The Internal Revenue Service failed to identify and assist all taxpayers who may have been affected by the data breach in its online “Get Transcript” application, according to a new government report.
The report, released Wednesday by the Treasury Inspector General for Tax Administration, came a day after the IRS announced it had relaunched the Get Transcript app with improved authentication to safeguard against identity theft (see IRS Relaunches ‘Get Transcript’ App with Better Authentication).
The IRS took down the app in May 2015 after discovering that hundreds of thousands of taxpayers may have had their tax transcripts accessed by criminals. Initially the IRS believed that only about 104,000 taxpayers were affected, but it later discovered around 390,000 were potentially affected, with another 295,000 taxpayers whose transcripts were targeted but not accessed (see IRS Finds ‘Get Transcript’ Data Breach Was More Widespread). The IRS said it was contacting all the taxpayers and offering them Identity Protection PINs, with many of them getting free credit monitoring as well.
However, the new TIGTA report found the IRS still did not identify all of the individuals potentially affected by the Get Transcript application breach. TIGTA’s analysis of system audit logs created between Jan. 1, 2014, and May 21, 2015, identified 620,931 taxpayers whose tax account information involved a potentially unauthorized access not identified by the IRS. Further analysis of these access attempts found that potentially unauthorized users were successful in obtaining access to 355,262 of the taxpayers’ accounts.
TIGTA also identified 2,470 additional taxpayers whose accounts were targeted through the Get Transcript application breach that the IRS did not identify. This resulted from the IRS erroneously excluding three system error codes when identifying accounts of potential victims.
In addition, TIGTA found the IRS did not place identity theft incident markers on the tax accounts of 3,206 taxpayers whom the IRS identified as affected by the Get Transcript application breach. After TIGTA questioned the IRS’s rationale for not placing the marker on all tax accounts, management agreed that all affected taxpayer accounts need the marker. As a result, IRS officials informed TIGTA they would ensure that all affected taxpayer accounts receive the identity theft marker.
Finally, the IRS did not offer an Identity Protection Personal Identification Number (IP PIN) or free credit monitoring to 79,122 individuals whose tax accounts the IRS identified as being involved in an attempted access.
“While the IRS acted swiftly to disable its application upon learning of the data breach, our auditors found that it did not identify all taxpayers who were potentially affected, and whose tax information was at risk of being used by unauthorized individuals,” said TIGTA Inspector General J. Russell George in a statement. “Once we notified the IRS of this issue, it acted to notify these additional taxpayers.”
TIGTA recommended that the IRS implement additional evaluative methods to identify all individuals affected by the breach, issue notification letters to 620,931 taxpayers whose accounts were potentially targeted and place identity theft incident markers on their accounts. TIGTA also recommended that the IRS ensure authentication system error codes are analyzed when responding to future data breaches, notify the additional 2,470 taxpayers identified, and place identity theft incident markers on their accounts. The report also suggested the IRS should place identity theft incident markers on the 3,206 taxpayer accounts, as required, and issue IP PINs to the 79,122 individuals whose personal information was used by unauthorized individuals to attempt access to the Get Transcript application.
The IRS agreed with seven of the eight recommendations. However, the IRS disagreed with the recommendation to issue IP PINs to the 79,122 individuals with attempted accesses to their tax information. Although it disagreed with the recommendation, the IRS acknowledged the potential inconsistency in its IP PIN issuance policy and stated that it would consider this inconsistency in future IP PIN policy decisions. TIGTA said it is concerned that the lack of prompt action on this issue leaves these taxpayers’ accounts at an increased risk of fraud.
The IRS pointed out that much of the information used by the identity thieves originated from outside the IRS. “The theft of taxpayer data from the Get Transcript system was unprecedented in both its scope and the method by which the crime was committed,” wrote Debra Holland, commissioner of the IRS’s Wage and Investment Division, in response to the report. “Criminals are becoming increasingly sophisticated and are gathering vast amounts of personal information as the result of data breaches at sources outside the IRS. They have attempted to use that cache of personal data stolen from other sources to impersonate their victims and either create or access online accounts and to obtain the tax return and account information of the legitimate taxpayer whom they are impersonating.”
Until the relaunch this week, taxpayers and tax professionals could only use the Get Transcript service to order tax transcripts to be sent to them by mail, but they could not view and print them online. The new multi-factor authentication features require users to enter codes that are sent to their email account or mobile phone to authenticate them.
“In an age where massive losses of personally identifiable information (PII) of individuals occur regularly, through theft or by loss from public and private entities, the authentication standards that were widely acceptable just a few years ago, when our online systems were designed, are no longer adequate,” said Holland. “We are moving to multi-factor authentication which provides a greater level of assurance; however, it will come at a price of additional burden for legitimate taxpayers trying to authenticate. For those unable to authenticate under the strengthened process, we will continue to provide alternative methods of service delivery to meet their needs while protecting against the unauthorized exposure of PII.”
An IRS spokesperson emailed a further comment to Accounting Today in response to the report. “The IRS took numerous steps to notify and protect affected taxpayers involved in the Get Transcript incident,” said the IRS statement. “We thank the TIGTA audit team for their work and helping us to identify additional ways we can better serve the victims of the theft of taxpayer records. IRS worked closely with the audit team, and we have already taken action to address the majority of their recommendations and findings. In particular, as TIGTA noted, we notified all taxpayers that criminals had possession of the taxpayer’s personal information as soon as we identified the taxpayers involved. We also marked for special monitoring the accounts of all taxpayers where the criminals attempted to access previous tax returns. For those where the criminals had obtained access to previous tax returns through the Get Transcript App, we also offered credit monitoring and the availability of an Identity Protection PIN to help protect their account.
“The IRS on Tuesday announced a new secure access framework for Get Transcript with a more rigorous e-authentication process for taxpayers,” the IRS added. “This new secure access process will significantly increase protection against identity thieves impersonating taxpayers and serve as a foundation for additional IRS self-help services in the future.”