The Internal Revenue Service is one of the federal government’s least-liked agencies. No surprise there, since the job of the IRS is to pry plenty of your hard-earned dollars from your hands. Still, the IRS is sensitive to the fact that it needs to try to make reporting income and paying taxes slightly less painful.
That was the reasoning behind the IRS’ effort to make it relatively easy for folks to get a look at the tax records being held for them by using what the IRS called the “Get Transcript” application.
Those records included detailed information about their income tax returns, reported income and other tax-related information. The idea was that you could go to the IRS.gov Website and, after providing some information to establish your identity, be shown what they have.
The system worked pretty well. I used it and I found it helpful, but in the process of making things easier for taxpayers, the IRS also found the truth of a long-honored Washington saying: “No good deed goes unpunished.”
On Aug. 8, the IRS announced that its previously announced breach affecting about 100,000 taxpayers had turned out to be worse than expected. In fact, the breach appears to have been about three times as bad as originally thought.
The IRS announcement says that the agency will be contacting the affected taxpayers over the course of the next few days to offer credit monitoring and a secure form of taxpayer identification that will prevent the people who may have stolen your information from filing for a false refund before you can file your real tax return.
Identity theft is a constant problem for the IRS because crooks will try to file tax returns using the information belonging to legitimate taxpayers in order to claim their tax refunds. For many people, this can amount to thousands of dollars each.
It also creates problems and additional expense for the government. Some of those problems arise when annoyed taxpayers, and there are always plenty of them, complain to their representatives in Congress, who then hold hearings and ask tough questions.
Once the IRS determined the extent of the problem with the “Get Transcript” application, the agency immediately shut it down, which solved the immediate problem but hasn’t done anything for the ability of taxpayers to see their tax information. However, the real trouble appears to be lurking in wait for the 2016 tax filing season. Then, the details gleaned from the harvested tax information can be used to file more false returns requesting refunds.
One way or the other, taxpayers and the government will be out a ton of money. The immediate solution is worth using. For those who are informed they were affected by this breach, take the government up on its offer of free credit monitoring, by all means.
In addition, accept the offer of a new secure PIN that will validate the authenticity of tax returns relating to your account.
IRS Data Breach Demonstrates the Risk of Trying to Help Taxpayers
Once you get that new PIN, keep track of it, but not in the same place as your other personal data. You’ll need it at tax time, and if you work with a tax preparer, they’ll need it too.
Regardless of whether this potential scam hits your personal or business taxes, it pays to be prepared. The IRS has a whole section on their Website just for helping people deal with identity theft. In addition, there’s a one-page summary for individual taxpayers, and there’s another page for protecting businesses against identity theft. The IRS provides help in the event that a data breach that potentially involves tax-related records hits your employer or your own business.
Even if you or your business aren’t notified that your information was taken in the latest data breach, there are still steps you can take if you only think your information might not be secure. One of the most important is an affidavit you can fill out to request one of those security PINs that the agency is giving out to people it knows have been breached.
By now you’ve probably noticed that I haven’t excoriated the IRS for shoddy security practices, lax management of personal information or even carelessness. There are a couple of reasons for this. The first is that considering the trove of personal data the agency holds, the fact that the scammers only reached a tiny percentage means that the IRS must be doing a lot right.
The fact that the hackers, even when armed with detailed information from tax accounts, could only manage to get tax return information from fewer than half says that the verification security the IRS is using must be working pretty well.
Still, the IRS did get breached, but they found it in a relatively short time and then shut down the offending system immediately. While no breach is acceptable, the difference between what happened at the IRS and other federal agencies (the Office of Personnel Management, for example) is remarkable. This event is likely a good case study of how it was possible to breach the fairly well-defended network of a public-facing site filled with sensitive information.
But of course there is more to be done. The secure PINs the IRS is issuing are effectively a type of two-factor authentication. It would be useful if the IRS could find a way to extend two-factor authentication to all or nearly all taxpayers.
Even something comparatively simple such as sending a random confirmation number to a taxpayer’s cell phone, much like Apple and Microsoft do when verifying identity, would go a long way to preventing successful breaches.
But right now, it’s best to look at the IRS breach and be thankful that everything worked as well as it did, and that more information wasn’t taken. The IRS security may not be perfect, but it sure seems to be far better than that of other agencies, such as OPM, the White House or the Department of State.