700,000 taxpayers have sensitive information stolen, IRS says
Not too long ago, we informed you that filing your taxes early may help you avoid an identity theft issue. As it turns out, if you were one of the 700,000 taxpayers whose sensitive information was accessed by a criminal cyber group in 2015, filing early may not even be enough protection. Here is why.
Over six months ago, the federal Internal Revenue Service (IRS) warned that approximately 300,000 taxpayer accounts may have been compromised. The IRS was wrong. Instead of the 300,000 taxpayers initially believed to be at risk, the damage is, in fact, significantly higher: over two times higher. The IRS now believes 700,000 taxpayers are at risk.
How did this happen?
The breach was originally reported last spring. The IRS suspects a sophisticated cyber criminal operation out of Russia accessed “Get Transcript,” an IRS system taxpayers could use to access their old tax returns. While Get Transcript was disabled after the IRS discovered the breach last May, the damage was already done.
During the breach, hackers accessed taxpayer information, including Social Security numbers, birth dates, and other data they could use to impersonate a real taxpayer, file a false federal tax return, and collect a refund.
The heightened threat to U.S. taxpayers was documented in a nine-month review conducted by the Treasury Inspector General for Tax Administration, which oversees the IRS. The review revealed additional suspicious attempts the cyber criminals had made to access taxpayer accounts using sensitive information.
What taxpayers need to look out for
The IRS has begun notifying taxpayers of the incident and is trying to help taxpayers. This includes offering free identity theft protection services and Identity Protection PINs, which those notified taxpayers will be required to use when filing their 2015 tax returns.
These mailings started Monday, February 29, 2016. If you receive one, you will qualify for free Equifax identity theft protection for one year, “extra scrutiny” on tax returns associated with your Social Security number, and a required PIN to file your 2015 tax return.
The IRS is also sharing information about the attack with state tax officials.
Is the threat over?
Absolutely not. The IRS just disclosed that it detected unauthorized efforts to gain access to e-file personal identification numbers for more than 450,000-500,000 Social Security numbers. Approximately 101,000 of those efforts occurred in January 2016, and the IRS said that the hackers succeeded in accessing e-file ID numbers.
Next steps for taxpayers
For now, taxpayers should keep an eye on their mailboxes next week. If you receive a package from the IRS, you may have been the victim of identity theft.
As soon as we get our heads around one threat or one type of breach, the next one is right around the corner. Cyber criminals are extremely smart and extremely sophisticated. As such, it is important for everyone to make protecting their personal information a priority, and companies must take all necessary measures to adequately protect the personal information of their employees.
While we cannot protect against all breaches, a very big step in protecting against a breach is preparation. It is important to work with privacy, legal, and IT professionals to ensure that sensitive information is properly protected, compartmentalized and, if possible, encrypted so that if a system containing sensitive information is breached, the sensitive information in it is completely useless.
The next step is a proper incident response plan and the ability to quickly mobilize and respond on all levels to a security incident.