Fraudsters stole private information from the IRS on more than 100,000 taxpayers and used it to bilk the agency of tens of millions of dollars, Commissioner John Koskinen said Tuesday — though he insisted the breach didn’t affect most Americans.
The criminals gained access to the IRS through a new system called “Get Transcript,” which allows taxpayers to go online and get years’ worth of their own tax records. Mr. Koskinen said the perpetrators used information they already knew about taxpayers to fool the system into believing it was the taxpayer logging in, and then stole the transcripts with even more information.
In thousands of instances the criminals turned around and used that same information to file fraudulent returns, stealing potentially close to $50 million from the government.
“This is not a security breach. Our basic information is secure,” Mr. Koskinen insisted in a call with reporters to discuss the theft, which had gone on for months — dating back to February — but was only caught last week.
It’s the latest embarrassment for the tax agency, which has been dealing with reports of political targeting, wasteful spending and poor management that meant it paid out billions of dollars in bogus tax credit claims.
The IRS has also pleaded poverty, begging Congress to send more money and saying its services were suffering in the meantime. But Mr. Koskinen said while they were cutting elsewhere, they weren’t scrimping on security, and the breach wasn’t a result of lack of diligence.
Congressional overseers weren’t convinced.
“That the IRS — home to highly sensitive information on every single American and every single company doing business here at home — was vulnerable to this attack is simply unacceptable,” said Sen. Orrin G. Hatch, Utah Republican and chairman of the Senate Committee on Finance.
Mr. Hatch said the IRS has been “repeatedly warned” it needed to do more to protect taxpayers but fell short.
The Get Transcript application had been highly touted in 2014 as a step in President Obama’s attempts to streamline government, and the agency had insisted at the time that it was taking strong security steps.
Logging in required giving the kind of personal identifying information that credit ratings bureaus keep — questions such as what street someone lived on years earlier — in order to prove someone’s identity.
Mr. Koskinen said the breach suggests that those steps are no longer enough to maintain online security. He said social media has made it much easier to build a massive database to come up with the answers to those questions, which likely helped the fraudsters gain access to the IRS’ transcripts, which provided them with even more information.
“In some cases the criminals can answer the questions better than you can,” Mr. Koskinen said, blaming organized crime syndicates for the breach.
Mr. Koskinen said the fraudsters attempted to access information from 200,000 taxpayers and succeeded in about 104,000 cases.
Of those, fraudulent refunds were filed in thousands of cases — though the commissioner said it’s likely to be fewer than 15,000. He said the fraudsters appeared to be storing data for possible future use.
The IRS will pay for a credit-monitoring service for the 104,000 people whose IRS information was stolen, and will send letters to all 200,000 taxpayers whose accounts were tried by the fraudsters. The IRS said that isn’t strictly necessary since the information didn’t come from the agency, but said it wanted to alert taxpayers that their data is already out there.
The Get Transcript application has been shut down, and taxpayers who need their information will have to have it sent by mail.