Massive IRS data breach much bigger than first thought

Daily News Article   —   Posted on March 2, 2016

(CBS News) — A massive data breach at the IRS was much bigger than was first realized. The agency now says more than 700,000 social security numbers and other sensitive information may have been stolen.

Hackers used the “Get Transcript” program, which allows you to check your tax history online. The IRS began the online program two years ago, allowing taxpayers to request their tax history over the Internet, in addition to the post office. But following a nine-month investigation by the Treasury inspector general for tax administration, the IRS says its online service has put hundreds of thousands of more taxpayers at risk of identify theft, reports CBS News correspondent Jan Crawford.

Not even Virginia-based tax attorney, Wayne Zell, was protected from hackers.

“Somebody was trying to claim a refund using my social security number and I knew something was wrong,” Zell said. “I got a form earlier this week stating that somebody had recovered my E-File personal identification number. I don’t have an E-File personal identification number.”

The IRS’s data dump is the latest in a series of disclosures. [A data dump is a large amount of data transferred from one system or location to another.] In May 2015, the agency reported cyber criminals accessed approximately 114,000 taxpayer accounts. Three months later, that number grew to as many as 334,000. This month, the IRS said there are as many as 724,000 victims.

“The IRS is frankly not doing enough to protect us,” said Steve Weisman, a senior lecturer at Bentley University and an expert in identity theft. “The very fact that it takes them so many months to even analyze the depth of the problem shows you that there are probably more identity theft that is going on.”

The IRS said hackers used personal information gathered from other online sources – like bank accounts – to answer personal identity questions on the “Get Transcript” forms.

One possible culprit is the IRS-approved tax preparers. According to an audit conducted by the non-profit online trust alliance, six out of 13 IRS-approved companies failed at providing adequate security to customers.

“We’re often our own worst enemies because there are times that we don’t use proper passwords, we don’t use proper security,” Weisman said.

The IRS said they are notifying the hacked taxpayers by mail, as well as offering free identity protection for a year.

In a statement, the agency said it’s “committed to protecting taxpayers on multiple fronts against tax-related identity theft… We are moving quickly to help these taxpayers.”

“Short of changing your social security number, which I understand only witness protection program victims can do, I don’t really we have a solution yet, but I think we need to search for one,” Zell said.

The online viewing and download feature of “Get Transcript” has been suspended since May 2015. The IRS is working to restore that part of the service with enhanced security to protect taxpayer identities.

Reprinted here for educational purposes only. May not be reproduced on other websites without permission from CBSNews. Visit the website at cbsnews .com.


Questions

1. The first paragraph of a news article should answer the questions who, what, where and when. List the who, what, where and when of this news item. (NOTE: The remainder of a news article provides details on the why and/or how.)

2. a) What is the “Get Transcript” program?
b) How did hackers use this program to steal taxpayers’ personal information?

3. How has the number of taxpayer accounts hacked by cyber criminals changed since first made public by the IRS in 2015?

4. What does identity expert Steve Weisman say about the IRS’s ability to protect taxpayers’ identity?

5. Why does CBS News suggest tax preparers could be to blame for hackers acquiring the personal information they needed to hack into taxpayers’ IRS accounts?

6. What has the IRS said/done in the wake of the hacking?

7. Per Wikipedia: The IRS Commissioner is appointed by the President, with the consent of the Senate, for a five-year term. Internal Revenue Code § 7803 requires that the appointment be made from individuals who, among other qualifications, have a demonstrated ability in management. By law, the Commissioner is also part of the "Federal law enforcement community."
a) What do you think? - should the IRS Commissioner be held responsible for this egregious fiasco? If so, how? Explain your answer.
b) How do you think President Obama should address this widespread hacking of taxpayer data? Explain your answer.

8. When the breach was originally announced in May 2015, IRS commissioner John Koskinen played down the data leak. “Our basic information is secure,” he said at a press conference. “This is just the latest manifestation of people getting enough data to masquerade as a taxpayer.”
Jeff Williams, chief technology officer at Contrast Security, said if hackers were able to figure out how to trick the IRS’ systems into thinking they were legitimate users, the tax agency should have, too.

Wikipedia notes, “The projected estimate of the budget for the IRS for fiscal year 2011 was $12.633 billion.”

a) What 2 adjectives do you think best describe the management of the IRS? Explain your answer.
b) Ask a parent the same question.
Answers vary.