IRS breach a sign of troubles to come
The plot to steal information on more than 100,000 taxpayers from the Internal Revenue Service and hijack nearly $50 million in refunds not only reveals a previous security breach but also hints at a wider fraud that may bedevil Americans in the future.
Some security and tax experts warned that this latest data theft may be a prelude to more targeted swindles aimed at duping taxpayers into handing millions of dollars over to cybergrifters or to help thieves circumvent the agency’s security filters next year and beyond.
The information was stolen as part of an elaborate scheme to claim fraudulent tax refunds, IRS Commissioner John Koskinen told reporters this week. Koskinen declined to say where the crime originated.
But two officials briefed on the matter told the Associated Press Wednesday that the IRS believes the criminals were in Russia, based on computer data about who accessed the information. The officials spoke on condition of anonymity because they were not authorized to publicly discuss the ongoing criminal investigation.
“This breach is not just about what this single group is going to do with the information, but what
happens when this information gets sold in the black market,” said Peter Warren Singer, the author of “Cybersecurity and Cyberwar: What Everyone Needs to Know.” “It’s rare for the actual attackers to turn the information directly into money. They’re stealing the data and selling it off to other people.”
It is almost impossible to find a business or government agency that has not had some kind of security breach, Singer noted. Millions of customers at companies like Target and the private insurer Anthem have been raided.
And earlier this year, TurboTax temporarily halted electronic filing of state income tax returns after seeing an uptick in attempts to use stolen information to file fraudulent returns and wrongly claim tax refunds.
With the IRS, it was not the agency’s own system that was hacked. Criminals had already obtained individuals’ Social Security numbers, addresses and birth dates and then used the information to hoodwink the network and gain access to taxpayers’ returns and filings through an application on the IRS website.
“There was no identity theft within the IRS’ actual system,” Aaron Blau, a tax expert in Tempe, Ariz., pointed out. “These people already had all of this data. They could have used this information to call your bank, your doctor, your insurance carrier, and they would have gotten through 100 percent of the time. In this case they chose to use the IRS.”
Many Americans are being attacked more directly, Blau said. One popular scheme is to cold-call taxpayers and threaten them with prosecution if they do not immediately pay money supposedly owed to the IRS by directing them to purchase a prepaid debit card and then transfer the money. Now, with more detailed information from returns, criminals could better target potential victims, Blau said.
Without more information about the individuals who were targeted, it is hard to know the endgame, said Marc Goodman, the author of “Future Crimes.” He noted that previous security breaches have sometimes been used to embarrass politicians, celebrities or corporate figures, and tax returns would provide a rich source of personal information.
Although some critics have been quick to condemn the IRS, several tax experts said using this episode to vilify the agency was unfair.
“The IRS takes data, privacy and data security extremely seriously,” said Edward Kleinbard, a professor of law at the University of Southern California and former staff director of the Joint Tax Committee of Congress. “They do their best, but the resources arrayed against it have become increasingly well-funded and sophisticated, and the problems will only compound over time.”
William Gale, co-director of the tax policy center at the Brookings Institution, agreed the issue extends beyond a single agency.
“I don’t think this is an IRS problem per se,” Gale said. “It is facing the same problems that all the major data providers have.”
The IRS has repeatedly said protecting taxpayer information and combating fraud is a priority. Half of the attempted information thefts were rebuffed through a system of filters that are used to detect fraud, the agency said.
Still, there is little debate that its efforts have been hampered by budget cuts. Just two months ago, an agency overseer issued what now seems to be a prescient warning.
“Resources have not been sufficient for the IRS to work identity theft cases dealing with refund fraud, which continues to be a concern,” J. Russell George, the Treasury Inspector General for Tax Administration, testified before a Senate subcommittee.
The agency’s budget has been cut by 17 percent over the past four years after taking inflation into account, and its work force, now at roughly 83,000, has been reduced by 12,000.
Earlier this year, Koskinen, the IRS commissioner, warned that impending budget cuts would have devastating effects, including the delay of new protections against identity theft and refund fraud.