Hackers accessed more than 104,000 tax accounts and used the information they retrieved to collect more than $50 million in fraudulent tax refunds.
The IRS said the cyber criminals were able to gain access to taxpayer information through its “Get Transcript” application, which allows taxpayers to retrieve old tax returns. The online application has since been disabled.
The thieves reportedly had to use personal taxpayer information, including Social Security numbers, dates of birth, tax filing status and street addresses, gathered from elsewhere — likely another breach — to access the transcript service.
“This is a wake-up call that breaches have a compounding effect and the stakes are getting higher,” Eric Chiu, a security expert who is the president of HyTrust, a cloud-computing security company, told The New York Times. “Attackers are on the hunt for our personal and financial information using data stolen from other breaches to gain a larger amount of information on those same individuals.”
Information from the transcript service was then used to file fraudulent tax returns, The New York Times said. Although there were more than 200,000 attempts to gain access to old returns between February and mid-May, only half were successful.
The IRS sent about $50 million in tax refunds before it detected the scheme.
“We’re confident that these are not amateurs,” said IRS commissioner John Koskinen in a statement. “These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”
The IRS said it is “working aggressively to protect affected taxpayers and continue to strengthen our protocols.” It plans to mail letters to all taxpayers affected by the data breach. It will also provide free credit-monitoring services to those individuals.
It’s alarming that the IRS, which holds some of Americans’ most sensitive personal information, is the latest victim of a cyberattack. Sen. Orrin Hatch, R-Utah and chairman of the Senate Finance Committee, said:
That the IRS — home to highly sensitive information on every single American and every single company doing business here at home — was vulnerable to this attack is simply unacceptable. What’s more, this agency has been repeatedly warned by top government watchdogs that its data-security systems are inadequate against the growing threat of international hackers and data thieves.
What do you think of the IRS data breach? Have you been the victim of a cyberattack or identity theft? Share your comments below.