A "sophisticated" organized crime syndicate used the IRS website to steal tax forms full of personal financial information on 104,000 taxpayers, the agency said Tuesday.
Until the IRS discovered this latest data leak, its website provided a service called "Get Transcript." It's an easy way to download several years of tax forms for tasks like applying for a mortgage or college financial aid.
An unnamed cybermafia used this app to download forms full of personal information. They posed as legitimate taxpayers, and tried to download forms on 200,000 people between February and May. They got away with half of them, the IRS said.
The crooks used about 15,000 of them to claim tax refunds in other people's names.
But the potential damage is worse. IRS Commissioner John Koskinen said he believes the criminals' true mission was to gather vast amounts of personal information. Armed with that info, fraudsters can open bank accounts and credit lines, and steal tax refunds in the future.
"This is just the latest manifestation of people getting enough data to masquerade as a taxpayer," Koskinen said.
Last week, the IRS spotted an odd flood of computer traffic and initially thought its website was facing a cyberattack to block its services. But on further investigation, it discovered that the slew of requests were pulling data from its "Get Transcript" service and the agency immediately cut off communication.
This cyberattack wasn't a hack in the traditional sense. The IRS said criminals were able to use the Get Transcript service because they plugged in personal data they had already stolen: Social Security numbers, birthdays, physical addresses and more. They even correctly answered the personal identity verification questions -- the ones we all know as being too specific, annoying and difficult to answer ourselves.
This shows their intent was to gain even more personal data: accurate salary information, and details on specific tax deductions people take.
It was an attack the agency wasn't well suited to combat, Koskinen said. "We're dealing with criminals with a lot of money and using expensive equipment and hiring a lot of smart people," he said during a conference call Tuesday.
The IRS has temporarily disabled the "Get Transcript" service. It was too easy to game, Koskinen said. The agency had tried to make the service difficult for fraudsters -- but not too burdensome for the average person trying to get a hold of previous years' tax returns.
The agency is now trying to increase the security on the app -- and figure out the right balance, Koskinen said.
This is a popular tool. In recent months, Americans used it to download 23 million transcripts, the agency said. Taxpayers can still request previous years' documents, but they'll have to do it via the older and slower process -- by paper.
The IRS said it will notify by mail all 200,000 people who might be affected by this. They will all be placed on a list of Americans whose tax profiles are more closely monitored next year. To assist the victims, the IRS is also offering paid credit protection programs for them.
The agency is offering a secure PIN to the 104,000 whose tax forms the IRS is sure were exposed. It's not offering that protection to the other 100,000 people -- even though they arguably need it too (given that criminals already have their Social Security numbers and can already claim tax refunds in their names).
The PIN program is a permanent security feature that requires taxpayers to use a six-digit passcode when filing taxes. Currently, all that is required is a Social Security number.
PINs are currently only available to tax fraud victims and residents of Florida, Georgia and Washington. The agency wants to take this pilot program nationwide.
Koskinen said there is "no indication there is any connection" to the recent wave of fraud involving TurboTax preparation software.
But he said this is just more proof criminals are ramping up their theft of personal data for illicit gain.
"These guys are very good at data analytics. They have volumes of data available they can match up," he said. "The criminals can answer questions better than you can."
IRS law enforcement agents are now hunting for the fraudsters who did this, and the agency's own internal investigator is looking into how this happened.