The IRS for the second time has revised the estimated damage of a big theft of American taxpayer data; it now thinks 720,000 taxpayers have had their information stolen, according to CNN.
In May of 2015, the IRS reported that fraudsters used a tool on its website to access the tax forms of 104,000 people. In August, the agency revised the number to 330,000 people.
Investigation Uncovers More Thefts
Yesterday, the IRS said the number is closer to 720,000 following a nine-month investigation by the U.S. Treasury Inspector General of Tax Administration. The investigators found an additional 390,000 taxpayer accounts had been compromised. The criminals attempted to target an additional 295,000 taxpayer transcripts than previously believed, but the attempt did not succeed, according to the IRS.
IRS Commissioner John Koskinen said the agency appreciates the work of the Treasury Inspector General for Tax Administration to determine which taxpayer accounts have been compromised and that the agency will move quickly to help those taxpayers.
Beginning next week, the agency will send notices to taxpayers to alert them about the theft. IRS will provide free credit protection and an extra PIN to protect future tax filings.
Thieves Used A Standard Tool
Until last spring, the IRS website offered a tool called “Get Transcript” designed to assist taxpayers who lose tax documents. Taxpayers can download several years of forms for doing things like applying for college financial aid or a mortgage. Taxpayers downloaded 23 million transcripts in the first few months of 2015.
The “Get Transcript” tool asked for a lot of personal information before granting access, such as physical addresses, birthdays, Social Security numbers and more.
The IRS noted that an unidentified “cybermafia” had acquired stolen information to dupe the “Get Transcript” tool and downloaded tax documents of the 720,000 people. The tax forms contain more sensitive information such as investment values, family information and salary. With this information, fraudsters can claim phony tax refunds or open fraudulent credit lines.
The cybermafia posed as legitimate taxpayers and attempted to download forms from January 2014 and May 2015. The fraud extended back more than a year than previously believed.
The agency disabled the online document tool last year.
The incident is not a hack or a data breach, the IRS said. The fraudsters did not break into the IRS computers. They simply used an IRS feature and turned it into a leaky faucet by answering the verification questions correctly.
The leak reflects how hard it is to verify identities. This is one reason the IRS has begun an experimental program to provide select taxpayers a six-digit PIN as a new layer of protection.
Also read: Identity thieves breach IRS-computer systems seeking taxpayer data
PINS Available To Certain Victims
The PINS are available to tax fraud victims and residents of Washington, Georgia and Florida.
While the PIN is being offered to the 720,000 people whose documents were exposed in this incident, it is not offering it to another 575,000 people whose Social Security numbers have been exposed.