The IRS has announced that over 104,000 taxpayers have had their personal data stolen, including names, dates of birth, and social security numbers, as the result of a data breach last month. The repercussions of this data breach have been severe for those affected, as hackers have already been able to use the stolen past tax returns to submit fraudulent tax returns under their stolen identity and direct the tax refunds to prepaid debit cards. As a result of government data breaches, the IRS has announced that over 200,000 tax returns were received from “questionable” email domains, and it is estimated that 100,000 were able to clear the IRS’ authentication system.
Government data breaches have been a critical drawback to the IRS’ efforts to reduce administrative costs and clear their phone lines by offering taxpayers with an interactive online service known as their “Get Transcript” function. This feature allowed taxpayers to access their past tax returns without having to call the IRS or visit the agency in person. As a security measure, “Get Transcript” required users to disclose sensitive information such as their date of birth, Social Security Number, and tax filing status. The breached accounts occurred from mid-February through May, and the “Get Transcript” feature has since been removed from the IRS’ website.
This attack demonstrates how unrelated data breaches can result in your most sensitive information being stolen. The IRS has stated that the cybercriminals used taxpayer specific information from non-IRS sources to gain access to the victims’ accounts. This means that they were able to gather extensive personal information about the victims from social media and other third party websites, and use it for government data breaches to bypass the IRS’ multi-step authentication system, which includes several personal verification questions, and gain access to the breached IRS accounts.
This is alarming because it illustrates how easily one data breach can lead to another, especially if you use the same password for multiple accounts. When it comes to protecting your sensitive information online, you are only as strong as your weakest link. As we become more dependent on the internet, more of our personal information is available online and the stakes of data breaches become even higher. This is why it is important to take every precaution and limit the personal information that you post online, change your passwords frequently, use a unique and complex password for each log-in, and use professional identity and credit monitoring to catch any changes to your identity. Your ability to safeguard and proactively monitor your Personally Identifiable Information can make a huge difference in remediating and restoring any damage caused by cyber theft.
