This afternoon IRS Commissioner John Koskinen announced that criminals were able to use the IRS “Get Transcript” application to access approximately 104,000 tax returns. (An additional 100,000 or so attempts were unsuccessful.) From the Wall Street Journal:
Thieves used the information from prior years’ returns to help them file for fraudulent refunds, the IRS said.
The IRS said the matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’s Criminal Investigation unit. In addition, the agency said its “Get Transcript” application—which the identity thieves successfully penetrated—has been shut down temporarily.
The IRS said it would provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. The IRS said it identified 200,000 attempts to access data and will notify all of these taxpayers about the incident.
The Hill has the number of returns accessed at 104,000.
That the Get Transcript application is insecure isn’t a surprise. Over one year ago I wrote:
Meanwhile, the Get a Transcript has its own problems. My partner attempted to use the service, but it could not verify either him or his wife as living where he’s lived for years. Second, the verification information relies on publicly available information for many. (It did for my partner, myself, and one other individual.) This is anything but a secure system. (I have sent a request to TIGTA noting the weakness of the system and requesting that they audit it. If TIGTA audits this, it’s unlikely we will hear anything for many months–probably not until 2015.) [emphasis in original]
Last year TIGTA responded to my request and stated that there were no issues with “Get Transcript.” I suspect they’ve changed their mind on that.
Meanwhile, I continue to have issues with IRS notices. Today I spoke with the Practitioner Priority Service (after being on hold for 1.5 hours) regarding a client where I have both a Tax Information Authorization (Form 8821) and a Power of Attorney (Form 2848), either of which should have had me copied on the notices. PPS confirmed that the POA and Tax Information Authorization were on file for the year in question. They could not explain to me why I didn’t receive any of the notices sent to my client.
One solution to the identity theft fiasco is the modest proposal on identity theft I made back in 2012. Instead, identity theft continues to balloon, while the IRS limits the tools available to tax professionals. Is it any wonder the IRS is so loved?
UPDATE: The IRS released a statement on the breach. Here are excerpts:
The IRS announced today that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through IRS’ “Get Transcript” application. This data included Social Security information, date of birth and street address.
These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the “Get Transcript” application has been shut down temporarily. The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident…
The IRS determined late last week that unusual activity had taken place on the application, which indicates that unauthorized third parties had access to some accounts on the transcript application. Following an initial review, it appears that access was gained to more than 100,000 accounts through the Get Transcript application.
In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.
I question that the answers to these questions are only known by the taxpayer. The questions I was asked could be discovered through a search of public records. It would be time-consuming but entirely possible for a stranger who had my Social Security number and date of birth to answer all the other verification questions.