IRS ‘Get Transcript’ Security Breach: What happened? Will it happen again?

TIGTA (the Treasury Inspector General for Tax Administration) was created in 1998. Their job is:

"To provide independent oversight of IRS activities. TIGTA promotes the economy, efficiency, and effectiveness in the administration of the internal revenue laws. It is also committed to the prevention and detection of fraud, waste, and abuse within the IRS and related entities."


Generally what they do is audit the IRS on a particular subject and report details on why they did the audit, what they found, the impact on taxpayers, and their recommendations to the IRS.


IRS Security Breach

Recently they released the findings from their investigation on the IRS "Get Transcript" security breach.


There was an application on the IRS website called “Get Transcript”, and it allowed taxpayers to view and download their tax info. On May 21, 2015, the IRS discovered that it was being used for unauthorized access to taxpayer data. People’s information was literally being stolen right off their website. One would hope that the largest collection agency in the world, located in the number one superpower country would have pretty tight security on their website. Not so.


Initially the IRS believed that about 104,000 taxpayers were affected, but it was later found that the number was closer to 350,000.


The IRS correctly assumed that some of the stolen information was being used to file fraudulent tax returns. So they decided to send potential victims a notification letter and then mark their accounts with an ‘identity theft incident marker’. Helpful, right?


Well, it would have been, if they actually did what they said they were going to do. But in typical IRS fashion, they didn’t get it exactly right.


What did TIGTA dig up?

TIGTA’s auditors found that:

  • The IRS failed to place identity theft application markers on all of the affected accounts
  • They also did not offer an Identity Protection Personal Identification Number (IP PIN) or free credit monitoring to everyone affected
  • And finally, TIGTA was able to identify an additional 2,470 people affected by the breach whom the IRS had somehow missed in its own investigation


As a result, TIGTA made the following recommendations to the IRS:

  • Implement additional evaluative methods to identify all individuals affected by the breach
  • Issue notification letters to 620,931 taxpayers whose accounts were potentially targeted and place identity theft incident markers on their accounts
  • Ensure that authentication system error codes are analyzed when responding to future data breaches
  • Notify the additional 2,470 taxpayers identified and place identity theft incident markers on their accounts
  • Place identity theft incident markers on the 3,206 taxpayer accounts that were missing them
  • Issue IP PINs to the 79,122 individuals whose personal information was used by unauthorized individuals
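The third recommendation is the one with a concrete engineering lesson: if an incident response counts only successful transcript retrievals, it misses the taxpayers whose accounts were attacked but where authentication failed, which is how TIGTA ended up finding people the IRS had not. The following is an added illustration of that triage, not code from the IRS or from the TIGTA report. The log line format, the account ids, the source addresses and the error code names are all constructed for the example; the only idea taken from the page is that failure codes must be analysed alongside successes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample authentication log (hypothetical line format, fake
# account ids, documentation-range IPs). Not IRS data.
SAMPLE_LOG = """\
2015-05-20T10:01:02Z acct=ACCT-0001 src=198.51.100.7 result=SUCCESS code=0
2015-05-20T10:01:40Z acct=ACCT-0002 src=198.51.100.7 result=FAIL code=IDENTITY_MISMATCH
2015-05-20T10:02:11Z acct=ACCT-0002 src=198.51.100.7 result=FAIL code=IDENTITY_MISMATCH
2015-05-20T10:02:50Z acct=ACCT-0002 src=198.51.100.7 result=FAIL code=LOCKOUT
2015-05-20T10:03:05Z acct=ACCT-0003 src=203.0.113.9 result=SUCCESS code=0
2015-05-20T10:03:30Z acct=ACCT-0004 src=203.0.113.9 result=FAIL code=UNVERIFIED
2015-05-20T11:00:00Z acct=ACCT-0005 src=192.0.2.44 result=SUCCESS code=0
"""

# Hypothetical line layout: timestamp, account, source, result, error code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAIL) code=(?P<code>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts. Malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def multi_account_sources(events, min_accounts):
    """Sources that authenticated against at least min_accounts distinct
    accounts. A legitimate taxpayer normally touches only their own account,
    so a source cycling through many accounts is the incident signal here."""
    accts_by_src = defaultdict(set)
    for e in events:
        accts_by_src[e["src"]].add(e["acct"])
    return {src for src, accts in accts_by_src.items() if len(accts) >= min_accounts}


def triage(events, min_accounts=2):
    """Split accounts touched by suspicious sources into those whose data was
    actually retrieved (a SUCCESS) and those that were only targeted (FAIL
    only). Counting successes alone silently drops the second group, which
    still needs notification and an incident marker."""
    suspicious = multi_account_sources(events, min_accounts)
    accessed, targeted, codes = set(), set(), Counter()
    for e in events:
        if e["src"] not in suspicious:
            continue
        if e["result"] == "SUCCESS":
            accessed.add(e["acct"])
        else:
            targeted.add(e["acct"])
            codes[e["code"]] += 1  # which failure modes the attackers hit
    return {
        "accessed": accessed,
        "targeted_only": targeted - accessed,
        "failure_codes": dict(codes),
        "suspicious_sources": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample, two accounts were actually read and two more were attacked without success; a response that looked only at successful retrievals would have notified the first pair and left the second pair unmarked. The `failure_codes` tally is the part TIGTA's recommendation is about: it tells responders which error paths the attackers were hitting, which in turn tells them which accounts to sweep up.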


The IRS agreed with most of those recommendations, except for one. They didn’t feel it was necessary to issue IP PINs to the 79,122 individuals whose information had potentially been breached…but did acknowledge that this was a ‘potentially inconsistent IP PIN issuance policy’ and said they would consider that inconsistency in future IP PIN policy decisions.


The IRS announced on Tuesday that it has re-launched the Get Transcript app with ‘improved authentication to safeguard against identity theft’…but personally I’d still be wary about using it.