Two days ago, the IRS announced that the hacking of its “Get Transcript” program, which it had originally announced in May of 2015 and which was the subject of my Scam of the day for May 28, 2015, was far worse than either the number it originally indicated or the updated figure of a few months ago. The IRS originally stated that 114,000 people were affected by the data breach, a figure it later increased to 220,000 people; now the IRS is saying that the number of people affected is 724,000. The fact that it has been so difficult for the IRS to ascertain through its forensic investigation the number of people affected is a good indication of how serious the problem is.
As a result of the data breach, the IRS indicated in May that it paid more than 50 million dollars in fraudulent returns filed using the information stolen from the IRS’ “Get Transcript” program. With the increased awareness of the much higher number of people affected by the data breach, the amount of payments made to the hackers may well increase. The “Get Transcript” program enables taxpayers to get copies of their federal income tax returns from previous years. People often use this service to get copies of earlier income tax returns for uses such as when they apply for a mortgage or financial aid for college.
Although many people were surprised at this hacking, Scamicide readers were not among them because here at Scamicide, we exposed this vulnerability in the “Get Transcript” program in our Scam of the day of April 3, 2015. Apparently, the IRS doesn’t read Scamicide. Maybe it should.
The problem with the system was in the authentication process used by the IRS to limit access to this information to the taxpayer who is seeking his or her own income tax returns. In order to access the income tax returns, the system required the inquirer to provide his or her name, Social Security number, birth date, address and answers to other personal identity verification questions, such as what your high school mascot was or when you got a mortgage. The problem is that, in many instances, this information can be gathered by a diligent hacker from public databases, from social media where people post this information, and from data breaches.
If you are one of the newly discovered people affected by this data breach, you will get a letter, not an email, from the IRS and will be offered free credit monitoring services. These letters will not require you to provide any personal information in response. Any communication you get that purports to be from the IRS that requests that you provide personal information is not from the IRS, but from another scammer.
A lesson for all of us is to remember to try to protect the privacy of our Social Security numbers as best we can. Most identity theft starts with the identity thief obtaining and exploiting the victim’s Social Security number. Don’t provide it to companies with which you do business unless you absolutely must do so. Medical care providers routinely ask you to provide it, but they have no need for it, and the health care industry has been among the worst in protecting its data from being hacked. In addition, people should be more careful about the personal information they post on social media that could be used by identity thieves, as was done in this case.
The verification process of using personal identity verification information is fundamentally flawed in today’s world. Better systems should be used, such as dual factor authentication where a code is sent to your smartphone when you need to access an account.