate statement May 26, House Ways and Means Committee Chair Paul Ryan, R-Wis., said, "While the committee is seeking more information about the situation, it's deeply concerning that taxpayer information has been compromised. Protecting the taxpayer is supposed to be the IRS's top priority, and we need answers from them."
Also contributing a statement May 26, Ways and Means Oversight Subcommittee Chair Peter Roskam, R-Ill., said Koskinen had also called him on May 22 to discuss the breach. Roskam said his subcommittee will be looking to see if the transcript thieves exploited security weaknesses earlier identified by TIGTA.