Nothing is certain but death and taxes—and now, problems for victims of the IRS breach. Even consumers whose records weren't compromised may experience some short-term hassles.
The agency announced Tuesday that criminals used stolen data—including Social Security numbers, addresses and birth dates—to gain access to more than 100,000 taxpayers' past returns through the IRS Get Transcript application, which consumers typically use to obtain previous returns for mortgage and college loan applications. The breached records were used to file fraudulent tax returns, the IRS said, with nearly $50 million in refunds stolen before the agency spotted the problem earlier this month.
In all, more than 200,000 fraudulent attempts were made to access consumer records through Get Transcript from February through mid-May, the IRS said. "As always, the IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our protocols," the agency said.
"The clear risk is that of identity theft," said Kevin Epstein, vice president of advanced security and governance for security management firm Proofpoint. A tax return is a treasure trove of information that could easily be used to set up new lines of credit and other accounts in the victims' names—and of course, to file fraudulent tax returns. "If somebody has all this information … we may see [a] resurgence next year of fraudulent tax returns," said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse.
The IRS has said it will be mailing letters to all 200,000 taxpayers whom criminals targeted to attempt access—an important warning, since the attempt means the would-be thieves had at least some sensitive financial information. "These hackers already had access to Social Security numbers, birth dates, and identity verification information like former addresses and phone numbers," Aaron Blau, a certified public account, said via email. "They did not steal this information from Get Transcript; they already had it."
The IRS will provide free credit monitoring services for the 100,000 taxpayers whose accounts were accessed. Those taxpayers' accounts will also be flagged for potential identity theft in this tax year and future tax years, which could qualify them to use a six-digit idenitity protection PIN to verify their identity when filing.
Consumers whose accounts were involved in the attempt will need to remain vigilant, said Morey Haber, vice president of technology for security management firm BeyondTrust. "There are some things about your likeness that you can't change if it's compromised," he said—including your Social Security number and birth date. Affected taxpayers should take advantage of free credit monitoring offered, and monitor their accounts for potential fraud.
Even if you're not affected by this breach, signing up for a paid monitoring service is becoming a smarter move, said Epstein. Consumers might also consider reaching out to the three major credit bureaus—Equifax, Experian and TransUnion—to have a 90-day fraud alert placed on your file. That red flag requires lenders to take extra steps before opening new loans or lines of credit, although it's not foolproof.