IRS OMG WTF —

IRS’ estimate of tax records stolen by fraudsters soars to over 300,000

Using data from previous corporate breaches, fraudsters frolicked in IRS transcript data.

You can't do this any more, because some bad people did it about 300,000 times.
You can't do this any more, because some bad people did it about 300,000 times.

More than three months after the Internal Revenue Service shut down its online tax transcript service because of a massive identity theft effort, the IRS is now acknowledging that the number of affected taxpayers is more than three times the agency’s initial estimate. And the number of affected taxpayers may continue to grow as the agency digs into logs of hundreds of thousands of connections to its Get Transcript application over the past year. Today, the agency announced that there were, in total, more than 600,000 suspicious attempts made to create user accounts on the transcript system using what appears to be stolen personal identifying information from recent credit card breaches and other corporate hacks; more than 300,000 of those attempts succeeded.

The Get Transcript Web application provided online access to all taxpayers’ tax transactions and enough information for the submission of fraudulent tax returns to obtain refunds or for more elaborate fraud—including applying for all manner of credit. Obtaining an account to view transcript data required only knowing the name, birth date, Social Security number, tax filing status (married, single, head of household), and address associated with a household’s tax returns. Brian Krebs had previously reported on the weakness of the security of the system after being alerted to a case of tax return fraud by a reader, and Krebs urged people to set up accounts on the system before a fraudster beat them to it.

Originally, the IRS believed that only about 200,000 attempts were made to create Get Transcript accounts, using a scripted attack from suspicious Internet addresses—of which the agency thought about 100,000 were successful. The service was taken offline, and it remains unavailable as the IRS investigates the breach. However, it’s still possible to obtain tax transcripts through mail by sending a letter with a Social Security number, date of birth, and address from the most recent tax return—so fraud remains possible using stolen data, albeit at snail-mail rates.

IRS officials said that credit protection would be offered to taxpayers whose accounts were exposed. The full brunt of the attack may not have been felt yet. While several thousand fraudulent tax returns were filed for 2015, officials said they believed the attackers were gathering data for the 2016 tax season. So remember—file early.

Channel Ars Technica