The Internal Revenue Service disclosed this week that following the latest review of its system, 334,000 taxpayers – more than three times the agency’s initial estimate – may be affected by the hack it announced in May.
Through the compromise, hackers were able to infiltrate the agency’s Get Transcript service, which provides taxpayers with tax account transactions and line-by-line return information. Attackers pried their way into the system by using information obtained from non-IRS sources, including individuals’ Social Security numbers, names, dates of birth, and other attainable details.
In a statement regarding the Get Transcript incident published to its site Monday, the IRS claims that a further review of the 2015 filing season found an additional 220,000 successful attempts by attackers to access its system and another 170,000 attempts that failed to make it through authentication. In May it claimed there were only 114,000 successful attempts and another 111,000 that failed to make it through. While they may have only been successful half of the time, the latest figures confirm that hackers made approximately 615,000 attempts to access taxpayers’ accounts.
As any company, corporation, or in this case agency does when it encounters a data breach, the IRS claims it will begin mailing letters to those affected over the course of the next several days to let them know their data may have been accessed. The agency claims it will also mail letters to the 170,000 other households whose information the hackers attempted to access even though they apparently failed to access it.
The agency is advising that some of the information hackers may have collected could figure into fake tax return filings for the year 2016 and that victims should remain vigilant.
“The IRS believes some of this information may have been gathered for potentially filing fraudulent tax returns during the upcoming 2016 filing season so anyone receiving a letter should take steps to protect themselves by taking advantage of the free credit monitoring and IP PIN which can be used to verify the authenticity of next year’s tax return,” the IRS writes.
The IRS didn’t clarify how far back its latest review went but according to a Wall Street Journal article Monday the agency looked at data from as early as November 2014, roughly four months before the IRS’ initial investigation, from February 2014 to May 2014.
The Get Transcript feature has been unavailable since May and it’s unclear when the IRS will bring it back. The agency claims it is continuing to work on strengthening its system but in the meantime is encouraging taxpayers to order transcripts by mail.
Security reporter Brian Krebs first called the security of the IRS’s website irs.gov into question back in March after learning from a reader that the site allowed individuals to register for a transcript by using a name, date of birth, Social Security number and filing status. From there, at least before it was taken down, the service would supply the victim’s tax transcript, current and prior W2s and more to anyone who wanted them.