IRS Failed to Alert 100,000 Taxpayers of Data Breach
The Treasury Inspector General for Tax Administration released a report last week that said more than 350,000 people had their information compromised in a 2015 hack. The IRS initially only reported 220,000 victims.
Hackers obtained the sensitive information, including names, addresses, social security numbers and previous return information, through the IRS’s Get Transcript service, which allows taxpayers to view their records online.
The service was disabled after the hack but was reopened last week. The IRS said the new application has much stronger security features, including the requirement that users answer personal questions and verify logins via texts.
“While the IRS acted swiftly to disable its application upon learning of the data breach, our auditors found that it did not identify all taxpayers who were potentially affected, and whose tax information was at risk of being used by unauthorized individuals,” said J. Russell George, the Treasury Inspector General for Tax Administration, according to The Washington Times.
The Inspector General’s report gave eight recommendations to the IRS to improve their security. They recommended it should improve its methodology in identifying and assisting affected taxpayers, and increase its quality assurance mechanism.
The IRS agreed with all recommendations except one, which asked the agency to give taxpayers an identity protection PIN. The agency said this would be a waste of time, since the breaches had already occurred.
In response to the hack, the agency said they are improving their authentication practices.
“We are moving to a multi-factor authentication which provides a greater level of assurance; however, it will come at a price of additional burden for legitimate taxpayers trying to authenticate,” Holland said.
The agency said they are in the process of notifying and assisting the additional taxpayers affected by the breach.