IRS computer hack was worse than agency admitted

The IRS’ computer hack was worse than previously admitted, and the tax agency failed to alert thousands of people that their information was stolen, and didn’t give credit monitoring assistance to nearly 80,000 others who were targeted, an inspector general said Wednesday.

Investigators said nearly 1 million accounts were potentially targeted, and nearly 360,000 people actually had their accounts broken into. That’s far more than the 220,000 hacks the tax agency initially acknowledged.

In thousands of instances, the IRS missed the evidence of a hack, the inspector general said, leaving those taxpayers unaware of their vulnerabilities for months.

“While the IRS acted swiftly to disable its application upon learning of the data breach, our auditors found that it did not identify all taxpayers who were potentially affected, and whose tax information was at risk of being used by unauthorized individuals,” said J. Russell George, the Treasury Inspector General for Tax Administration.

He said the IRS did notify the taxpayers after the inspector general pointed out the botch.

The hack hit the tax agency’s Get Transcript application, which allows taxpayers to look at some of their most personal financial information they file as part of their annual returns. Hackers managed to impersonate hundreds of thousands of taxpayers, giving answers to background questions to gain access to their records.

IRS officials shut down the online Get Transcript function last year after the hack, and only reopened it this week, saying they’d finally imposed stricter identity checks to make sure taxpayers weren’t being hacked.

Now, in order to get a transcript online, taxpayers must be able to answer more personal questions, have a valid email address and a mobile phone number with text capabilities tied to their own name and be able to give details of a credit card or loan account.

The agency said it knows some people will have a tougher time using the service, but after last year’s embarrassing botch, the changes had to be made to ensure security. Customers can still request a mailed copy of their transcript without having to give all the extra information online.

The inspector general on Wednesday said the IRS must do more to assist those who got caught in the agency’s hack, including alerting all of those who were snared, making sure the agency flagged all accounts of taxpayers who were hacked to be on the lookout for repeat attempts, and providing credit monitoring for those who were targeted.

IRS officials agreed with all of the recommendations save for the last.

Debra Holland, commissioner of the IRS’ wage and investment division, said the tens of thousands of accounts hackers tried but failed to gain access to did not need the extra precautions.

“The attempt to access transcripts was unsuccessful and, consequently, IRS held data was not compromised,” she wrote in the official reply to the report.