For the second time, the IRS has revised the estimated damage of a criminal syndicate’s massive theft of American taxpayer data.
In May 2015, the government agency said criminals used a tool on the IRS website to steal the tax forms of 104,000 people. Then in August, it revised that number up to 330,000.
On Friday, the tax-collection agency revealed that number is now closer to 720,000.
The latest number is the result of a nine month investigation by the U.S. Treasury Inspector General for Tax Administration.
Investigators found that “390,000 additional taxpayer accounts” were affected. Fraudsters tried to target an additional 295,000 taxpayer transcripts than previously thought, but “access was not successful,” the IRS said.
“We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed. We are moving quickly to help these taxpayers,” IRS Commissioner John Koskinen said in a statement.
Starting next week, the IRS will send letters to those taxpayers to warn them about potential identity theft, offer free credit protection and give them an extra PIN to protect future tax filings.
Until the spring of last year, the IRS website provided a tool called “Get Transcript.” It was meant to help taxpayers who lose track of old tax documents. They could easily download several years of tax forms for tasks like applying for a mortgage or college financial aid.
It was a popular tool. Americans used it to download 23 million transcripts in the first few months of 2015, the agency said.
To keep out fraudsters, the “Get Transcript” tool asked for lots of personal information before granting access: Social Security numbers, birthdays, physical addresses and more.
An unidentified cybermafia used previously acquired stolen information to dupe the “Get Transcript” tool and downloaded millions of tax documents related to the 720,000 people whose tax forms had been stolen.
Tax forms contain much more sensitive information, including salary, family information, and property and investment values. With this additional stolen information, criminals can claim bogus tax refunds — or open fraudulent credit lines.
The cybermafia members posed as legitimate taxpayers and tried to download forms between January 2014 and May 2015, the IRS said. That means the fraud stretched back more than year earlier than previously thought.
The IRS disabled the online document tool last year to prevent further fraud.
This incident is a curious one. It wasn’t a hack — or even a data breach. These fraudsters didn’t manage to break into IRS computers at all. They just turned a useful IRS feature into a leaky faucet — by answering all the verification questions correctly.
This data leak shows how difficult it is nowadays to verify true identities.
That’s one reason the IRS has started an experimental program in which it gives select taxpayers a six-digit PIN. It’s an additional layer of protection, like a passcode.
PINs are currently only available to tax fraud victims and residents of Florida, Georgia and Washington. The agency wants to take this pilot program nationwide.
The IRS is extending this PIN to the 720,000 people whose tax documents were exposed in this incident. However, it’s not offering that protection to the other 575,000 people — even though they arguably need it too (given that criminals already have their Social Security numbers and can already claim tax refunds in their names).
IRS law enforcement agents are hunting for the fraudsters who did this.