The IRS announced late yesterday that criminals used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 100,000 tax accounts through the IRS online “Get Transcript” application. This data included Social Security numbers, date of birth and street address.
These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer. The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the “Get Transcript” application has been shut down temporarily. The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.
The IRS will be sending a letter to all of the approximately 200,000 taxpayers whose accounts had attempted unauthorized accesses, notifying them that third parties appear to have had access to taxpayer Social Security numbers and additional personal financial information from a non-IRS source before attempting to access the IRS transcript application. Although half of this group did not actually have their transcript account accessed because the third parties failed the authentication tests, the IRS is still taking an additional protective step to alert taxpayers. That’s because malicious actors acquired sensitive financial information from a source outside the IRS about these households that led to the attempts to access the transcript application.
In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems. The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.
I believe it is important for our clients to understand the issue at hand here. In the first place, IRS was not “hacked.” More to the point, criminals did not break into IRS databases and steal 100,000 accounts. The criminals had the keys, obtained elsewhere and they went in the front door by fraudulently posing as taxpayers. While our clients may not be particularly interested in this fine distinction, I believe the distinction is one worth making.
We were aware that the IRS temporarily shut down the Get Transcript application last week after an initial assessment identified questionable attempts had been detected on their system in mid-May. The online application will remain disabled until the IRS makes modifications and further strengthens security for it.
Rest assured that that our information systems are secure.
Facebook Comments