How Did Taxpayers' Info Get Hacked at the IRS?
WASHINGTON – The Internal Revenue Service has determined that about 104,000 taxpayers had their tax information obtained by identity thieves who got through an agency web application, and it says security steps are being taken to ensure the same thing cannot happen again.
Appearing before the Senate Finance Committee, IRS Commissioner John Koskinen reported that a recent series of unauthorized attempts to obtain taxpayer data through the agency’s “Get Transcript” online application, which is intended to give taxpayers access to their prior-year returns, remains under investigation.
“While we are continuing our in-depth analysis of what happened, the analysis thus far has found that the unauthorized attempts to request information from the ‘Get Transcript’ application were complex and sophisticated in nature,” Koskinen said. “These attempts were made using taxpayers’ personal information already obtained from sources outside the IRS – meaning the parties making the attempts had enough information to clear the Get Transcript application’s multi-step authentication process.”
Koskinen said the IRS recognizes “the severity of the situation for these taxpayers” and that the agency is doing everything it can to protect the affected taxpayers.
“Securing our systems and protecting taxpayers’ information is a top priority for the IRS,” Koskinen said. “Even with our constrained resources as a result of cuts to our budget totaling $1.2 billion since 2010, we continue to devote significant time and attention to this challenge.”
Hackers, he said, have proved able to gather increasing amounts of personal information of taxpayers as a result of data breaches at sources outside the IRS, rendering “protecting taxpayers increasingly challenging and difficult.”
“Get Transcript” allows taxpayers to view and print a copy of their prior-year tax transcript in a timely fashion. Prior to the introduction of the online tool, taxpayers had to wait five to seven days after placing an order by phone or by mail to receive a paper transcript by mail.
Koskinen said taxpayers use tax transcript data for a variety of reasons, including verifying income when applying for a mortgage or student loan.
The IRS cybersecurity team first noticed unusual activity on the “Get Transcript” application in the middle of May. At that time, investigators thought the agency might be facing a “denial of service” attack, in which attackers try to disrupt a website’s normal functioning by flooding it with traffic.
“Our teams worked aggressively to look deeper into the situation during the following days and ultimately uncovered questionable attempts to access the ‘Get Transcript’ application,” Koskinen said. “As a result, the IRS shut down the ‘Get Transcript’ application on May 21. The application will remain disabled until the IRS makes modifications and further strengthens security for the application.”
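The shift described above, from “this looks like a denial of service” to “these are authentication attempts that succeed”, comes down to what is aggregated per source. The following is an added example, not IRS code or the agency’s actual detection logic: it assumes a hypothetical one-line-per-attempt log format, constructed sample records, and illustrative thresholds, and it separates a source that hammers one identity and never gets in (the flood pattern) from a source that walks through many different taxpayers and clears the knowledge-based checks most of the time (the Get Transcript pattern, where each attempt on its own looks like a legitimate login).

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records, not real IRS logs. The format is an assumption:
# "<timestamp> <source_ip> <taxpayer_id> <pass|fail>", one KBA attempt per line.
# "tp-NNNN" stands in for a hashed taxpayer identifier.
_LINES = [
    # Source A: many different identities, mostly passing, because the
    # operator already holds SSN, DOB, address and the out-of-wallet answers.
    "2015-05-14T10:00:01Z 198.51.100.7 tp-1001 pass",
    "2015-05-14T10:00:09Z 198.51.100.7 tp-1002 pass",
    "2015-05-14T10:00:15Z 198.51.100.7 tp-1003 fail",
    "2015-05-14T10:00:22Z 198.51.100.7 tp-1004 pass",
    "2015-05-14T10:00:30Z 198.51.100.7 tp-1005 pass",
    "2015-05-14T10:00:37Z 198.51.100.7 tp-1006 pass",
    # Source C: a genuine taxpayer who mistypes once, then succeeds.
    "2015-05-14T10:02:00Z 192.0.2.44 tp-3001 fail",
    "2015-05-14T10:02:40Z 192.0.2.44 tp-3001 pass",
]
# Source B: one identity hit twenty times with no success, the volume-only
# pattern that is easy to mistake for denial of service.
_LINES += [f"2015-05-14T10:01:{i:02d}Z 203.0.113.9 tp-2001 fail" for i in range(20)]
SAMPLE_LOG = "\n".join(_LINES) + "\n"


@dataclass
class SourceStats:
    attempts: int = 0
    passes: int = 0
    identities: set[str] = field(default_factory=set)

    @property
    def pass_rate(self) -> float:
        return self.passes / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list[tuple[str, str, str, bool]]:
    """Parse the assumed log format into (timestamp, source_ip, taxpayer_id, passed)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, tid, outcome = line.split()
        records.append((ts, ip, tid, outcome == "pass"))
    return records


def profile_sources(records) -> dict[str, SourceStats]:
    """Aggregate attempts, successes and distinct taxpayer identities per source."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for _ts, ip, tid, passed in records:
        s = stats[ip]
        s.attempts += 1
        s.passes += int(passed)
        s.identities.add(tid)
    return dict(stats)


# Illustrative thresholds (assumptions); tune against a real baseline.
MIN_ATTEMPTS = 5            # fewer than this and a source is too small to judge
FLOOD_PASS_RATE = 0.05      # volume with (almost) no successful authentications
ABUSE_IDENTITY_RATIO = 0.8  # nearly every attempt targets a different taxpayer
ABUSE_PASS_RATE = 0.5       # and most of them clear KBA: answers were pre-obtained


def classify(stats: dict[str, SourceStats]) -> dict[str, str]:
    """Label each source 'flood', 'kba_abuse' or 'normal'.

    Only the per-source aggregate separates the cases: a flood has many
    attempts and nothing gets through; KBA abuse has many distinct taxpayers
    from one source with a high pass rate.
    """
    labels: dict[str, str] = {}
    for ip, s in stats.items():
        identity_ratio = len(s.identities) / s.attempts
        if (s.attempts >= MIN_ATTEMPTS and identity_ratio >= ABUSE_IDENTITY_RATIO
                and s.pass_rate >= ABUSE_PASS_RATE):
            labels[ip] = "kba_abuse"
        elif s.attempts >= MIN_ATTEMPTS and s.pass_rate <= FLOOD_PASS_RATE:
            labels[ip] = "flood"
        else:
            labels[ip] = "normal"
    return labels


def detect(text: str = SAMPLE_LOG) -> dict[str, str]:
    """Run the full pipeline on a log text and return labels keyed by source IP."""
    return classify(profile_sources(parse_log(text)))


if __name__ == "__main__":
    for ip, label in detect().items():
        print(f"{ip:15} {label}")
```

The point of the identity-ratio check is that a rate limit keyed only on attempts, or an alert keyed only on failures, would catch source B and miss source A entirely; it is the count of distinct taxpayers per source combined with the pass rate that exposes a party working from purchased personal data.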
Koskinen assured the committee that the hackers did not attempt to gain access to the main IRS computer system that handles tax filing submissions.
“We believe it is possible that some of the attempts to access tax transcripts were made with an eye toward using the information to file fraudulent tax returns next year,” Koskinen said. “For example, any prior-year return information criminals obtain would help them more easily craft seemingly authentic returns, making it more difficult for our filters to detect the fraudulent nature of the returns.”
Now that the application has been closed, Koskinen said, the agency’s biggest concern is to make sure affected taxpayers are protected against fraud in the future. Immediate steps have been taken to assist the affected taxpayers in protecting their data against fraud.
J. Russell George, the Treasury Department inspector general for tax administration, said IRS reports that have not yet been validated indicate a hacker or hackers cleared an authentication process that required knowledge of information about the taxpayer, including Social Security number, date of birth, tax filing status and street address.
“In addition, it appears that these third-parties had access to private personal information that allowed them to correctly answer questions which typically only the taxpayer would know,” George said. “This type of information can be purchased from illicit sources or fee-based databases or obtained from social media sites.”
George noted that the current technology environment has raised taxpayers’ expectations for online customer service interactions and the IRS feels the need to meet those expectations. But the risk of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering taxpayers self-assisted interactive online tools.
“The proliferation of data breaches reported in recent years and the types of information available on the Internet has resulted in a degradation of controls used to authenticate individuals accessing personal data in some systems,” George said. “The expansion of e-commerce services often conflicts with the tenets of strict security standards.”
Providing taxpayers more avenues to obtain answers to their tax questions or to access their own tax records online, George said, “also creates greater risk to an organization and provides more opportunities for exploitation by hackers and other fraudsters.”
George said the inspector general’s office has identified a number of areas in which the IRS could better protect taxpayer data and improve its overall security posture. As of March, IG audits of IRS systems have resulted in 44 security recommendations that have yet to be implemented. While most of these recommendations are based on recent audits, there are 10 recommendations from five audits that are over three years old.
“The IRS faces the daunting task of protecting its data and IT environment from the ever-changing and rapidly-evolving hacker world,” George said. “This incident provides a stark reminder that even security controls that may have been adequate in the past can be overcome by hackers who are anonymous, persistent and have access to vast amounts of personal data and knowledge.”
The agency, George said, “needs to be even more vigilant in protecting the confidentiality of sensitive taxpayer information. Otherwise, as shown by this incident, taxpayers can be exposed to the loss of privacy and to financial damages resulting from identity theft or other financial crimes.”
Sen. Orrin Hatch (R-Utah), the committee chairman, told Koskinen that, as a result of the breach, the IRS “has failed these taxpayers.”
“In fact, there is reason to believe the IRS will be more frequently targeted in the future,” Hatch said. “After all, the IRS stores highly sensitive information on each and every American taxpayer, from individual taxpayers to large organizations and from mom and pop businesses to multinational corporations. The challenge of data security matters a great deal to every single taxpayer and will continue to be a central challenge to tax administration in the coming years.”
Data security and the protection of taxpayer information, Hatch added, “is of the highest importance in the prevention of stolen identity refund fraud.”
“Identity theft, and the resulting tax fraud, costs taxpayers billions of dollars every year, and, once it occurs, it can take months or years for a taxpayer to mitigate the damage,” he said.
Sen. Ron Wyden (D-Ore.), the panel’s ranking member, said in his view the conduct of the hackers “fits the definition of organized crime.”
“This is not just a question of resources, and certainly it is not a lack of commitment from the IRS staff,” Wyden said. “It’s also a question of expertise. The era of punch cards and paper forms ended long ago. Federal agencies like the IRS need to tap into the expertise of our leading web firms – the pros who serve not millions or tens of millions, but hundreds of millions of users.”