IRS failed to alert 100,000+ taxpayers damaged by massive data breach – inspector general

© Karen Bleier
The Internal Revenue Service missed over 100,000 people whose information was stolen as a result of a data breach, failing to properly assist the affected taxpayers, the federal agency’s inspector general says.

A report released Wednesday by the Treasury Inspector General for Tax Administration says that more than 350,000 people had their information compromised in an early 2015 hack, while the IRS only initially counted about 220,000.

The hack targeted the agency’s Get Transcript system, which allows taxpayers to view their records over the internet. By impersonating the actual owners of these accounts, identity thieves managed to get their hands on the sensitive information of countless Americans.

Get Transcript was disabled following the hack and was only reopened earlier this week. The IRS says that the new iteration of the application will feature strengthened security measures, such as requiring users to answer personal questions and verify logins by mobile phone message.

“While the IRS acted swiftly to disable its application upon learning of the data breach, our auditors found that it did not identify all taxpayers who were potentially affected, and whose tax information was at risk of being used by unauthorized individuals,” said J. Russell George, the Treasury Inspector General for Tax Administration, according to The Washington Times.

The inspector general’s report gave eight different recommendations to the IRS to tackle the Get Transcript hack and future data breaches, such as recommending that the agency expand its methodology in identifying and assisting affected taxpayers and increase quality assurance mechanism.

The IRS agreed with all of the recommendations except for the last one, which advised the agency to issue an identity protection PIN to holders of accounts that hackers tried but failed to access. In a response to the report, IRS management said that such a measure would be counterproductive, since the attempted breaches had already occurred.

In a response from IRS management attached to the report, Wage and Investment Division commissioner Debra Holland said that the agency is improving its authentication capabilities, as standards that were acceptable years ago are no longer adequate.

“We are moving to a multi-factor authentication which provides a greater level of assurance; however, it will come at a price of additional burden for legitimate taxpayers trying to authenticate,” Holland said.

As a result of the report, the IRS has properly notified and assisted those affected by the 2015 breach, the inspector general said.