(Bloomberg) — Identity thieves, using the IRS website to gain access to information on 104,000 U.S. taxpayers, filed fake tax returns and collected as much as $50 million in refunds, Commissioner John Koskinen said.
The thieves had enough personal information on the taxpayers to get past the security filters on the “Get Transcript” function on the Internal Revenue Service’s website, Koskinen said Tuesday on a conference call with reporters. That allowed them to gain access to past tax returns.
“We’re confident that these are not amateurs, that these actually are organized crime syndicates,” Koskinen said.
The activity occurred from mid-February through May, and the IRS removed the Get Transcript function from its website last week and started a criminal investigation.
“We won’t put it back up until we’re satisfied that we’ve improved the security,” Koskinen said.
The IRS didn’t provide a minimum amount provided in refunds to the identity thieves.
The IRS is providing credit monitoring services to the people affected and will send a letter to another 100,000 taxpayers whose data the thieves tried and failed to breach.
Senate Finance Committee Chairman Orrin Hatch, a Utah Republican, said his panel is working with the IRS to determine how the “devastating breach” could occur.
“That the IRS — home to highly sensitive information on every single American and every single company doing business here at home — was vulnerable to this attack is simply unacceptable,” Hatch said in a statement. “This agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves.”
To contact the reporter on this story: Richard Rubin in Washington at email@example.com To contact the editors responsible for this story: Jodi Schneider at firstname.lastname@example.org Laurie Asseo, Justin Blum