More than 100,000 U.S. taxpayers are at high risk of having their financial information used by criminals to file fraudulent tax returns in their name.
The Internal Revenue Service (IRS) has confirmed that a group of sophisticated hackers has gained entry into an application on its website called Get Transcript, which allows taxpayers to download copies of previous tax returns.
In a statement, the IRS said at least 200,000 attempts to steal citizens' tax returns were made from February until two weeks ago, when the IRS discovered more than the usual number of tax returns were made.
More than half of those attempts, the IRS said, were successful, allowing hackers to steal taxpayers' Social Security numbers, dates of birth, physical home addresses, tax filing status and other information pertinent to filing tax returns.
The tool has been temporarily shut down, but the damage has already been done. The IRS itself admits that around $5.8 billion in fraudulent tax returns were paid last year, although another 3 million returns believed to cheat the real owners were prevented from being sent out to crooks this year.
Two officials, who asked to remain anonymous, said the hackers were traced to Russia, but IRS Commissioner John Koskinen declined to comment about the source of the crime.
The IRS makes clear that its own computer system was not affected. Instead, the hackers stole taxpayers' private information from elsewhere and used that data to log in to their IRS Get Transcript accounts.
"The online application will remain disabled until the IRS makes modifications and further strengthens for it," the agency said in a statement. "The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS' Criminal Investigation unit."
The IRS plans to send letters to all of the 200,000 people whose accounts were accessed by hackers, including those whose tax returns were not downloaded, in an "additional protective step" to alert taxpayers that sensitive information used to access their accounts is already in the hands of crooks.
The 100,000 taxpayers whose previous tax returns were downloaded will also receive an entire year of free credit monitoring, but people who are concerned about their private information can still avail themselves of the three free credit reports available to them each year from Equifax, TransUnion and Experian via AnnualCreditReport.com. Taxpayers can also ask the credit bureaus to issue them alerts when a loan is being made in their name, or they can freeze their credit accounts altogether to prevent anyone from using their information to file for loans.
Government monitors have long warned of weak security measures within the IRS computer system. Dating back to 2007, the reports warn of failures in IRS database controls and the lack of screening measures for employees who handled sensitive taxpayer information. The IRS does not deny these weak spots in its system, but it argues that the massive budget cuts mandated by Congress prevent it from properly implementing a more secure system.