The Washington PostDemocracy Dies in Darkness

Opinion Thieves stole taxpayer data from IRS ‘Get Transcript’ service

Internal Revenue Service (IRS) 1040 individual income tax forms. Photographer: Michael Nagle/Bloomberg

Shortly after the Internal Revenue Service launched its “Get Transcript” service in 2014, IRS Commissioner John Koskinen lauded it as “another innovation…a secure online system that allows taxpayers to view and print a record of their IRS account, also known as a transcript, in a matter of minutes.”

Unfortunately, it wasn’t just taxpayers who got their records through the service. Identity thieves did too.

More than 350,000 taxpayer accounts “were successfully accessed by unauthorized individuals” from January 1, 2014 and May 21, 2015, according to an audit report by the Treasury Inspector General (IG) for Tax Administration.

Furthermore, almost 610,000 taxpayers “were at heightened risk of future identity theft” and the inspector general’s office identified nearly a million accounts with “suspicious access attempts.” That’s bad enough, but “the actual number of individuals whose personal information” potentially was available to cyber thieves “is significantly larger” because the tax records include information on spouses and dependents. IRS provided 23 million records through Get Transcript in just over six months beginning October 2014.

Agency officials temporarily took down the Get Transcript function from the IRS website “when the scope of the crime became apparent,” according to a memorandum from Debra Holland, commissioner of the IRS wage and investment division, that was included in the report. She called the theft “unprecedented” in scope and method.

“Criminals are becoming increasingly sophisticated and are gathering vast amounts of personal information as the result of data breaches at sources outside the IRS,” said the memo to Michael E. McKenney, a deputy inspector general.  They use that information to “impersonate their victims … to obtain the tax return and account information of the legitimate taxpayer.”

Separately, just this month, the IRS warned tax professionals of “a new wave of attacks that allow identity thieves to file fraudulent tax returns by remotely taking over practitioners’ computers.”

To complicate Get Transcript matters, the May audit report said IRS officials “did not offer an Identity Protection Personal Identification Number (IP PIN) or free credit monitoring to 79,122 individuals whose tax accounts the IRS identified as being involved in an attempted access.”

IRS did not offer free credit monitoring, according to the report, because the data poachers apparently obtained the taxpayers’ personal information, including Social Security numbers, from outside the IRS.

That’s not good enough for the inspector general.

“All individuals whose accounts were targeted through the Get Transcript application should receive the same protection,” the report says, “because they are at an increased risk of having an identity thief file a fraudulent tax return using their personal information.”

But IRS officials disagreed with the inspector general’s recommendation to offer an identity protection personal identification number to the 79,000 taxpayers whose Social Security numbers were fraudulently used.

“The IRS disagreed with this recommendation primarily because they consider the issuance of IP PINs to be just one tool in its efforts to combat identity theft,” the audit said.

Again, the inspector general’s office was not impressed with the agency’s response.

“Unfortunately,” the inspector general concluded, “the lack of prompt action on this issue leaves the 79,122 taxpayers whose accounts were targeted at an increased risk of an identity thief filing a fraudulent tax return using their personal information.”

Sen. Ron Johnson (R-Wis.) also is upset with the agency’s cyber protection efforts. In a letter to Koskinen last week, Johnson, chairman of the Homeland Security and Governmental Affairs Committee, complained about the agency’s “apparent reluctance” to implement a cyber security system known as Einstein. All agencies are required to use Einstein by December 18 under a law cosponsored by Johnson.

An agency statement, however, indicates no reluctance. It has implemented the first two Einstein steps and said “as a next step in hardening our network and detecting and preventing malicious traffic, the IRS will put in place Einstein 3 … and is on track to implement before the Dec. 18, 2016 mandated date.”

IRS officials did agree with other inspector general recommendations, including one to improve notification letters to taxpayers. IRS officials also agreed to implement additional methods to identify everyone hit by the Get Transcript breach.

“Our review of IRS issuance of notification letters identified that the letters did not always provide sufficient information to identify dependents who may have been listed on accessed transcripts,” according to the IG’s report. “Other letters did not provide the correct address for the credit bureau to be contacted for free credit monitoring. In addition, duplicate letters were mailed to some taxpayers.”

Holland’s memo spoke to the frustrations of agency data protectors who can’t keep up with cyber thieves.

“The authentication standards that were widely accepted just a few years ago, when our online systems were designed,” she said, “are no longer adequate.”

Read more:

[$3.1 billion – at least – lost in bogus tax refunds to ID thieves in 2014]

[Weak IRS controls leave taxpayer data vulnerable, report says]

[IRS service dramatically improves to mediocre]