Data breaches are becoming almost commonplace, but when the data is taken from the IRS, it really gets people's attention. Indeed, the recent admission by IRS commissioner John Koskinen that criminals accessed information from over 104,000 taxpayers through an IRS site caused a significant stir throughout Washington, DC, as well as stoking flames in the media.
Technically, the IRS information leak was not a system hack or data breach. The thieves used information obtained through other means to access past tax returns of individual taxpayers with the IRS's Get Transcript application. The past returns gave crooks enough added information to file false tax returns and claim refunds totaling almost $50 million before the IRS shut down the application.
The IRS is notifying affected taxpayers, as well as another 100,000 taxpayers who experienced attempts to access their accounts that were foiled by the IRS filters. The 104,000 taxpayers with compromised information will be offered free credit monitoring by the IRS.
Unfortunately, many taxpayers found out about their data being compromised when their tax forms were rejected for having "already been filed." The first filing takes precedence in the IRS's automated systems, so affected taxpayers have to contact the IRS directly to get the situation resolved. The IRS will pay an earned refund to you even if they have already paid a thief — but it takes time to resolve the situation.
Shutting down the Get Transcript site can throw a monkey wrench into the plans of those seeking a mortgage or student financial aid. The mortgage connection is especially troubling, since lenders routinely use third-party access to pull your past tax records (with your approval) in order to underwrite a mortgage loan. What are the safeguards within these third parties? The Washington Post attempted to find out but received no comment from the IRS and few responses from the third parties.
In any case, if you were affected by the breach that means your basic information is out there in the criminal world and even more information has been opened up through your tax records. Even if you were not affected by the breach, there is no guarantee criminals are not holding onto your information and planning to use it later.
What Should You Do Now?
If you have been affected, make sure that you contact the IRS and verify the free credit monitoring has been activated. You should be issued a personal identification number (PIN) that will be supplied each year by the IRS as an extra layer of security. If you are not offered a PIN, request one — because enough of your permanent information is available now that you need the extra security level to thwart fraudulent filings. When you use third-party tax services, whether it is through a CPA or an online entity like TurboTax, do not be afraid to challenge the details of how your information is being protected.
Check with your state tax agency as well, since thieves can also file false state tax returns in your name. The refund levels are often not as large, but state returns are more easily overlooked.
The IRS could (and should) add multiple layers of security to the Get Transcript system, such as a multifactor system that requires a secondary password sent through their mobile device. However, we suggest you take your own protection steps, since your information is probably also being used to open false accounts.
Check with all three Credit Bureaus, and if there is evidence of attempts to open a false account, consider a credit freeze. You can also take a series of simple steps to reduce the likelihood of similar breaches — use strong passwords, change them often, and do not re-use passwords at different sites just for convenience. Don't make life easier for criminals attempting this style of breach. A lax attitude may be part of the reason why your information is out there in the first place.
If you would like to prevent identity theft, check out our credit monitoring service.