Nothing is certain but death and taxes—and now, problems for victims of the IRS breach. Even consumers whose records weren't compromised may experience some short-term hassles.
The agency announced Tuesday that criminals used stolen data—including Social Security numbers, addresses and birth dates—to gain access to more than 100,000 taxpayers' past returns through the IRS Get Transcript application, which consumers typically use to obtain previous returns for mortgage and college loan applications. The breached records were used to file fraudulent tax returns, the IRS said, with nearly $50 million in refunds stolen before the agency spotted the problem earlier this month.
In all, more than 200,000 fraudulent attempts were made to access consumer records through Get Transcript from February through mid-May, the IRS said. "As always, the IRS takes the security of taxpayer data extremely seriously, and we are working aggressively to protect affected taxpayers and continue to strengthen our protocols," the agency said.
"The clear risk is that of identity theft," said Kevin Epstein, vice president of advanced security and governance for security management firm Proofpoint. A tax return is a treasure trove of information that could easily be used to set up new lines of credit and other accounts in the victims' names—and of course, to file fraudulent tax returns. "If somebody has all this information … we may see [a] resurgence next year of fraudulent tax returns," said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse.
The IRS has said it will be mailing letters to all 200,000 taxpayers whom criminals targeted to attempt access—an important warning, since the attempt means the would-be thieves had at least some sensitive financial information. "These hackers already had access to Social Security numbers, birth dates, and identity verification information like former addresses and phone numbers," Aaron Blau, a certified public account, said via email. "They did not steal this information from Get Transcript; they already had it."
The IRS will provide free credit monitoring services for the 100,000 taxpayers whose accounts were accessed. Those taxpayers' accounts will also be flagged for potential identity theft in this tax year and future tax years, which could qualify them to use a six-digit idenitity protection PIN to verify their identity when filing.
Consumers whose accounts were involved in the attempt will need to remain vigilant, said Morey Haber, vice president of technology for security management firm BeyondTrust. "There are some things about your likeness that you can't change if it's compromised," he said—including your Social Security number and birth date. Affected taxpayers should take advantage of free credit monitoring offered, and monitor their accounts for potential fraud.
Even if you're not affected by this breach, signing up for a paid monitoring service is becoming a smarter move, said Epstein. Consumers might also consider reaching out to the three major credit bureaus—Equifax, Experian and TransUnion—to have a 90-day fraud alert placed on your file. That red flag requires lenders to take extra steps before opening new loans or lines of credit, although it's not foolproof.
The more extreme action: requesting a credit freeze. That prevents anyone (including you) from opening new lines of credit. You'll need to notify the bureaus first if you later want to apply for a new loan or credit card. "Unless you are someone who is actively, frequently applying for credit, it's a fairly easy thing to initiate," said Epstein. "From a security standpoint, it's always better to have something locked and unlock it when you need it, than to leave a door unlocked."
Another immediate risk to taxpayers at large is phishing, if other criminals take advantage of the news to send out emails telling people they're among those compromised and asking for personal data, said Stephens. Keep in mind the IRS won't email victims, but rather, send a letter via mail. "Taxpayers will receive specific instructions so they can sign up for the credit monitoring," the IRS said in its announcement. "These outreach letters will not request any personal identification information from taxpayers."
In coming years, affected taxpayers should make an effort to file their returns early, to limit the possibility of a fraudulent return being filed first, said Haber. "It just goes to diligence," he said. "Don't always wait until the last minute."
While the fraud is investigated, the IRS has shut down the Get Transcript application. "The online application will remain disabled until the IRS makes modifications and further strengthens security for it," the agency said. In the meantime, consumers who need such records can request them online to arrive via mail in five to 10 calendar days.
That could pose a slight hurdle for consumers in the process of applying for a mortgage. "It's certainly something you're going to want to discuss with your mortgage lender, whether this particular instance will affect your application," said Keith Gumbinger, vice president at mortgage data site HSH.com. Some lenders may want that IRS-confirmed return rather than one copied from your own records. If that's the case, he said, consider whether you'll need to lock in your rate for a longer period to allow time for those records to arrive through mail.
Procrastinators filing the Free Application for Federal Student Aid just ahead of the June 1 deadline are even less likely to be affected, said Mark Kantrowitz, senior vice president and publisher of college planning firm Edvisors.com. The system allows applicants to manually enter data from past returns in lieu of using the IRS retrieval tool.