(Bloomberg) — The IRS's initiative to expand online services for taxpayers makes it more likely the U.S. tax agency will be hit by "hackers and other fraudsters," the agency's inspector general said Tuesday.
One of the Internal Revenue Service's early forays into interactive service was halted last month after the agency said identity thieves had accessed past tax returns of 104,000.
The IRS provided updated numbers Tuesday, showing that about 13,000 fake tax returns have been filed using that information, with an estimated loss of $39 million to the government.
Recommended For You
Though the data breach didn't compromise the IRS's core systems, it marked a significant setback for the agency's efforts to cut costs and mimic financial services companies.
"Providing taxpayers more avenues to obtain answers to their tax questions or to access their own tax records online also creates greater risk to an organization and provides more opportunities for exploitation," Russell George, the inspector general, said in prepared remarks for a Senate Finance Committee hearing on Tuesday.
The data breach involved a "get transcript" function on the IRS's website. Taxpayers had to submit personal information, such as their Social Security number, date of birth and tax filing status. Then they had to authenticate that information with so-called out-of-wallet information, such as their monthly mortgage or car payment, according to IRS Commissioner John Koskinen.
Identity thieves
Past tax returns are especially valuable to identity thieves because they allow them to create plausible fake tax returns that mimic a real return, evade computerized anti-fraud filters and then direct the refund to a prepaid debit card.
The identity thieves were able to bypass the safeguards repeatedly and the IRS stopped the application on May 21. Several agencies are investigating the incident and the IRS is contacting the affected taxpayers.
"Your agency has failed these taxpayers," Senate Finance Chairman Orrin Hatch, a Utah Republican, said to Koskinen.
Not all 104,000 thefts led to fake tax returns because some of the legitimate taxpayers had already filed returns or because IRS computers rejected the returns as suspicious.
"The IRS is not and will never be exempted from this constant threat," Hatch said. "In fact, there is reason to believe the IRS will be more frequently targeted in the future."
$5 billion
The most recent data breach is a fraction of the identity theft problem facing the IRS. According to George's testimony, the IRS lost more than $5 billion to refund fraud in 2013.
George's prepared testimony questioned the IRS's data- security efforts and said the agency hasn't implemented 44 recommendations from his office. For example, he said the agency could do a better job terminating unused accounts and limiting shared accounts.
Data security is especially important, he said, as the IRS expands its online efforts. According to George's statement, the IRS is planning a secure messaging pilot program in 2016 "that will lay the foundation for a broader taxpayer digital communication rollout in the future."
Congress has been cutting the IRS budget, and Koskinen has pitched expanded online services as a way the agency can conserve resources and serve taxpayers.
'Less efficient'
The get-transcript application served 23 million taxpayers this year and the agency would have been "much less efficient" without it, Koskinen said. IRS call centers and walk-in offices were jammed during the 2015 tax filing season.
In his testimony Tuesday, Koskinen showed few signs of veering from that path.
"We must balance the strongest possible authentication processes with the ability of taxpayers to legitimately access their data and use IRS services online," Koskinen said in his written statement. "The challenge will always be to keep up with, if not get ahead of, our enemies in this area."
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
