Just a little more than three months after the Internal Revenue Service shut down their online tax transcript service that identity thieves abused to steal sensitive data and file fraudulent tax refund requests, the agency is now reporting that the number of affected taxpayers is three times the agency’s initial estimate. Not only is it three times their estimate, the number of affected taxpayers could continue to grow as the agency combs through the hundreds of thousands of logs sent to its Get Transcript application over the past year. Today, the agency announced that over the past year, more than 600,000 suspicious attempts to create user accounts using what appears to be stolen data from past breaches were made, yet more than 330,000 of those attempts were successful.
The Get Transcript web application the IRS implemented provided online access to taxpayers tax transactions and enough information to submit fraudulent tax returns. Once the fraudulent returns were filed, thieves would then be able to open a line of credit or bank with their stolen documentation. The only information the transcript required was a US citizens name, date of birth, Social Security number, tax filing status (married, single, head of household) and address associated with the individuals tax returns.
The vulnerable system was initially reported by Brian Krebs who urged users to sign up at IRS.gov before the criminals do for you. Krebs urged readers to signup with their legitimate information to stop any potential thieves for doing it for you.
Originally, the IRS reported that only around 200,000 attempts were made with some 100,000 taxpayers information being successfully stolen. Since the shutdown, the agency has been under investigation calculating the scope of the breach, with the agency reported it at some 330,000 Americans being affected.
Yet, even after the shutdown criminals can still easily file fraudulent returns simply by obtaining tax transcripts through mail with a letter that contains a valid Social Security number, date of birth and address. Meaning identity fraud does exist, it just must be completed through snail mail first.
IRS officials said they are notifying all affected taxpayers and offering free credit monitoring services. However, the full affect of the attack may have not yet sunk in. While several hundreds of thousands of fraudulent tax returns were filed in 2015, officials believe attackers are getting ready for the 2016 season. Remember folks, file early, or the criminals will!