John Koskinen, IRS chief, says 100,000 taxpayers potentially compromised in online data breach

Upwards of 100,000 taxpayers may have had their personal information compromised by an online security breach, the head of the IRS said.

Testifying Thursday before the Senate Finance Committee, IRS Commissioner John Koskinen said identity thieves exploited a bug within one of its web-based data tools to file millions of dollars’ worth of fraudulent tax returns.

“Fortunately we caught this at the front end,” Mr. Koskinen said at the hearing. “Our highest priority is making sure that we protect taxpayers and their identity.”

The agency’s “data retrieval tool” is designed to import financial records between the IRS and the Department of Education’s website to help taxpayers completing a lengthy college financial aid form know as the Free Application for Federal Student Aid, or FAFSA. According to the commissioner, however, criminals harnessed a security flaw within the tool to steal other people’s data and then file and collect false tax returns.

The IRS disabled the tool last month, Mr. Koskinen said Thursday, but not before the agency issued about 8,000 fraudulent tax returns totaling roughly $30 million. Another 14,000 bogus returns were spotted by investigators before refunds were issued, and another 52,000 filings were halted altogether, he said.

“We caught it early enough that there’s not a significant volume of money out the door,” he added.

Nonetheless, the IRS chief acknowledged that up to 100,000 taxpayers may have had their personally identifiable information compromised during the course of the security breach.

Individuals were able to scheme the IRS because the data retrieval tool required relatively little information from users before it began auto-populating personalized tax data. Armed with only a limited amount of information, a criminal could harness the flaw by beginning to fill out an online FAFSA form under another person’s identity before ultimately gaining access to the victim’s legitimate tax filings.

The IRS learned of the issue in October, but were hesitant to remove a tool that served a legitimate purpose for most users.

“To shut it down without a clear indication of criminals actually using it seemed to us that it was going to unnecessarily disadvantage millions of people who used it,” he testified.

By February, Mr. Koskinen said a pattern of activity had emerged “that was clearly not consistent with people going on to actually apply for student loans.”

The IRS has begun contacting potential victims and intends to notify 100,000 people possibly affected by the data breach, Mr. Koskinen said, though the full scope of the incident remains yet to be seen.

Fifteen members of the House Ways and Means Committee sent a letter to President Trump this week that said Mr. Koskinen has “lost the trust of the American people” and needs to be replaced.

“I have lost all faith in Commissioner Koskinen’s ability to lead the IRS,” Committee Chairman Kevin Brady, Texas Republican, said Wednesday. “He has been dishonest with Congress, and the IRS — under his watch — has continuously violated taxpayer rights. He has to go.”