The plot to steal information on 100,000 taxpayers from the Internal Revenue Service and hijack nearly $50 million in refunds not only reveals a previous security breach but also hints at a wider fraud that may bedevil Americans in the future.
Some security and tax experts warned that this latest data theft may be a prelude to more targeted swindles aimed at duping taxpayers into handing millions of dollars over to cybergrifters or to help thieves circumvent the agency’s security filters next year and beyond.
“This breach is not just about what this single group is going to do with the information, but what happens when this information gets sold in the black market,” said Peter Warren Singer, the author of “Cybersecurity and Cyberwar: What Everyone Needs to Know.” “It’s rare for the actual attackers to turn the information directly into money. They’re stealing the data and selling it off to other people.”
It is almost impossible to find a business or government agency that has not had some kind of security breach, he noted. Millions of customers at companies like Target and the private insurer Anthem have been raided. And earlier this year, TurboTax temporarily halted electronic filing of state income tax returns after seeing an uptick in attempts to use stolen information to file fraudulent returns and wrongly claim tax refunds.
IRS investigators believe the identity thieves who stole the personal tax information of more than 100,000 taxpayers from an IRS website are part of a sophisticated criminal operation based in Russia, two officials told the Associated Press. An IRS spokeswoman said the agency couldn’t comment on the investigation.
With the IRS, it was not the agency’s own system that was hacked. Criminals had already obtained individuals’ Social Security numbers, addresses and birth dates and then used the information to hoodwink the network and gain access to taxpayers’ returns and filings through an application on the IRS website.
“There was no identity theft within the IRS' actual system,” Aaron Blau, a tax expert in Tempe, Ariz., pointed out. “These people already had all of this data. They could have used this information to call your bank, your doctor, your insurance carrier, and they would have gotten through 100 percent of the time. In this case they chose to use the IRS.”
Many Americans are being attacked more directly, Blau said. One popular scheme is to cold-call taxpayers and threaten them with prosecution if they do not immediately pay money supposedly owed to the IRS by directing them to purchase a prepaid debit card and then transfer the money. Now, with more detailed information from returns, criminals could better target potential victims, and bolster their credibility with information stolen from taxpayer filings, Blau said.
Reusable prepaid cards have become a magnet for fraud, according to law enforcement officials, with swindlers often posing as bill collectors, government agents and others.
Without more information about the individuals who were targeted, it is hard to know the endgame, said Marc Goodman, the author of “Future Crimes.” He noted that previous security breaches have sometimes been used to embarrass politicians, celebrities or corporate figures, and tax returns would provide a rich source of personal information.
Although some critics have been quick to condemn the IRS, several tax experts said using this episode to vilify the agency was unfair.
“The IRS takes data, privacy and data security extremely seriously,” said Edward Kleinbard, a professor of law at the University of Southern California and former staff director of the Joint Tax Committee of Congress. “They do their best, but the resources arrayed against it have become increasingly well-funded and sophisticated, and the problems will only compound over time.”
William Gale, co-director of the tax policy center at the Brookings Institution, agreed the issue extends beyond a single agency.
“I don’t think this is an IRS problem per se,” Gale said. “It is facing the same problems that all the major data providers have.”
The IRS has repeatedly said protecting taxpayer information and combating fraud is a priority. Half of the attempted information thefts were rebuffed through a system of filters that are used to detect fraud, the agency said.
Still, there is little debate that its efforts have been hampered by budget cuts. Just two months ago, an agency overseer issued what now seems to be a prescient warning.
“Resources have not been sufficient for the IRS to work identity theft cases dealing with refund fraud, which continues to be a concern,” J. Russell George, the Treasury Inspector General for Tax Administration, testified before a Senate subcommittee.
As for this most recent data theft, the IRS urged taxpayers not to contact the agency, saying it would only delay the already overburdened staff. Anyone whose information was stolen will be contacted, the agency said.
The best advice at this stage, Blau, the tax expert, said, is, “Hurry up and wait.”
Guard your personal data
▪ Turn on multifactor authentication. If a service offers added security features like multifactor authentication, turn them on. When you enter your password, you will receive a message, usually via text, with a one-time code that you must enter before you can log in. Most banking sites, however, offer two-factor authentication and will ask for a second one-time code anytime you log in from a new computer.
▪ Change your passwords, again. And yes, they have to be passwords you have never used before. They also need to be long and not words you would find in a dictionary.
▪ Forget about security questions. These questions are problematic because the Internet has made public record searches a snap and the answers are usually easy to guess.
▪ Monitor your credit. Typically a service will offer one year of free credit monitoring if it has been breached. But it is better to monitor your credit at all times through free services like AnnualCreditReport.com.