A bug within one of the Internal Revenue Service’s web-based data retrieval tools is to blame for a recent security breach.
Upwards of 100,000 taxpayers may have had their personally identifiable information compromised as a result, according to IRS Commissioner John Koskinen who testified before the Senate Finance Committee about the incident on April 6.
Cyberthieves used a bug in the IRS Data Retrieval Tool to steal people’s data and then turned around and filed millions of dollars’ in fraudulent tax returns before the tool was disabled in early March as a “precautionary step.”
As Koskinen testified, “it was possible, with relatively little stolen information, to pretend you’re a student, go online, start to fill out an application, give permission for us to populate that application with tax data — most importantly, the adjusted gross income — and then complete the application.”
The tool has been in use for the last eight years, according to FinAid.org. It allows students to transfer data from their federal income tax returns to fill in some information on the Free Application for Federal Student Aid, commonly known as the FAFSA.
While it was meant to save people time, you can bet those affected by the breach will now be spending significant amounts of their life cleaning up the mess.
Although Koskinen didn’t find it to be a “significant volume of money,” the agency issued about 8,000 fraudulent tax returns totaling somewhere in the neighborhood of $30 million. According to Koskinen, 52,000 returns were stopped, preventing 14,000 illegal refund claims from being processed.
Apparently the IRS learned of the issue this past fall, “but were hesitant to remove a tool that served a legitimate purpose for most users,” according to this Washington Times story.
On March 30, 2017, the U.S. Department of Education and the IRS issued a joint press release saying the Data Retrieval Tool on fafsa.gov and studentloans.gov would be “unavailable until extra security protections can be added.”
The release went on to say:
“The IRS is working to identify the number of taxpayers affected by questionable use of the Data Retrieval Tool. Identity thieves may have used personal information obtained outside the tax system to access the FAFSA form in an attempt to secure tax information through the DRT. The IRS continues to review the extent to which this contributed to fraudulently filed tax returns.”
According to this Forbes.com story about the incident, letters have already gone out to around 35,000 taxpayers.
You can still fill out the FAFSA online, you’ll just have to manually enter the 2015 tax information.
A criminal investigation into the breach is ongoing.
Are you covered for identity theft?
Get Covered
Image: Pexels