If you thought your tax information wasn't compromised in the recent IRS breach, think again. The impact, the agency now says, was broader than initially reported.
The IRS said Monday that an additional 220,000 taxpayers had their information stolen through an IRS record-keeping application. When the agency first disclosed the breach in May, it estimated more than 100,000 individuals were affected. The number of potential victims now stands at more than 334,000.
In the breach, criminals used data stolen from other sources—including Social Security numbers, birth dates and mortgage payment details—to gain access to taxpayers' past returns through the IRS Get Transcript application, which consumers typically use to obtain previous returns for mortgage and college loan applications. The breached records were used to file fraudulent tax returns, the IRS said in May, with nearly $50 million in refunds stolen before the agency spotted the problem.
In all, more than 610,000 fraudulent attempts were made to access consumer records through Get Transcript from February through mid-May, the IRS now says.
"The clear risk is that of identity theft," Kevin Epstein, vice president of advanced security and governance for security management firm Proofpoint, told CNBC when the breach was first announced in late May. A tax return is a treasure trove of information that could easily be used to set up new lines of credit and other accounts in the victims' names—and of course, to file fraudulent tax returns.
"If somebody has all this information … we may see [a] resurgence next year of fraudulent tax returns," Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, told CNBC earlier this year.
The IRS has said it will be mailing letters to the additional 220,000 taxpayers whom criminals targeted to attempt access—an important warning, since the attempt means the would-be thieves had at least some sensitive financial information. "These hackers already had access to Social Security numbers, birth dates and identity verification information like former addresses and phone numbers," Aaron Blau, a certified public account, said via email earlier this year. "They did not steal this information from Get Transcript; they already had it."
The agency will provide free credit monitoring services for the additional 220,000 taxpayers. Those taxpayers' accounts will also be flagged for potential identity theft in this tax year and future tax years, which could qualify them to use a six-digit idenitity protection PIN to verify their identity when filing.
Consumers whose accounts were involved in the attempt will need to remain vigilant, Morey Haber, vice president of technology for security management firm BeyondTrust, told CNBC earlier this year. "There are some things about your likeness that you can't change if it's compromised," he said—including your Social Security number and birth date. Affected taxpayers should take advantage of the free credit monitoring offered, and watch their accounts for potential fraud.
Even if you're not affected by this breach, signing up for a paid monitoring service is becoming a smarter move, said Epstein. Consumers might also consider reaching out to the three major credit bureaus—Equifax, Experian and TransUnion—to have a 90-day fraud alert placed on their file. That red flag requires lenders to take extra steps before opening new loans or lines of credit, although it's not foolproof.