The 2015 breach of the IRS' Get Transcript tool swept up far more taxpayer accounts than the IRS initially thought, an IG investigation has revealed.
IRS officials announced Feb. 26 that the damage caused by last year's breach of the Get Transcript web app is much worse than they initially thought.
After the IRS' disclosure of the breach in May 2015, the Treasury Inspector General for Tax Administration went back to Get Transcript's January 2014 launch to hunt for compromise clues. That investigation revealed more damage: 724,000 taxpayer accounts might have been accessed by hackers, and another 576,000 accounts were targeted unsuccessfully.
The IRS had initially said 100,000 or so accounts were compromised and then revised its figures upward in August 2015.
Get Transcript has been down since May 2015, but the IRS said it hopes to revive the once-popular app eventually.
The breach wasn't a hack, per se, but rather efforts by scammers to use information they already had to access the IRS files of targeted taxpayers, officials have said. The scammers could locate many of the answers needed to take advantage of Get Transcript's knowledge-based authentication by using readily available online search tools. The IRS allowed one email address to be used for multiple taxpayer accounts, enabling large-scale pulls of highly sensitive taxpayer data.
The IRS said it would begin mailing notifications to the newly revealed batch of affected taxpayers on Feb. 29.
"The IRS is committed to protecting taxpayers on multiple fronts against tax-related identity theft, and these mailings are part of that effort," IRS Commissioner John Koskinen said in a statement. "We appreciate the work of the Treasury Inspector General for Tax Administration to identify these additional taxpayers whose accounts may have been accessed."
Mailings will include an offer of identity theft protection and an invitation to get an IRS Identity Protection Personal Identification Number.
IP PINs help secure taxpayer accounts against impostors, but they're a drain on the IRS, which has to process an extra piece of data with each IP PIN-enabled account, and on taxpayers, who have to keep track of them.
Koskinen told Congress in June 2015 that the IRS can't give every taxpayer an IP PIN because of the strain on the system.