Earlier this year, the IRS joined the ranks of federal agencies targeted by hackers to gain access to their treasure trove of private information. We thought hackers stole the private information of more than 100,000 Americans taxpayers, but now the IRS is admitting that the breach was far bigger than initially claimed.

The IRS said hackers made off with the coveted private data of an additional 220,000 taxpayers during the breach in May bringing the estimated total number of victims to 334,000. Scammers used information (including social security numbers, birth dates, and addresses) to gain access to past returns through the IRS’s Get Transcript application, and then used all of that information to file fraudulent 2014 tax returns. With all of the other information, they were able to fudge employment records or other documents to file what appeared to be real returns.

As we reported, some taxpayers learned that their identity had been stolen when they logged online to submit their tax returns and were greeted with congratulatory messages that their returns had already been filed.

In all about 610,000 fraudulent attempts were made to access consumer records through the Get Transcript tool from February to May.

If you’re one of the 220,000 new victims, expect to get a letter from the IRS alerting you to the fraudulent activity. The IRS is providing free credit monitoring services (for what it's worth) and flagging these accounts as potential targets for identity theft this tax year and for future tax years.

The Hill reports:

In all, the new information means that the breach was at least more than twice as big as originally reported. 

The IRS said in May that thieves were successful in getting access to 114,000 sets of taxpayer information and were blocked another 111,000 times. On Monday, the IRS said that it found the almost 400,000 other attempts after a deeper dive that analyzed more than 23 million uses of IRS systems.

In a statement, the IRS said it was "moving aggressively to protect taxpayers whose account information may have been accessed."

Rep. Peter Roskam (R-Ill.), the chairman of a House Ways and Means subcommittee that oversees the IRS, called Monday's developments "deeply troubling."

"Taxpayers deserve to know that the IRS is taking every possible step to safeguard their personal information," Roskam said. "Today's revelation that the IRS didn't fully understand this security breach for months is not confidence-inspiring."

Sen. Ron Wyden (Ore.), the top Democrat on the Finance Committee, would only say that "we need to do a better job of protecting taxpayers and I welcome swift action from the IRS to address this situation now and against future cyber threats.”


The IRS is one of –if not the- most powerful agencies of the federal government because of its coercive power to collect taxes from individuals, companies, and organizations; penalize and prosecute for non-compliance; and to collect immense private information on us. You might expect that security is its top priority, but apparently when you have to spend a lot of time and energy targeting conservative groups (of which there is an going investigation), you just don't have time for security.  

Cyber security is no video game. The victims in all of this are by-standing taxpayers whose only crime is compliance with the law.

When private companies are hacked, as a consumer you can choose whether to do business with them again. Because they know this, they move expeditiously to investigate the problem, shut down the vulnerable processes, and work to put protections in place to ensure that it doesn’t happen again. Social media magnifies the PR nightmare of a data breach, which leaves no room for more errors or slothfulness.

Not so with the federal government. With no profit motive, there is less motive to correct the problem.