Until recently, the IRS website provided a service called “Get Transcript.” It’s an easy way to download several years of tax forms for tasks like applying for a mortgage, or college financial aid.
An unnamed cybermafia used this app to download forms full of personal information. They made 200,000 download attempts between February and May and got away with half of them, the IRS said.
The crooks used about 15,000 of them to claim tax refunds in other people’s names.
But the potential damage is worse. IRS Commissioner John Koskinen said he believes the criminals’ true mission was to gather vast amounts of personal information and steal tax refunds in the future.
“This is just the latest manifestation of people getting enough data to masquerade as a taxpayer,” Koskinen said. “Now they’re getting additional data to file a better false return.”
Last week, the IRS spotted an odd flood of computer traffic and initially thought its website was facing a cyberattack to block its services. But on further investigation, it discovered that the slew of requests were pulling data from its “Get Transcript” service and the agency immediately cut off communication.
The IRS has temporarily disabled the “Get Transcript” service. It was too easy to game, Koskinen said. The agency had tried to make the service difficult for fraudsters — but not too burdensome for the average person trying to get a hold of previous years’ tax returns.
The agency is now trying to increase the security on the app — and figure out the right balance, Koskinen said.
Taxpayers can still request previous years’ documents, but they’ll have to do it via the older and slower process — by paper.
This cyberattack wasn’t a hack in the traditional sense, the IRS said. No one broke into its computer systems and stole information. The attackers merely used a public tool for nefarious purposes. And it was an attack the agency wasn’t well suited to combat, Koskinen said.
“We’re dealing with criminals with a lot of money and using expensive equipment and hiring a lot of smart people,” he said during a conference call Tuesday.
To assist the victims, the IRS is offering paid credit protection programs to the 200,000 people who might be affected.
It’s offering a secure PIN to the 104,000 whose details the IRS is sure were exposed.
The PIN program is a permanent security feature that requires taxpayers to use a six-digit passcode when filing taxes. It’s currently only available to tax fraud victims and residents of Florida, Georgia and Washington. The agency wants to take this pilot program nationwide.
Koskinen said there is “no indication there is any connection” to the recent wave of fraud involving TurboTax preparation software.
But he said this is just more proof criminals are ramping up their theft of personal data for illicit gain.
“These guys are very good at data analytics. They have volumes of data available they can match up,” he said. “The criminals can answer questions better than you can.”