The Internal Revenue Service said Tuesday that identity thieves used one of its online services to obtain prior-year tax return information for about 100,000 U.S. households, a major breach of the agency charged with safeguarding taxpayers’ privacy.
The agency said cybercrooks used stolen Social Security numbers and other specific data acquired from elsewhere to gain unauthorized access to the tax-agency accounts, beginning in February and continuing through mid-May.
About 104,000 attempts successfully accessed earlier returns, IRS Commissioner John Koskinen said. An additional 100,000 attempts were unsuccessful, the agency said.
The incident, which echoes similar problems earlier this year in some states, highlights the growing risks from cybersecurity breaches to both individuals and the government. It particularly reflects crooks’ ability to carefully aggregate vast amounts of personal data from multiple sources, and plan and execute highly sophisticated schemes.
The agency believes fewer than 15,000 refunds were paid as a result of the frauds, and the total paid out was under $50 million, Mr. Koskinen said. But in a statement, the IRS said it is possible that some of the stolen tax transcripts were being stockpiled, “with an eye toward using them for identity theft for next year’s tax season.”
The IRS said that to access the information, crooks had to clear a multistep authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address, before accessing IRS systems. The process also involved answering personal identity-verification questions, such as “What was your high school mascot?”
Mr. Koskinen, when asked how impostors obtained answers to these so-called “out-of-wallet” questions, suggested social media might have played a role.
Source: The Wall Street Journal | John D. McKinnon, Laura Saunders