BY MICHAEL COHN
The Internal Revenue Service said Friday that an investigation into last year’s data breach in the online Get Transcript application revealed it affected hundreds of thousands more taxpayers than originally believed.
Last May, the IRS revealed that identity thieves had used the online application to access the tax returns of 104,000 taxpayers (see IRS Detects Massive Data Breach in ‘Get Transcript’ Application). Organized criminals used taxpayer-specific data that they acquired from non-IRS sources, including Social Security information, birth dates and street addresses. In August, the IRS admitted that another 220,000 taxpayers had been affected (see Extra 220,000 Hit by IRS ‘Get Transcript’ Breach).
On Friday, the IRS said a nine-month investigation by the Treasury Inspector General for Tax Administration found potential access of approximately 390,000 additional taxpayer accounts during the period from January 2014, when the application was launched, through May 2015, when the breach was detected. In addition, 295,000 taxpayer transcripts were targeted but access was not successful. All taxpayers are being notified and they are being offered Identity Protection PINs.
“This expanded review has identified additional suspicious attempts to access taxpayer accounts using sensitive information already in the hands of criminals,” said the IRS. “The IRS is moving immediately to notify and help protect these taxpayers, including through free identity theft protection services as well as Identity Protection PINs.”
Mailings to these taxpayers will start February 29. The IRS noted that the “Get Transcript” web application has been offline since this incident was discovered last May. Taxpayers and tax preparers can only go online to order transcripts of prior tax returns that are sent to them by mail. The old application allowed the transcripts to be viewed online and printed.
“The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort,” IRS Commissioner John Koskinen said in a statement. “We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed. We are moving quickly to help these taxpayers.”
As it did last year, the IRS said it is moving aggressively to protect these additional taxpayers from tax-related identity theft. This includes:
• Notifying by mail those taxpayers whose transcripts were accessed and those taxpayers whose transcripts were targeted but not accessed. These mailings will provide guidance and notify them that criminals may have their personally identifiable information.
• Informing taxpayers whose transcripts were accessed that they can request an Identity Protect PIN by completing a Form 14039, Identity Theft Affidavit. An IP PIN provides an additional layer of protection for the taxpayer’s SSN on the federal tax return.
• Offering taxpayers whose returns were accessed a free Equifax identity theft protection product for one year, and encouraging taxpayers to place a “fraud alert” on their credit accounts.
• Placing extra scrutiny on tax returns with taxpayers SSNs.
• Placing special markers on these taxpayer accounts to advise IRS assistors that the caller is part of this event.
To further protect taxpayers, the IRS said it is also sharing information about this incident with the states as part of the Security Summit effort. This is part of a larger effort undertaken this tax season to protect against identity theft refund fraud through the Security Summit group, a partnership between the IRS, state revenue departments and the tax industry.
“The IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our systems,” said the agency.
Earlier this month, the IRS disclosed a data breach in its Electronic Filing PIN application (see IRS Detects Attack on Electronic Filing PIN App). At the time, the IRS said it had identified unauthorized attempts involving approximately 464,000 unique SSNs, of which 101,000 SSNs were used to successfully access an E-file PIN.