In its latest admission, the IRS says last year’s hack into the agency’s “Get Transcripts” system is much worse than was thought. Hackers made off with Social Security numbers and other information for more than 700,000 taxpayers – double previous estimates.
Last year, the IRS said hackers stole the private information of more than 100,000 taxpayers, then they increased that number last August to 334,000 Americans. Using that stolen information, scammers successfully filed bogus tax refunds and defrauded the government of $50 million in federal funds.
Now, we’re learning it was way, way worse. Last week, the IRS added another 390,000 accounts to the list of targeted Americans. Another 500,000 taxpayers were targeted, but those attempts failed.
This is still different from the recent hacking where 464,000 unique Social Security numbers were used to help generate electronic filing personal information numbers (PINS). Only 101,000 Social Security numbers were successful.
This is a dizzying number of hackings. It is becoming difficult to keep up with them, which is an indictment on the IRS. Hackers and scammers don’t get tired of trying to break into the Fort Knox of personal information, because the IRS has fumbled security and data protection.
Worse, as Wired magazine explains, one year is a lot of time for nearly 400,000 people to be have been vulnerable for identity theft and fraudulent stolen returns without knowing it:
The revelations come at the end of a nine-month investigation by the Treasury Inspector General for Tax Administration, which hopefully means that it’s the last of upward revisions. The IRS also notes that not all of these cases necessarily involve malevolent actors.
“TIGTA investigators identified suspicious email addresses that made multiple attempts to access accounts,” the agency said in a statement today. “It is possible that some of those identified may be family members, tax return preparers, or financial institutions using a single email address to attempt to access more than one account.”
For now, just keep an eye on your mailbox next week. And if you have a notice from the IRS, brace yourself for the very real possibility of identity theft.
Sadly, we don’t really know if this is the end of last year’s hacking saga. The IRS is either being less than forthcoming about the magnitude of the problem to save face or is clueless about the scope of the problem. Both cases are scary and give us more good reasons to question the IRS management, judgment and motives.
The IRS has no good explanation, but plans to push all customer service operations online, which makes us nervous given the agency's inability to protect information.