Any data breach is bad news but the one announced this past May at the IRS was considered especially bad because hackers accessed huge amounts of data for an estimated 114,000 individuals. Now the news has worsened as the victim pool has increased alarmingly. Late Monday, the tax agency indicated the victim list had tripled to 334,000.
“The IRS will begin mailing letters in the next few days to about 220,000 taxpayers where there were instances of possible or potential access to ‘Get Transcript’ taxpayer account information,” the IRS stated in this week’s update.
This has become an all-too-predictable pattern after a breach discovery. Initial impact estimates turn out to be just the tip of the iceberg. So most data breach experts won’t be surprised to find that there’s been a huge increase in the number of individuals impacted. What’s most concerning is the wealth of personally identifiable information (PII) needed to commit this sort of data theft and what that collection of PII could be used for in the future.
Thieves had access for nearly four months. To compromise Get Transcript, they needed to have the taxpayer’s name, filing status, date of birth and Social Security number (SSN). Authorities speculate that this breach was possible using PII collected from numerous sources by hackers. In short, that means giving data as simple as your home address could complete the identity puzzle a hacker’s been building. So controlling and restricting every piece of your personal data – not just your SSN – is vital.
The biggest concern now is how hackers will use their ill-gotten data trove. The most probable use will be to file fictitious tax returns for the 334,000 victims when the next filing season rolls around in February. In fact, the IRS did detect fake returns filed in the early months of the 2015 season that might be linked to this breach – thousands of them.
Estimates indicate the IRS has paid out between $4 billion and $45 billion in fraudulent refunds in recent years. The figure is staggering, but the bigger shock is in the details. For 2011, the IRS mailed out $1 million in unearned refunds to a single address in Lakewood, CO. Over $220,000 in refunds—655 checks in all—were mailed to a single address in Lithuania. The Treasury Inspector General for Tax Administration (TIGTA) documented the many abuses of the system in a report released in September that covered the 2011 tax year. A report released in April of this year indicated the agency was cutting the rate of fraud but still mails out billions in tax refunds to fraudsters annually.
In this latest audit of tax-related identity theft efforts, the Inspector General documented over 525 refund checks mailed to an address in Lithuania, but this time Kilkenny, Ireland topped the list with 580 refunds to a single address. As many as 155 direct tax refund deposits were sent to a single bank account. The audit also documented over 6,000 fraudulent returns filed using the identifying info of children under 14 and another 4,000 filed using PII of dead individuals.
The agency is now offering help to its own breach victims and recently announced that the free ID coverage would not be subject to income taxes. The tax collector also shut down its Get Transcript option in the weeks following discovery of the attacks. That service has not been relaunched as of August 17, but transcripts can still be ordered by mail.
Any victim who’s had their SSN compromised should consider filing an IRS Identity Theft Affidavit known as Form 14039. The agency offers advice to breach victims on how to proceed after key personal data has been compromised. It’s good advice for victims of the agency’s own breach too.