The Internal Revenue Service (IRS) Monday revised its estimate of the number of taxpayer accounts hacked in May, and said it was more than twice the number initially reported. According to the agency, hackers gained access to 330,000 accounts and tried to break into another 280,000.
The agency had initially said in May that hackers used Social Security numbers and other data to gain access to tax returns filed for about 225,000 U.S. households. However, Monday’s revised statement said that a more thorough review of the data that dates back to November 2014 showed that additional 390,000 taxpayers were affected by the breach. The affected taxpayers included 220,000 accounts, where the hackers were able to breach an authentication process, and about 170,000 failed attempts, the Wall Street Journal reported.
“The IRS takes the security of taxpayer data extremely seriously, and we are working to continue to strengthen security for ‘Get Transcript,’ including by enhancing taxpayer-identity authentication protocols,” the agency said, in the statement. The government, however, did not clarify who might be behind the attack. Government investigators initially believed, according to sources, that Russian hackers conducted the attacks.
The security breach happened in an online application called “Get Transcript,” which helped the attackers get information about previous-year tax returns. The hackers got nearly $50 million in refunds by filing fraudulent returns, using this data, the New York Times reported. Following the hack, the “Get Transcript” system was shut down.
The IRS also said Monday that it will send 220,000 letters to taxpayers whose accounts were probably hacked. The statement added that it will also inform 170,000 households, whose “personal information could be at risk even though identity thieves failed in efforts to access the IRS system."
“The I.R.S. conducted an extensive review covering the 2015 filing season to assess whether other suspicious activity occurred,” the statement said, adding: “The I.R.S. has identified more questionable attempts to obtain transcripts using sensitive information already in the hands of criminals. As a result, the I.R.S. is moving immediately to notify and help protect these taxpayers.”
The latest announcement is expected to add to the woes of the agency, as several lawmakers, mostly Republicans, are unhappy with its performance on various fronts. Officials reportedly estimate that the government paid $5.8 billion in false refunds in 2013 alone. They also believe that hackers tried to get information from previous attacks that could be used to commit fraud during the 2016 tax-filing season.
“Today’s revelation that the IRS didn’t fully understand this security breach for months is not confidence-inspiring,” Rep. Peter Roskam (R., Ill.), chairman of the House Ways and Means subcommittee that oversees the IRS, said, according to the Journal.
Neal O’Farrell, a cybersecurity specialist with the Identity Theft Council in Walnut Creek, California, said, according to the Journal: “It’s another reminder that we as a nation have been completely outgunned on cybersecurity,” adding: “Too often, organizations don’t know what they don’t know.”
Oscar Pressel, a certified public accountant, who files taxes for over 400 people, said that about eight of his clients were hit by tax ID theft. “It seems like everybody and their brother is having a problem getting tax ID thefts straightened out,” he reportedly said.
In May, the IRS announced that it would inform the taxpayers and take steps, including offering free credit protection and special identification numbers to reduce cases of tax-refund fraud.