IRS’ Estimate of Tax Records Stolen by Fraudsters Soars to Over 300,000
More than three months after the Internal Revenue Service shut down its online tax transcript service because of a massive identity theft effort, the IRS is now acknowledging that the number of affected taxpayers is more than three times the agency’s initial estimate. And the number of affected taxpayers may continue to grow as the agency digs into logs of hundreds of thousands of connections to its Get Transcript application over the past year. Today, the agency announced that there were, in total, more than 600,000 suspicious attempts made to create user accounts on the transcript system using what appears to be stolen personal identifying information from recent credit card breaches and other corporate hacks; more than 300,000 of those attempts succeeded.
Apparently stolen data from other breaches was used to answer authentication questions.
The Get Transcript Web application provided online access to all taxpayers’ tax transactions and enough information for the submission of fraudulent tax returns to obtain refunds or for more elaborate fraud—including applying for all manner of credit. Obtaining an account to view transcript data required only knowing the name, birth date, Social Security number, tax filing status (married, single, head of household), and address associated with a household’s tax returns. Brian Krebs had previously reported on the weakness of the security of the system after being alerted to a case of tax return fraud by a reader, and Krebs urged people to set up accounts on the system before a fraudster beat them to it.