WASHINGTON (AP) — A computer breach at the IRS in which thieves stole tax information from thousands of taxpayers is much bigger than the agency originally disclosed.
An additional 220,000 potential victims had information stolen from an IRS website as part of a sophisticated scheme to use stolen identities to claim fraudulent tax refunds, the IRS said Monday. The revelation more than doubles the total number of potential victims, to 334,000.
The breach also started earlier than investigators initially thought. The tax agency first disclosed the breach in May.
The thieves accessed a system called “Get Transcript,” where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.
The personal information was presumably stolen from other sources. The IRS believes the thieves were accessing the IRS website to get even more information about the taxpayers, which could help them claim fraudulent tax refunds in the future.
“As it did in May, the IRS is moving aggressively to protect taxpayers whose account information may have been accessed,” the IRS said in a statement. “The IRS will begin mailing letters in the next few days to about 220,000 taxpayers where there were instances of possible or potential access to `Get Transcript’ taxpayer account information.”
In all, the thieves used personal information from about 610,000 taxpayers in an effort to access old tax returns. They were successful in getting information from about 334,000 taxpayers.
“The IRS’s failure to protect private and confidential information from cyber-attacks risks further fraud for hardworking taxpayers,” said Sen. Orrin Hatch, R-Utah, chairman of the Senate panel that oversees the IRS. “The agency should act swiftly to alleviate the damage for all those affected.”
The IRS isn’t the first agency – public or private – to initially underestimate the magnitude of a data breach. The Office of Personnel Management announced earlier this year that hackers had stolen sensitive information on 4.2 million people. The number of affected people has since grown to more than 21 million.
Rep. Peter Roskam, R-Ill., said, “Today’s revelation that the IRS didn’t fully understand this security breach for months is not confidence-inspiring.” Roskam chairs a House subcommittee that oversees the IRS.
The IRS said it is notifying all potential victims and offering free credit monitoring services. The IRS is also offering to enroll potential victims in a program that assigns them special ID numbers that they must use to file their tax returns.
The IRS said Monday that thieves started targeting the website in November. Originally, investigators thought it started in February. The website was shut down in May.
On Monday, the IRS did not identify a potential source of the crime. But in May, officials said IRS investigators believe the identity thieves are part of a sophisticated criminal operation based in Russia.
It wouldn’t be the first time the IRS has been targeted by identity thieves based overseas.
In 2012, the IRS sent a total of 655 tax refunds to a single address in Lithuania, and 343 refunds went to a lone address in Shanghai, according to a report by the agency’s inspector general. The IRS has since added safeguards to prevent similar schemes, but the criminals are innovating as well.
The IRS estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013.