Hackers gained access to personal information of 104,000 taxpayers this spring, downloading transcripts from an online service the Internal Revenue Service uses to give Americans access to their past tax returns, the agency said Tuesday.
The information included several years’ worth of returns and other tax information on file with the IRS, Commissioner John Koskinen said in a press conference. The thieves hacked into a system called “Get Transcript,” clearing a security screen that requires users to know the taxpayer’s Social Security number, date of birth, address and tax filing status.
Those who successfully downloaded the transcripts gained access to information from prior years’ tax returns that could be used to file fraudulent tax returns that more closely resemble those of legitimate taxpayers, officials said. Koskinen said the system, which has temporarily been shut down, was targeted from February through mid-May.
“To get these, our criminals already had to have personal identifiers available and personal information for each taxpayer,” Koskinen said, calling the breach a “modified form” of the identity theft that has plagued the IRS in recent years.
He said the criminals were able to use the information to submit fraudulent tax returns. Fewer than 15,000 of these fraudulent returns were processed this tax season, costing the IRS about $50 million, officials said.
In all, the hackers made about 200,000 attempts to access “Get Transcript” from questionable e-mail domains. About half were successful, clearing hurdles requiring authentication. About 23 million transcripts of past tax returns are legitimately downloaded each filing season, officials said.
The IRS is notifying taxpayers whose information was accessed. The agency’s information technology team noticed an unusual amount of activity in the “Get Transcript” application and became suspicious, Koskinen said.
He stressed that the hackers are most likely sophisticated criminals.
“We’re confident that these are not amateurs but organized crime syndicates that not only we, but others in the financial industry are dealing with,” he said.
Tax returns include a slew of personal details. Many taxpayers download them when they apply for mortgages or loans.
Koskinen said the incident was probably not related to a spike in suspicious tax filings this year that raised red flags for the IRS and for state tax authorities, which saw fraud jump by as much as 3,700 percent. Some state tax officials mentioned that criminals appeared to have information from prior tax returns, which made the fraud more difficult to catch. Intuit, the maker of TurboTax, temporarily halted the transmission of state tax returns while it investigated. The fraud grabbed the attention of the FBI, Congress and other regulators, which launched probes.
Some identity theft victims have sued Intuit, claiming that poor security measures contributed to a surge in tax fraud this year and arguing that the company could have done more to protect their personal information. Richard McCune, a lawyer representing the taxpayers, said his firm would seek class-action status down the line to represent other tax victims.
After the incident, Intuit rolled out additional security measures such as multi-step authentication, which is intended to make it harder for people to take over customers’ accounts by requiring users to enter a code when they sign on to their accounts from a new computer or mobile device.
In March, the IRS called on state tax officials and major tax preparation companies to help come up with fixes that could be rolled out by next tax season. Intuit, which has called for industry-wide standards, said in a statement Tuesday night that “this episode reinforces the strategic urgency of the IRS Security Summit process which Commissioner Koskinen has been vigorously leading this year, and which we strongly support.”