Internal Revenue Service

The frequency of cyber attacks has made most Americans somewhat, for lack of a better word, accustomed to breach announcements. Still, it was a bit shocking when, on May 26, 2015, Internal Revenue Service Commissioner John Koskinen held an impromptu press conference to announce that cyber thieves had illegally accessed highly sensitive tax data of more than 114,000 taxpayers by way of the IRS’s “Get Transcript” online application. The thieves also attempted to access the personal information of an additional 111,000 taxpayers during the breach, but those attempts failed the final verification step and access was denied.

It appears that the cyber criminals illegally accessed taxpayer information using credentials from “non-IRS sources,” which allowed them undetected illegal access for an extended period of time, specifically from February 2015 through May 2015. It is also now known that the hackers used the “Get Transcript” application to gain access to taxpayer income tax filings for as many as the previous five years, according to Commissioner Koskinen. This data breach exposed taxpayers’ Social Security information, dates of birth, and street addresses.

The cyber incident is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation. So far, this is what is known: the IRS has determined that the hackers’ entry point was its “Get Transcript” app.

In its investigation, the IRS concluded that unauthorized third parties gained access to the transcript app by clearing a multi-step authorization process. This process requires the applicant to answer questions that demand knowledge of sensitive information about the taxpayer, such as full name, street address, date of birth, Social Security number, and tax filing status. In the final step, the applicant must correctly answer numerous identity verification questions that normally only the taxpayer would be able to answer.

Because the hackers were still able to access over 100,000 taxpayer accounts, the “Get Transcript” application has been removed from the IRS website and will remain so until the investigation of the incident has been completed and totally resolved. Taxpayers who still need transcripts of their previous income tax filings can still safely access transcript services by U.S. mail using the Form 4506 series.

Commissioner Koskinen explained that the sudden urgency of the press conference was an effort to alert taxpayers to the cyber breach as quickly as possible. Although notification letters would be mailed out very soon to the affected taxpayers, including the other 111,000 taxpayers whose accounts the cyber thieves tried and failed to access, the commissioner felt the need to inform taxpayers of the dangers immediately where possible.

The commissioner also wanted to assure the public that this breach does not involve the IRS’s main network system responsible for processing tax filing submissions from taxpayers; the main IRS computer system is secure and functioning. He also wanted to inform the public of the assistance available to all taxpayers who may be affected by the cyber intrusion.

Below are the actions the IRS has initiated since the breach in May and the assistance being offered to the victims. The following is a direct quote taken from the ‘IRS Statement on the “Get Transcript” Application’:

In addition to disabling the Get Transcript application, the IRS has taken a number of immediate steps to protect taxpayers, including:

  • Sending a letter to all of the approximately 200,000 taxpayers, whose accounts had attempted unauthorized accesses, notifying them that third parties appear to have had access to taxpayer Social Security numbers and additional personal financial information from a non-IRS source before attempting to access the IRS transcript application. Although half of this group did not actually have their transcript account accessed because the third parties failed the authentication tests, the IRS is still taking an additional protective step to alert taxpayers. That’s because malicious actors acquired sensitive financial information from a source outside the IRS about these households that led to the attempts to access the transcript application.
  • Offering free credit monitoring for the approximately 100,000 taxpayers whose Get Transcript accounts were accessed to ensure this information isn’t being used through other financial avenues. Taxpayers will receive specific instructions so they can sign up for the credit monitoring. The IRS emphasizes these outreach letters will not request any personal identification information from taxpayers. In addition, the IRS is marking the underlying taxpayer accounts on our core processing system to flag for potential identity theft to protect taxpayers going forward — both right now and in 2016.

These letters will be mailed out starting later this week (the week of May 25, 2015) and will include additional details for taxpayers about the credit monitoring and other steps. At this time, no action is needed by taxpayers outside these affected groups.

The IRS is continuing to conduct further reviews on those instances where the transcript application was accessed, including how many of these households filed taxes in 2015. It’s possible that some of these transcript accesses were made with an eye toward using them for identity theft for next year’s tax season.

While it would appear the IRS is now doing everything it possibly can to get ahead of the cyber criminals involved in this breach, the cost is already very high. That cost includes the estimated $50 million paid out so far in fraudulent income tax returns associated with this breach (the actual cost is expected to be much higher), as well as the unquantifiable cost to the IRS of lost public confidence in its ability to keep taxpayers’ sensitive information out of the hands of criminals and identity thieves. We will update this story as the investigation continues.

UPDATE: August 17, 2015

Additional IRS Statement on the “Get Transcript” Incident

In May of 2015, the IRS determined that unauthorized third parties had amassed enough sensitive taxpayer information, allegedly from sources outside of the tax authority (IRS), to gain access to the agency’s “Get Transcript” app from the IRS website. At the time of the discovery of suspicious activity in May, the IRS identified 225,000 total attempts by third parties to clear the app’s multi-step authentication process. Of those 225,000 attempts, it was determined that 114,000 were successful; the remaining 111,000 were unable to complete the process and were denied access to taxpayer information through the IRS’s Get Transcript services. At that time the investigation of the incident was in its initial stages, but it was being vigorously pursued in an effort to protect the 225,000 known data intrusion victims and possible others.

Subsequently, as a result of a widening investigation being conducted by the IRS, the time frame of the investigation was expanded to extend into the 2015 tax filing season, examining more than 23 million applications for the “Get Transcript” service.

In the wake of the expanded investigation, the IRS determined that there were an additional 220,000 taxpayer accounts where access was granted through the Get Transcript service and an additional 170,000 where access was denied due to failing the authentication process.

Once again the IRS will be notifying all 390,000 taxpayers by U.S. mail during the week of August 17, 2015. The letter will explain the expanded scope of the IRS’s investigation and instruct taxpayers to disregard the letter if they were in fact the one who utilized the Get Transcript service or if the taxpayer had already filed their income tax return before the Get Transcript breach occurred.

However, the IRS is still warning all 390,000 taxpayers that there is a good probability that the hackers may try to use their previously and newly collected sensitive information for the upcoming 2016 tax filing season. To prevent further fraudulent activities, the IRS strongly recommends that taxpayers take steps to protect their identity by taking advantage of the free identity protection/monitoring services the IRS is offering and the newly added Identity Protection (IP) PINs, which will be used to verify the validity of next year’s tax returns. The IRS is offering these protection steps to anyone who receives a letter from the IRS regarding this matter.

This matter remains under examination and review by the Treasury Inspector General for Tax Administration and IRS Criminal Investigation. As before, this writer will keep you updated with all further developments. It would be highly valuable for all those affected to read Commissioner Koskinen’s testimony before the Senate Finance Committee from June 2, 2015 for a more detailed account of what has been learned from this ongoing investigation and some insight into how cyber thieves operate.

UPDATE: February 26, 2016

IRS Statement On “Get Transcript”

The IRS announced yet another major “adjustment” to the figures for unauthorized third-party access to taxpayer account information through the IRS’s “Get Transcript” app service.

After nine months of intensive investigation covering the period from the inception of the “Get Transcript” application service in January 2014 through the closing of the online transcript application service on May 21, 2015, the IRS has now identified 390,000 additional suspicious attempts to access taxpayer accounts through the “Get Transcript” app and another 295,000 attempts that were unsuccessful.

The latest revelations of the Treasury Inspector General’s investigation into this matter have to date brought the total of affected taxpayers to a shocking 1.3 million people, leaving many people wondering when all of this will end, as every few months taxpayers are given yet more bad cyber intrusion news from the IRS regarding this matter. It would seem that the hackers have a counter to whatever additional security protections the IRS puts into place to enhance taxpayers’ identity security, as was seen on February 9, 2016 when there was an automated attack on the IRS’s Electronic Filing PIN application on

On these latest developments Commissioner John Koskinen said,

The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort. We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed. We are moving quickly to help these taxpayers

The IRS has said it will begin mailing out the 685,000 notification letters to the affected taxpayers beginning on February 29, 2016.

To give our readers accurate assistance, we are posting the “Help For Taxpayers” section directly from the updated IRS Statement On “Get Transcript,” as follows:

Help For Taxpayers

As it did last year, the IRS is moving aggressively to protect these additional taxpayers from tax-related identity theft. This includes:

  • Notifying by mail those taxpayers whose transcripts were accessed and those taxpayers whose transcripts were targeted but not accessed. These mailings will provide guidance and notify them that criminals may have their personally identifiable information.
  • Informing taxpayers whose transcripts were accessed that they can request an Identity Protection PIN by completing a Form 14039, Identity Theft Affidavit. An IP PIN provides an additional layer of protection for the taxpayer’s SSN on the federal tax return.
  • Offering taxpayers whose returns were accessed a free Equifax identity theft protection product for one year, and encouraging taxpayers to place a “fraud alert” on their credit accounts.
  • Placing extra scrutiny on tax returns with taxpayers’ SSNs.
  • Placing special markers on these taxpayer accounts to advise IRS assistors that the caller is part of this event.

To further protect taxpayers, the IRS also is sharing information about this incident with the states as part of the Security Summit effort. This is part of a larger effort undertaken this tax season to protect against identity theft refund fraud through the Security Summit group, a partnership between the IRS, state revenue departments and the tax industry.

The IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our systems.

As always, this writer will continue to update this article should more information become available.
