Identity thieves stole information on 104,000 U.S. taxpayers from the IRS website and used the data to file fake tax returns that yielded as much as $50 million in refunds, agency Commissioner John Koskinen said.
The thieves had enough personal information on the taxpayers to get past security filters on the "Get Transcript" function on the Internal Revenue Service's website, Koskinen said Tuesday on a conference call with reporters.
That allowed them to gain access to past tax returns, which contain the information they would need to file convincing fake returns.
"We're confident that these are not amateurs, that these actually are organized crime syndicates," Koskinen said. He said the breach resulted in the filing of fewer than 15,000 fake returns.
The problem is another setback for the beleaguered tax agency, which had been encouraging taxpayers to use its online services to relieve the burden on its jammed toll-free telephone lines.
"This is a wakeup call that breaches have a compounding effect and the stakes are getting higher," said Eric Chiu, president and co-founder of HyTrust Inc., a data-security company. "Attackers are on the hunt for our personal and financial information using data stolen from other breaches to gain a larger amount of information on those same individuals. The outcome of this could be devastating to consumers."
The amount stolen is relatively small compared with the broader wave of tax-refund identity theft the IRS has fought for several years. In 2011 alone, the IRS paid out $3.6 billion in potentially fraudulent refunds, according to its inspector general. That money is a loss for the Treasury, except to the extent that the government can get it back through prosecutions.
The breach was unusual because the thieves gained access directly through the IRS.
The activity occurred from mid-February through May. The IRS removed the Get Transcript function from its website last week and started a criminal investigation.
"We won't put it back up until we're satisfied that we've improved the security," Koskinen said.
The Get Transcript function allowed taxpayers who provided identifying information to access their past tax returns without calling the IRS or visiting the agency in person. In addition to Social Security numbers and addresses, they had to provide "out-of-wallet" information, such as their high school mascot or the type of car they once owned, Koskinen said.
Some of that information is widely available on social media, Koskinen said, adding that investigators are still examining exactly what happened.
The transcript is particularly valuable for identity thieves trying to steal a tax refund, because they can file a fake return that mimics the real taxpayer's income and deductions and directs a refund to their own debit card. Such a return, Koskinen said, has a better chance of skating past the agency's computerized filters that flag anomalies.
Even with Social Security numbers, he said, "What you don't have is enough data to make the false data look like what the real return would be."
Senate Finance Committee Chairman Orrin Hatch, a Utah Republican, said his panel is working with the IRS to determine how the "devastating breach" could occur.
"That the IRS, home to highly sensitive information on every single American and every single company doing business here at home, was vulnerable to this attack is simply unacceptable," Hatch said in a statement. "This agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves."
The IRS didn't provide a minimum amount that the identity thieves received in refunds.
The IRS is providing credit-monitoring services to the people affected. Those taxpayers, along with another 100,000 whose data the thieves tried and failed to breach, will receive letters from the IRS explaining what happened.