One day after the IRS announced the reopening of the Get Transcript Online application site, the Treasury Inspector General for Tax Administration (TIGTA) released a report on the Get Transcript data breach that found that the IRS failed to identify 620,931 taxpayers whose tax account information was potentially unlawfully accessed. Of those, TIGTA found that 355,262 accounts were successfully accessed by the cybercriminals.
In addition, TIGTA identified 2,470 more taxpayers whose accounts were targeted in the Get Transcript breach that the IRS did not discover because it erroneously failed to look at three system error codes when trying to find victims.
TIGTA also criticized the IRS for failing to place markers for identity theft activity on the accounts of 3,206 taxpayers whose accounts were accessed in the breach.
The final TIGTA criticism was of the IRS’s failure to offer to issue an identity protection personal identification number (IP PIN) or to pay for credit monitoring for 79,122 taxpayers whom the IRS had identified as having their accounts unlawfully accessed.
In the report, The Internal Revenue Service Did Not Identify and Assist All Individuals Potentially Affected by the Get Transcript Application Data Breach (TIGTA Rep’t No. 2016-40-037), TIGTA recommended that the IRS:
- Use additional methods to identify all individuals affected by the breach;
- Send letters to the 620,931 taxpayers whose accounts were potentially targeted and place identity theft incident markers on their accounts;
- Be sure that all authentication system error codes are analyzed in future data breaches;
- Notify the additional 2,470 taxpayers identified in the report and place identity theft incident markers on their accounts;
- Place identity theft incident markers on the 3,206 taxpayer accounts; and
- Issue IP PINs to the 79,122 individuals whose personal information was accessed in the breach.
The IRS agreed with all the recommendations, except for issuing the IP PINs to the 79,122 taxpayers because the current policy is not to issue them in those situations. However, the IRS said it would reevaluate that policy.
—Sally P. Schreiber (firstname.lastname@example.org) is a JofA senior editor.