Call Now: (833) 803-4222
Se Habla Espanol

IRS Failed to Help All Taxpayers Affected by ‘Get Transcript’ Breach

‘Get Transcript’ is an online service by the IRS that allows taxpayers access to the transcripts of their tax returns. A security breach of ‘Get Transcript’ in May, 2015 enabled cyber thieves to steal the sensitive information of close to four hundred thousand taxpayers. Following this, the IRS re-launched the service this July with additional security. To add to the IRS’ woes, shortly after the re-launch, the Treasury Inspector General for the Tax Administration released a report which revealed that the IRS failed to identify and help all the taxpayers affected by the breach. Accounting Today shares:

get transcript“Initially the IRS believed that only about 104,000 taxpayers were affected, but it later discovered around 390,000 were potentially affected, with another 295,000 taxpayers whose transcripts were targeted but not accessed (see IRS Finds ‘Get Transcript’ Data Breach Was More Widespread). The IRS said it was contacting all the taxpayers and offering them Identity Protection PINs, with many of them getting free credit monitoring as well.

“However, the new TIGTA report found the IRS still did not identify all of the individuals potentially affected by the Get Transcript application breach. TIGTA’s analysis of system audit logs created between Jan. 1, 2014, and May 21, 2015, identified 620,931 taxpayers whose tax account information involved a potentially unauthorized access not identified by the IRS. Further analysis of these access attempts found that potentially unauthorized users were successful in obtaining access to 355,262 of the taxpayers’ accounts.

TIGTA also identified 2,470 additional taxpayers whose accounts were targeted through the Get Transcript application breach that the IRS did not identify. This resulted from the IRS erroneously excluding three system error codes when identifying accounts of potential victims.

“In addition, TIGTA found the IRS did not place identity theft incident markers on the tax accounts of 3,206 taxpayers who the IRS identified as affected by the Get Transcript application breach. After TIGTA questioned the IRS’s rationale for not placing the marker on all tax accounts, management agreed that all affected taxpayer accounts need the marker. As a result, IRS officials informed TIGTA they would ensure that all affected taxpayer accounts receive the identity theft marker.

“Finally, the IRS did not offer an Identity Protection Personal Identification Number (IP PIN) or free credit monitoring to 79,122 individuals whose tax accounts the IRS identified as being involved in an attempted access.

“‘While the IRS acted swiftly to disable its application upon learning of the data breach, our auditors found that it did not identify all taxpayers who were potentially affected, and whose tax information was at risk of being used by unauthorized individuals,’ said TIGTA Inspector General J. Russell George in a statement. ‘Once we notified the IRS of this issue, it acted to notify these additional taxpayers.’

TIGTA recommended that the IRS implement additional evaluative methods to identify all individuals affected by the breach, issue notification letters to 620,931 taxpayers whose accounts were potentially targeted and place identity theft incident markers on their accounts. The IRS should also ensure that authentication system error codes are analyzed when responding to future data breaches as well as notify the additional 2,470 taxpayers identified and place identity theft incident markers on their accounts, TIGTA recommended. The report also suggested the IRS should place identity theft incident markers on the 3,206 taxpayer accounts, as required, and issue IP PINs to the 79,122 individuals whose personal information was used by unauthorized individuals to attempt access to the Get Transcript application.

“The IRS agreed with seven of the eight recommendations. However, the IRS disagreed with the recommendation to issue IP PINs to the 79,122 individuals with attempted accesses to their tax information. Although it disagreed with the recommendation, the IRS acknowledged the potential inconsistency in its IP PIN issuance policy and stated that it would consider this inconsistency in future IP PIN policy decisions.”