On May 26, 2015, the Internal Revenue Service (IRS) publicly announced that about 100,000 taxpayer accounts were breached through the IRS’ “Get Transcript” feature, which allows taxpayers to access computer-generated records of past tax returns.
Frequently used to substantiate income for borrowing needs like student loans and mortgages, the transcript includes online access to line items from past tax returns, and the accompanying forms and schedules filed with them.
Though the compromised records represent a small portion of the 23 million valid “Get Transcript” requests the IRS says it fulfilled in this tax season alone, the breach is concerning for a few reasons. Here’s a look at what the hack entailed, and how to react if you find you were impacted by it.
How the IRS Hack is Different
What makes the IRS hack any more concerning than the breaches that have become so frequent in corporations and financial institutions? In large part, it’s because the IRS “Get Transcript” system uses a multi-step verification system that includes private personal and financial information.
In “phase one” of the authentication process, users verify their identity by answering questions/inputting data like Social Security number, previous tax filing status, date of birth, home address, and an email address. Once the information is successfully entered, the taxpayer receives an email with a confirmation code to request a transcript. The taxpayer must then correctly respond to several “out-of-wallet” questions (like the date a loan was opened, the balance on it, or the amount of a monthly loan payment) to complete the request. For the 100,000 accounts that were successfully compromised, identity thieves had all of the required information (which was likely obtained from sources outside the IRS).
Though not successfully breached, an additional 100,000 taxpayer accounts failed the authentication, indicating that the thieves had at least enough sensitive data from this group to believe the accounts could be hacked.
Though the online “Get Transcript” feature was disabled on May 21 when the breach was detected (it’s still accessible via phone or mail), the IRS saw initial signs of suspicious activity all the way back in February. In other words, thieves didn’t just access this personal taxpayer information; they may have accessed it from an outside source some time ago.
How to Know If You Were Impacted
The IRS has begun to notify taxpayers whose accounts were hacked, and those with unsuccessful attempts to obtain their information, by mail. If you receive such a letter, take advantage of the free credit protection services the IRS offers at their expense—even if an attempt to hack your account was unsuccessful. Sign up for the service and take its warnings about your credit activity seriously. If you do receive a letter from the IRS, you will also be assigned a six-digit secure PIN to use when filing future tax returns. Keep the PIN stored in a safe place, and update your passwords for financial and personal accounts using a combination of upper and lowercase letters, numbers and symbols. Though your information may not have been compromised yet, it doesn’t mean that it won’t be in the future.
Protect Yourself With the Right Tools
Though credit monitoring is one way to stay aware of fraudulent activity, consider taking proactive protections to ensure you’re not left more vulnerable than you think. With credit monitoring like the IRS is offering victims, for example, accountholders are alerted (usually by email, or mail) when a lender initiates a credit inquiry. If the account application is fraudulent, you’ll need to react quickly to notify the credit service and/or the major credit bureaus (Experian, Equifax, TransUnion, and Innovis) of the fraudulent activity so it can’t progress.
Though monitoring protects you to some extent, credit inquiries can lower your credit score, particularly if your credit history isn’t positive and/or well established. In turn, your credit score may wrongly be penalized, even if only temporarily, from the activity.
Because the IRS hack involved the theft of information that isn’t easily reissued, victims of the hack (even those who are part of the unsuccessful attempts) may also want to consider having a security or credit freeze placed on each credit bureau’s record. Though a freeze may extend the amount of time it takes to obtain legitimate credit (you’ll have to initiate a “thaw” and verify that the lender is authorized to check your credit and potentially open the account), it allows for more proactivity, requiring that you authorize any attempt to access your credit. Because the freeze prevents the inquiry, it may help protect your credit score from any damage that may result from fraudulent inquiries.
You can initiate a credit/security freeze online with the bureaus. Though it may involve a nominal fee, it is offered free in some states and if you know your identity was stolen. (Equifax outlines its fee/free structure in this table).
As the IRS investigates the hack, more information about what was stolen, and what remains at risk, will likely unfold. In the interim, take advantage of the protections offered to you, and understand what such services will do—and what they won’t. Though having your sensitive data stolen is scary, you can control the extent of damage thieves are able to do with it.