Identity thieves hacked a federal website and made off with millions of taxpayer refunds.

The Social Security Administration (SSA) created an online portal, called my Social Security, that allows individuals to create personal accounts and access their own information. In January 2013, the SSA upgraded my Social Security to allow account holders to change their banking information, and almost immediately, the allegations of fraud started rolling in.

The inspector general audited the website for 2014-2016 and found, in a newly released report, that because of website enhancements, thieves were able to log in and change account holders' bank deposit information, redirecting direct deposits to the thieves' own accounts. Some of the stolen money was recovered, but most of it is long gone.

According to the report, $6.8 million was misdirected in 2014, leaving over 4,400 beneficiaries without their funds. In total, over the almost three-year period, about 7,200 Social Security recipients lost $10.9 million in benefits to scammers.

Working with banks, the government recovered $4.7 million, but the rest is irretrievable. It cannot be recovered because, according to SSA:

… generally, financial institutions only return misdirected funds to the Department of the Treasury when the funds are still in the bank account. Financial institutions cannot return misdirected funds that are no longer in a bank account.

This report follows a 2016 report about my Social Security, in which the IG raised concerns about whether SSA was doing everything it could to secure Americans' sensitive information:

In June 2016, SSA informed us that it had conducted a new risk assessment and concluded it needed a higher degree of confidence in users’ asserted identities. Online services are an important component of SSA’s strategy to deliver services to the public during a period of increasing workloads and constrained resources. Still, we believe SSA’s primary responsibility must be to safeguard the sensitive information the American public has entrusted to the Agency.

To ensure citizens’ sensitive information is adequately protected, we believe it is imperative that SSA take steps to strengthen controls over access to my Social Security as soon as possible.

This is not the first time that the Social Security Administration has been called out for creating an environment for fraud or putting the identities of Americans at risk. Last year, an audit found that two out of three letters it mailed out included enough personal information (such as full Social Security numbers) that recipients' identities could be stolen. It would be interesting to see if these occurrences are related.

Social Security pays out about $3 billion per year in improper payments, about 0.4 percent of the $900 billion in total benefits that leave its doors. While $11 million is barely a drop in the bucket of the social safety net program, Americans expect federal agencies to handle their sensitive information with the greatest care and to be good stewards of public resources.