The US Internal Revenue Service (IRS) is having a bad year. On top of a serious breach in 2015 that affected at least 330,000 and led to a class action lawsuit against the IRS, 2016 may turn out to be an even worse year for the agency. The lawsuit claims that the IRS knew its website was vulnerable to security breaches but did nothing to mitigate the problem. This is important, because the same systems are responsible for at least some of the 2016 breaches.
So far in 2016:
- In January, cybercriminals used malware and 464,000 stolen Social Security Numbers to generate over 100,000 e-file personal identification numbers (PINs). These PINs, along with your Social Security Number, enable a cybercriminal to file a fraudulent tax form and generate a refund.
- In early February, the IRS could not accept electronically filed (e-file) tax forms for at least one day. The IRS claims this failure was not related to the January attack.
- In early March, the IRS revealed yet another problem: the system the IRS put in to protect those who were victims of the 2015 hack was itself hacked. What would be funny, if this were some movie, is that the same IRS online identity verification mechanism that was exploited in 2015 was used to verify the online identity of those who were supposedly protected by the new system. The IRS knew that this verification mechanism was the cause of the 2015 breach, and the pending class action suit alleges that the IRS knew of the problem even earlier. Yet, somehow, the IT security people at the IRS thought it would be a good idea to use it again. As of this writing, the IRS claims that this latest attack has resulted in fewer than 200 fraudulent filings.
If you are a victim of any of these cyber attacks, do not expect a lot of help from the IRS. You should receive a letter in the mail indicating that you were potentially a victim. You might first find out when the IRS tells you that you have already filed your return. In any case, expect that it will delay any refund by weeks and will involve several phone calls with the IRS. It may even require that you go to an IRS office and file in person. If a fraudulent refund has already been sent out, the IRS is likely to claim they have already paid you.
The last word:
In fiscal year 2014, the IRS collected $3.1 trillion in revenue and processed 240 million tax returns. You should expect the IRS to be very careful with the information they keep on every taxpaying individual and corporation in the US. You will be very disappointed. The IRS used to take pride in its ability to protect taxpayer information, but that is clearly not even on their priority list. The 2015 hack enabled cybercriminals to steal $50 million of your tax dollars by using identity theft to file for bogus tax refunds. While $50 million is a very small percentage of $3.1 trillion, each fraudulent tax filing has a serious impact on an individual or company. Also, the stolen information can be, and has been, used in other identity theft exploits.
Even if the IRS has not yet told you it has exposed your information, check your free credit reports periodically, looking for new accounts or other fraudulent activity. You can check each of the three agencies (Equifax, Experian, and TransUnion) once a year for free. I recommend that you spread them out over the year, checking one every four months.
Keep your sense of humor.