|Cyber thieves were able to steal as much as $39 million by gaining access to Internal Revenue Service data and filing fraudulent tax returns this year, IRS Commissioner John Koskinen reported to Congress June 2 after news about the data breach broke last week. The hackers were able to steal the personal finance information of over 100,000 taxpayers.“Commissioner Koskinen, put simply, your agency has failed these taxpayers,” Sen. Orrin Hatch (R-Utah) told him Tuesday. Hatch, who chairs the U.S. Senate Committee on Finance, called the hearing; the FBI has also opened an investigation into the breach.
Electronic fraud detection programs used by the IRS were able to prevent the criminals, thought to be Russian, from filing around 23,500 returns. But the 13,000 they were successful in filing enabled them to get about $39 million in tax refunds.
The IRS has pledged to contact all the affected taxpayers and help them to secure their personal information. “For now, our biggest concern is for the affected taxpayers, to make sure they are protected against fraud in the future,” Koskinen explained.
IRS Failed to Update Security
Treasury Inspector General J. Russell George told lawmakers that as of March, 44 updates that had been deemed necessary through a security audit had not been completed. Of those, 10 had first been recommended more than three years ago.
And according to the Associated Press, the Government Accountability Office issued a March report showing more than 50 unresolved gaps in the agency’s cybersecurity system, concluding that without resolving the weaknesses, “financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification or disclosure.”
Would taking appropriate security steps have prevented the breach? George said that while it’s impossible to know for sure, “it would have been much more difficult had [the IRS] implemented all of the recommendations that we made.”
“People need to make sure they file their 1040 as early as possible,” said Christina Klein, owner of Klein Hall CPAs. “Those who file fraudulent tax returns can only do so if an individual hasn’t already filed their original return, because the IRS can only accept one return per social security number. All fraudulent returns we see exist because the individual waited until late March or early April to file. Other advice would be to follow all normal identity theft prevention protocols.”