IRS

IG: 700,000 taxpayer accounts could be compromised

Cyberattack, financial services

The IRS officials announced Feb. 26 that the damage caused by last year's breach of the Get Transcript web app is much worse than they initially thought.

After the IRS' disclosure of the breach in May 2015, the Treasury Inspector General for Tax Administration went back to Get Transcript's January 2014 launch to hunt for compromise clues. That investigation revealed more damage: 724,000 taxpayer accounts might have been accessed by hackers, and another 576,000 accounts were targeted unsuccessfully.

The IRS had initially said 100,000 or so accounts were compromised and then revised its figures upward in August 2015.

Get Transcript has been down since May 2015, but the IRS said it hopes to revive the once-popular app eventually.

The breach wasn't a hack, per se, but rather efforts by scammers to use information they already had to access the IRS files of targeted taxpayers, officials have said. The scammers could locate many of the answers needed to take advantage of Get Transcript's knowledge-based authentication by using readily available online search tools. The IRS allowed one email address to be used for multiple taxpayer accounts, enabling large-scale pulls of highly sensitive taxpayer data.

The IRS said it would begin mailing notifications to the newly revealed batch of affected taxpayers on Feb. 29.

"The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort," IRS Commissioner John Koskinen said in a statement. "We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed."

Mailings will include an offer of identity theft protection and an invitation to get an IRS Identity Protection Personal Identification Number.

IP PINs help secure taxpayer accounts against impostors, but they're a drain on the IRS, which has to process an extra piece of data with each IP PIN-enabled account, and taxpayers, who have to keep track of them.

Koskinen told Congress in June 2015 that the IRS can't give every taxpayer an IP PIN because of the strain on the system.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.