100,000 Taxpayers Had Transcripts Accessed by Criminals Who Created Accounts on IRS Get Transcript Website

The IRS on May 26, 2015 announced in a statement published on the agency’s web page that criminals had obtained access to information about 100,000 taxpayers via unauthorized use of the IRS’s “Get Transcript” application.  The information accessed included Social Security information, date of birth and street address.

The IRS has shut down the “Get Transcript” application pending a determination by the IRS about what modifications to the program should be made in order to strengthen security for the program.

The IRS announcement indicated that the criminals had obtained access to the information that was needed to clear the IRS original authentication process from “non-IRS” sources, though those sources are not identified.  As the IRS described in its release, the information needed would include:

  • Social Security information
  • Date of birth
  • Tax filing status
  • Street address
  • Questions related to additional items that should be known only by the taxpayers (generally the IRS has used information obtained from credit reports)

The release notes that there were 200,000 total attempts—so that about half of the attempts failed, while the other half successfully gained access to the transcript system.  The IRS found questionable activity that it believes relates to attempts to gain unauthorized access from mid-February until May.

Although the notice doesn’t give details in this area, more sophisticated frauds that use information obtained from one source (perhaps via a true hack of a site) to then be able to simply gain access to another site (and its information) by simply being able to either log in or create an account.

Brian Krebs, a long time writer on the topic of computer security, on his website KrebsonSecurity published an article that discussed the matter on the day the IRS posted the announcement.  Mr. Krebs had published an article in March that detailed the issues one taxpayer ran into when a third party created an account that blocked him from obtaining a transcript online when he was victimized by tax return fraud. 

It would appear that the gentleman in Mr. Krebs’ article was likely one of those now identified by the IRS as part of a much wider criminal fraud.

The IRS will be notifying all 200,000 taxpayers that had an attempt made to access their data and offering credit monitoring to the 100,000+ individuals whose accounts were actually accessed.

Advisers may get phone calls from clients who are on one or the other list.  While it may seem “better” to be on the “failed” class, advisers should caution clients that right now we don’t have much information on why these particular accounts were targeted.  But it seems likely those who targeted the accounts had a relatively large trove of information on these individuals to make them believe they had a reasonable chance (50% or so) of success.

If that is the case, such individuals should be aware that it’s likely someone unauthorized has a substantial amount of what they’d consider personal and private information about them and that this information could be leveraged to allow those individuals to pose as the client.  Thus the individuals should consider doing their own credit report monitoring for the foreseeable future and be on the lookout for any sort of unauthorized access to their accounts.

That information may lead to other problems—many sites and organizations have “password recovery” options for users who claim to have misplaced both their username and password, often “verifying” the user by asking for personal information of some sort. If the criminal has that information it’s trivial to “hijack” an account and make nefarious use of it while locking out the legitimate customer.

Advisers may want to educate clients on the use of “two-factor” authentication for sites that offer the option.  In such cases the site normally requires, in addition to the username and password, that the user give the site a unique one time code that is sent to the user as an SMS or generated by an application (like Google Authenticator) that runs on the user’s phone.  Use of second factor authentication greatly complicates any attempt by a criminal to make use of username/password combinations.

Adviser also should strongly caution clients about the risks of “reusing” passwords on multiple sites.  While there may be little concern about a third party gaining access to a client’s account on a blog devoted to rugby, if that same username password combination is also used to access the client’s bank’s site, a criminal who gains access to the rugby site’s list of usernames and passwords can make use of that to access the bank account.  And, quite often, there simply won’t be strong protections for the password database on sites like the rugby blog, often because the blog is simply a site being run by a rugby (or needlepoint, etc.) enthusiast in his/her spare time.

In particular advisers who maintain portals that allow clients to access information (like tax returns) should be sure to advise clients to not use a password for your firm’s site that is used anywhere else.  Because, unfortunately, if the client’s data is accessed by a third party making use of the password from the rugby site the news story will be, like the one for the IRS, that clients of your firm had data accessed by unauthorized third parties.