The Equifax data hack impacted more than 145 million people and potentially put 209,000 Social Security numbers at a higher risk for identity fraud, but the breach is the least of the Internal Revenue Service’s worries as the tax agency gears up for the 2018 filing season.
IRS Commissioner John Koskinen told reporters Tuesday he didn’t think the breach would make any significant or noticeable difference during next year’s filing.
“Unfortunately, as a result of all the previous breaches that have gone on over the last two or three years, in both the public and private sector, our estimate is a significant percentage of those taxpayers already had their personal information in the hands of criminals,” Koskinen said during a press call. “Our estimate has been before that breach, that information on over 100 million Americans was already in the hands of criminals.”
The lesson to learn from the breach, the commissioner added, is that everyone — including businesses and state and local governments — should take steps to protect personal information.
“My advice to people is to assume your name, Social Security number and address are already in the hands of criminals, and then act accordingly,” Koskinen said.
For its part, the IRS is taking steps to prepare for the 2018 filing season, and strengthening securities around taxpayer data.
Koskinen announced the expansion of IRS’ W-2 verification code pilot program to an additional 66 million forms, and the continued practice of sharing data points among Security Summit partners.
The summit is a partnership between IRS, states and tax professionals that Koskinen organized and convened for the first time in March 2015.
“We will also increase our focus on protecting business returns from tax-related identity theft,” Koskinen said. “One way we plan to do this is by asking tax professionals to obtain more key information on their business clients, such as the client’s tax payment history and parent company information. This will help us ensure that the returns we receive are from a legitimate filer and not an identity thief.”
The commissioner tipped his hat to the summit’s work, which helped IRS stop 883,000 confirmed identity theft returns in calendar 2016. Through August 2017, IRS stopped 443,000 confirmed identity returns, a 30 percent decline from last year.
“This reflects the fact that we’ve made it harder for criminals to file false returns in volume, so they have to work more on an individual, return-by-return basis,” Koskinen said. “Another important sign involves the number of people reporting to us that they were victims of identity theft. In 2016, the number of victim reports was 376,000, a drop of 46 percent from the prior year. This year through August, 189,000 taxpayers filed victim reports, an additional drop of about 40 percent from the same period last year.”
Koskinen’s term as commissioner ends in November, and he said he was confident there would be a continuity of effort for the summit after he left, thanks in part to rolling the summit’s oversight and coordination into the Electronic Tax Administration Advisory Committee (ETAAC).
“It’s hard to imagine anyone — the president, secretary, commissioner — unwinding anything that’s been this important and this successful and this enthusiastically reported by states and the private sector,” Koskinen said. “My hope and goal is we will continue to have the great support we’ve had at the senior levels of all of these organizations, as well as at the operating and analytical level.”
Management challenges, ID theft
The update comes just after the Treasury Inspector General for Tax Administration (TIGTA) released its management and performance challenges report for IRS for fiscal 2018.
Of the 10 challenges, the top three in order of priority are:
security over taxpayer data and protection of IRS resources.
identity theft and impersonation fraud.
providing quality taxpayer service and expanding online services.
Bad actors are continually learning and developing new ways to attack the IRS’ data, like using the IRS’ data retrieval tool to take the personal information of students applying for financial aid.
“The recent breach at Equifax that exposed sensitive personal information, including Social Security numbers, could increase the risk of identity theft,” TIGTA said in its report.
TIGTA recommended the IRS establish a “service-wide strategy that establishes consistent oversight of all authentication needs across IRS functions and programs, ensures that the level of authentication risk for all current and future online applications accurately reflects the risk, and ensures that the authentication processes meet Government Information Security Standards.”
Among other security concerns, TIGTA said IRS has not fully implemented network monitoring tools used for detecting automated attacks, it has not ensured the encryption of data shared with external parties, and the agency was not installing security patches on services used for external transmissions “in a timely manner.”
The inspector general also warned of internal threats.
“These threats may appear in the form of malicious insiders or disgruntled employees who seek to misuse their access to taxpayer data or sensitive IRS business practices for personal gain,” TIGTA said. “These threats may also come in the form of employees who unintentionally do something to create a security weakness that may be exploited by others or unnecessarily expose data to unauthorized disclosure.”
TIGTA acknowledged IRS was making progress in detecting individual ID theft, but the watchdog said the agency needs to improve how it protects businesses from ID theft.
“In June 2017, TIGTA concluded that IRS processes are still not sufficient to identify all employment identity theft victims,” TIGTA said. “Specifically, the IRS did not identify instances in which identity thieves electronically filed tax returns with evidence that the thieves had used the victims’ SSNs to gain employment.”
In fact, TIGTA said, IRS processes don’t identify employment ID theft when processing paper tax returns.
TIGTA recommended IRS work with the public to help them help themselves through education and knowing what to look for when it comes to ID theft schemes.