The IRS’s online Get Transcript app (GTA) (https://www.irs.gov/individuals/get-transcript) experienced a data breach during tax season that is still affecting taxpayers, according to a report released by the Treasury Inspector General for Tax Administration (TIGTA). The report was released a day after the IRS relaunched the app with fixes to prevent identity theft.
Kevin Thompson, CPA, says, “TIGTA was established in January 1999 in accordance with the Internal Revenue Service Restructuring and Reform Act of 1998 (RRA 98) to provide independent oversight of Internal Revenue Service (IRS) activities. As mandated by RRA 98, TIGTA assumed most of the responsibilities of the IRS’ former Inspection Service.” For more information on this function, see https://www.treasury.gov/tigta/about_what.shtml.
The GTA was taken down in May 2015 after the agency discovered that thousands of taxpayers’ transcripts had been accessed by thieves. It turns out that 390,000 taxpayers were affected and 295,000 more had their transcripts targeted but not stolen. In an effort to help victims, the IRS provided taxpayers with Identity Protection PINs as well as free credit monitoring.
Unfortunately, the IRS was not able to identify 620,931 individuals whose information was compromised. It was also discovered that unauthorized users successfully obtained access to 355,262 taxpayers’ accounts.
Another 2,470 taxpayers whose accounts were breached through the GTA were not identified because the IRS excluded three system error codes that could have identified them. The IRS also didn’t place identity theft incident markers on the accounts of 3,206 taxpayers who had been identified as victims of the breach. The agency has informed the TIGTA that each would receive an identity theft marker. The IRS also did not offer PINs or free credit monitoring to 79,122 taxpayers whose accounts may have been targeted. Thompson says, “As a businessman and CPA, I am aware that these breaches happen. The host of the data breached should do everything in its power to restore those violated. It troubles me that the IRS did not do that in this circumstance.”
The TIGTA is recommending that the IRS execute other methods of evaluation that will identify individuals who have been affected by the breach, issue notifications to the taxpayers who may have been targeted, and place identity theft markers on their accounts. The IRS must also analyze system error codes, place identity theft markers, and issue PINs to those whose personal data was used by the hackers of the Get Transcript app.
The IRS has agreed to comply with 7 of 8 recommendations from the TIGTA. It does not want to issue PINs to 79,122 taxpayers whose accounts thieves attempted to hack but didn’t access. The TIGTA is concerned that the IRS’s failure to provide prompt action will leave taxpayers at risk of further fraud.
The IRS says that most of the information used by the hackers originated outside of the agency. However, Debra Holland, commissioner of the IRS’s Wage and Investment Divisions, says, “The theft of taxpayer data from the Get Transcript system was unprecedented in both its scope and the method in which the crime was committed.” Thompson says, “And with that, the IRS must take measures to prevent further hacks.”
When the GTA relaunches, its new multi-factor authentication will require users to enter codes sent to their email or mobile phone, to protect their identity. Multi-factor authentication is an upgrade that will provide better security even though it will mean taxpayers will have to take extra steps in the process.
The IRS thanked the TIGTA for their help in finding better ways to serve the taxpayers who were victims. They have announced a new secure access framework that will significantly increase protection against criminals who impersonate taxpayers and aid them in other services in the future.