On Monday, the IRS revealed that a criminal syndicate's massive theft of American taxpayer data was much worse than originally thought.
In May, the government agency said criminals used a tool on the IRS website to steal the tax forms of 104,000 people. It has revised that number up to 330,000.
The tax-collection agency said it realized the total number of victims was twice as high after it conducted "an extensive review covering the 2015 filing season."
The IRS is now sending letters to those taxpayers to warn them about potential identity theft, offer free credit protection and give them an extra PIN to protect future tax filings.
Until this spring, the IRS website provided a tool called "Get Transcript." It was meant to help taxpayers who lose track of old tax documents. They could easily download several years of tax forms for tasks like applying for a mortgage or college financial aid.
It's a popular tool. Earlier this year, Americans used it to download 23 million transcripts, the agency said.
To keep out fraudsters, the "Get Transcript" tool asked for lots of personal information before granting access: Social Security numbers, birthdays, physical addresses and more.
But thanks to the many data breaches nowadays, much of this information is already online.
Apparently, an unnamed cybermafia used previously acquired stolen information to dupe the "Get Transcript" tool -- and downloaded millions of tax documents related to the 330,000 people whose tax forms had been stolen.
Tax forms contain much more sensitive information, including salary, family information, and property and investment values. With this additional stolen information, criminals can claim bogus tax refunds -- or open credit lines in your name.
The cybermafia members posed as legitimate taxpayers and tried to download forms between February and May, the IRS said.
The IRS now thinks this criminal operation was even bigger than previously believed.
New evidence shows that the criminals had access to the personal information of some 610,000 taxpayers. They managed to use the "Get Transcript" tool to access tax documents for about half of them.
Originally, IRS Commissioner John Koskinen said the crooks used 15,000 of them to claim tax refunds in other people's names. The agency said it hasn't yet conducted a review to see if that number is also going up.
The IRS has since disabled the online document tool to prevent further fraud.
This incident is a curious one. It wasn't a hack -- or even a data breach. These fraudsters didn't manage to break into IRS computers at all. They just turned a useful IRS feature into a leaky faucet -- by answering all the verification questions correctly.
This data leak shows how difficult it is nowadays to verify true identities.
That's one reason the IRS has started an experimental program in which it gives select taxpayers a six-digit PIN. It's an additional layer of protection, like a passcode.
PINs are currently only available to tax fraud victims and residents of Florida, Georgia and Washington. The agency wants to take this pilot program nationwide.
The IRS is extending this PIN to the 330,000 people whose tax documents were exposed in this incident. However, it's not offering that protection to the other 300,000 people -- even though they arguably need it too (given that criminals already have their Social Security numbers and can already claim tax refunds in their names).
IRS law enforcement agents are now hunting for the fraudsters who did this, and the agency's own internal investigator is looking into how this happened.