Additional 220,000 IRS Tax Records Stolen through Get Transcript

[audreyh1]

The IRS disclosed May 26, 2015, that over 100,000 tax records had been fraudulently accessed through the online Get Transcript mechanism. Today they disclosed that an additional 220,000 records had be stolen bringing the total of potential victims to around 334,000.

If you are one of the victims who's accounts may be been accessed, you will get a letter from the IRS. They will begin mailing the letters in the next few days.

In all, the thieves used personal information from about 610,000 taxpayers in an effort to access old tax returns. They were successful in getting information from about 334,000 taxpayers.

IRS Says Thieves Stole Tax Info From Additional 220,000 - AP

The online Get Transcript mechanism has been turned off for a while now.

The identity verification mechanism they were using, which is a fairly standard one, relied on someone's credit report history. Unfortunately, that information is not hard to dig up on an individual if someone goes looking, so it was too easy for other people to access someone's tax records.

Through "Get Transcript" you could access copies of old tax returns, amounts paid in estimated taxes, and the current account status (paid, owed, etc.).

The Get Transcript by Mail mechanism is still available. This method will only send the transcripts to the address on the last tax return, making it more secure than the online method was.

We created accounts earlier this year (one for each of us) and got copies of our information at that time. But we are locked out now as is everyone.

Unfortunately, creating an account to access transcripts online did not protect you from thieves in the past, because anyone could start over the identity verification process to access information.

I think the Social Security mechanism is a little more robust in that if an account has been created, users are notified by email if someone else accesses your account.

 

[audreyh1]

Here is additional info on the breach announced near the end of May. I missed this as we were traveling at the time.

Interestingly - the accesses were from Feb through mid-May. End of March is when I created accounts and got my data - right in the middle of this mess.

When I signed up for my account, they asked me for a couple of pieces of info that were pretty obscure. But the questions are random and taken from your credit file. For DH on the other hand - the questions were all about the same and all anyone would need to know was when we bought our house and where it was. That would be easy to find. Since we file jointly, impersonating either one of us would get the same records.

IRS system mined for over 100,000 taxpayer records by fraudsters [Updated] | Ars Technica

IRS Statement on the "Get Transcript" Application

 

[audreyh1]

Krebs on Security now has a write up on this latest development.

IRS: 330K Taxpayers Hit by ‘Get Transcript’ Scam
http://krebsonsecurity.com/2015/08/irs-330k-taxpayers-hit-by-get-transcript-scam/#more-31988

 

[easysurfer]

I just got a notification letter from the IRS today .

I guess the sliver lining is if my info appears on Ashley Madison, my alibi is that's the imposters and not me. I have an IRS letter to prove that.

The price we pay for a immediate information .

 

[mickeyd]

Thanks for that audreyh1. I never have asked for a transcript so I assume (?) that I am not in that batch of data. What else is out there?

drip, drip, drip

 

[easysurfer]

Thanks for that audreyh1. I never have asked for a transcript so I assume (?) that I am not in that batch of data. What else is out there?

drip, drip, drip

I'm trying to recall if I ever asked for a transcript of my taxes and am not sure. My memory says I never asked for a transcript, but I don't trust my memory 100%. I'd think if you never have, then you are still not out in the woods as a crook could troll for your info via social media or buy from underground market then apply for your tax info via the Get Transcript.

 

[sengsational]

Most of us have already frozen, but if not, now would be a good time.

Credit Freeze and Thaw Guide | Clark Howard

 

[audreyh1]

I just got a notification letter from the IRS today .

I guess the sliver lining is if my info appears on Ashley Madison, my alibi is that's the imposters and not me. I have an IRS letter to prove that.

The price we pay for a immediate information .

Oh no! Dang!!!!!

This thread didn't get any comments when I first posted the info. It's too bad this is the reason it came back to life!!

 

[audreyh1]

Thanks for that audreyh1. I never have asked for a transcript so I assume (?) that I am not in that batch of data. What else is out there?

drip, drip, drip

No - you can't assume that unfortunately. Just the opposite.

If you had created an online account to access a transcript, that in fact protected you from the fraudsters to some extent as the fraudster would be initially blocked because an account already existed for a given SS#.

It's folks who never created an account that are vulnerable.

Some folks tried to create accounts, but couldn't because someone else already had!!!

 

[easysurfer]

Oh no! Dang!!!!!

This thread didn't get any comments when I first posted the info. It's too bad this is the reason it came back to life!!

Thanks for the empathy. I'm glad that I already have a social security account opened online (to see the annual benefits) so hopefully, all that happened is the crooks tried to file a bogus return, but couldn't. (I e-filed without issue for tax year 2014).

Of course, I won't know the extent (the most I could know) until I do the credit monitoring for one year.

 

[zinger1457]

Most of us have already frozen, but if not, now would be a good time.

Sounds like the cost to freeze/thaw your credit is free if you're an ID theft victim. Does the fact that you received a notice that your personal information was hacked, like easysurfer received from the IRS, make you an ID theft victim or is there more to it?

 

[audreyh1]

Thanks for the empathy. I'm glad that I already have a social security account opened online (to see the annual benefits) so hopefully, all that happened is the crooks tried to file a bogus return, but couldn't. (I e-filed without issue for tax year 2014).

Of course, I won't know the extent (the most I could know) until I do the credit monitoring for one year.

Right - at least you are set up at SSA.gov.

And since you were able to e-file they hadn't used your information to try to file, or were blocked because you already had.

It's still really stinks though. I consider my tax return information to be some of the most sensitive data we have.

 

[Fermion]

I wonder if you could convince a federal judge you don't want to file your taxes because of the ineptitude of the IRS with your personal data? Unlikely, but it would be hilarious if a judge agreed with a case like this.

 

[samclem]

Sounds like the cost to freeze/thaw your credit is free if you're an ID theft victim. Does the fact that you received a notice that your personal information was hacked, like easysurfer received from the IRS, make you an ID theft victim or is there more to it?

I believe it varies by state. In Ohio, to get a free "freeze" somebody has to steal your data AND try to use it to rip you off--and you have to file a police report. In some states is is free for everyone.

(More on here on Ohio procedures but also some good general info from the Cleveland Plain Dealer).

 

[easysurfer]

Been working on this cr*p for the past few hours and have a question maybe someone here with experience might know.

If I have a credit monitoring service, but then have a "freeze" in place, will that still work? Or will the "freeze" make the monitoring not doable?

As part of the IRS hack, I get a free monitoring service for a year. So, I tried to sign up but upon doing so, first got rejected online, then talked to a live person. While talking she said, the product (the initial sign up for the monitoring) won't process if you have a freeze in place. So, I ended up temporarily unfreezing (one won't be in effect until tomorrow). But now I'm thinking, once the temporary lift expires, will the monitoring still work?

 

[audreyh1]

Credit monitoring does work with a freeze. It's one of the exceptions.

https://help.equifax.com/app/answers/detail/a_id/19/~/security-freeze-exceptions

 

[unno2002]

I’m not certain I’d trust that the IRS will send “notification”. Both the wife and I were victims in the Office of Personnel Management (OPM) hacking / theft of employee information, and neither of us received any notice. It took us each calling and asking, to receive a “oh, you should have already gotten notice” response.

 

[easysurfer]

Credit monitoring does work with a freeze. It's one of the exceptions.

https://help.equifax.com/app/answers/detail/a_id/19/~/security-freeze-exceptions

Thanks for the info Audrey. That's the answer I wanted too .

 

[easysurfer]

I’m not certain I’d trust that the IRS will send “notification”. Both the wife and I were victims in the Office of Personnel Management (OPM) hacking / theft of employee information, and neither of us received any notice. It took us each calling and asking, to receive a “oh, you should have already gotten notice” response.

Are you thinking the IRS letter may not be legit? That did cross my mind. But all the links that refer to the IRS site are to irs.gov. The mailing address is the same as that of in an affidavit form to fill out (to get a 6 digit PIN for future tax filing since now my ssn is tainted ) and the credit monitoring code for the 1 year of monitoring is valid. Plus, no where in the letter does it ask for personal info such as SSN. So, unfortunately, I say the letter is legit. I did have the same thought though.

 

[audreyh1]

He was just questioning whether everyone would be notified, I think.

 

[mickeyd]

As always, the IRS takes the security of taxpayer data extremely seriously,
and we are working aggressively to protect affected taxpayers and continue to strengthen our protocols.

Isn't this the same outfit that Lois Lerner used to work for?

 

[easysurfer]

He was just questioning whether everyone would be notified, I think.

I see. That's a very good point.

 

[easysurfer]

I got the free credit monitoring for a year from Equifax as a result of the IRS hack. The good news is looking at my credit reports, there isn't anything suspicious like new credit accounts or strange charges. So, at first inspection, besides just the letter that my info got compromised, I don't see any damage.

 

[MichaelB]

I got the free credit monitoring for a year from Equifax as a result of the IRS hack. The good news is looking at my credit reports, there isn't anything suspicious like new credit accounts or strange charges. So, at first inspection, besides just the letter that my info got compromised, I don't see any damage.

I think it's time to give everyone free lifetime access to their credit report. This "one free year" is a giveaway for the credit agencies, it's better marketing and lead generation than anything they could do.

 

[samclem]

I think it's time to give everyone free lifetime access to their credit report.

+1. And unlimited "freeze on/freeze off" toggles. If the potential victim is willing to do their part to limit the damage from ID theft, the credit agencies (and merchants) should make it easy, and shouldn't charge them for it.