Identity thieves stole information on 104,000 U.S. taxpayers from the IRS website and used the data to file fake tax returns that yielded as much as $50 million in refunds, agency Commissioner John Koskinen said.
The thieves had enough personal information on the taxpayers to get past security filters on the “Get Transcript” function on the Internal Revenue Service’s website, Koskinen said Tuesday on a conference call with reporters.
That allowed them to gain access to past tax returns, which contain the information they would need to file convincing fake returns.
“We’re confident that these are not amateurs, that these actually are organized crime syndicates,” Koskinen said. He said the breach resulted in the filing of fewer than 15,000 fake returns.
The problem is another setback for the beleaguered tax agency, which had been encouraging taxpayers to use its online services to relieve the burden on its jammed toll-free telephone lines.
“This is a wakeup call that breaches have a compounding effect and the stakes are getting higher,” said Eric Chiu, president and co-founder of HyTrust Inc., a data-security company. “Attackers are on the hunt for our personal and financial information using data stolen from other breaches to gain a larger amount of information on those same individuals. The outcome of this could be devastating to consumers.”
The amount stolen is relatively small compared with the broader wave of tax-refund identity theft the IRS has fought for several years. In 2011 alone, the IRS paid out $3.6 billion in potentially fraudulent refunds, according to its inspector general. That money is a loss for the Treasury, except to the extent that the government can get it back through prosecutions.
The breach was unusual because the thieves gained access directly through the IRS.
The activity occurred from mid-February through May. The IRS removed the Get Transcript function from its website last week and started a criminal investigation.
“We won’t put it back up until we’re satisfied that we’ve improved the security,” Koskinen said.
The Get Transcript function allowed taxpayers who provided identifying information to access their past tax returns without calling the IRS or visiting the agency in person. In addition to Social Security numbers and addresses, they had to provide “out-of-wallet” information, such as their high school mascot or the type of car they once owned, Koskinen said.