The plot to steal information on 100,000 taxpayers from the Internal Revenue Service and hijack nearly $ 50 million in refunds not only reveals a previous security breach but hints at a wider fraud that may bedevil Americans in the future.
Some security and tax experts warned that this latest data theft might be a prelude to more targeted schemes aimed at duping taxpayers into handing millions of dollars over to criminals or to help thieves circumvent the agency's security filters next year and beyond.
"This breach is not just about what this single group is going to do with the information, but what happens when this information gets sold on the black market," said Peter Warren Singer, the author of "Cybersecurity and Cyberwar: What Everyone Needs to Know." "It's rare for the actual attackers to turn the information directly into money. They're stealing the data and selling it off to other people."
It is almost impossible to find a business or government agency that has not had some kind of security breach, he noted. Millions of customers at companies like Target and the private insurer Anthem have had data compromised. And this year, TurboTax temporarily halted electronic filing of state income tax returns after seeing an uptick in attempts to use stolen information to file fraudulent returns and wrongly claim tax refunds.
How to Create a Secure Password
Four easy tips to protect your digital accounts from the next breach.
Photo by Mel Evans/Associated Press.
With the I.R.S., it was not the agency's own system that was hacked. Criminals had already obtained individuals' Social Security numbers, addresses and birth dates and then used the information to trick the network and gain access to taxpayers' returns and filings through an application on the I.R.S. website.
"There was no identity theft within the I.R.S.'s actual system," said Aaron Blau, a tax expert in Tempe, Ariz. "These people already had all of this data. They could have used this information to call your bank, your doctor, your insurance carrier, and they would have gotten through 100 percent of the time. In this case they chose to use the I.R.S."
Many Americans are being attacked more directly, Mr. Blau said. One popular scheme is to cold-call taxpayers and threaten them with prosecution if they do not immediately pay money supposedly owed to the I.R.S. by directing them to purchase a prepaid debit card and then transfer the money. Now, with more detailed information from returns, criminals could better target potential victims, and bolster their credibility with information stolen from taxpayer filings, Mr. Blau said.
Reusable prepaid cards have become a magnet for fraud, according to law enforcement officials, with criminals often posing as bill collectors, government agents and others.
Without more information about the individuals who were targeted, it is hard to know the endgame, said Marc Goodman, the author of "Future Crimes." Mr. Goodman noted that previous security breaches had sometimes been used to embarrass politicians, celebrities or corporate figures, and tax returns would provide a rich source of personal information.
Although some critics have been quick to condemn the I.R.S., several tax experts said using this episode to vilify the agency was unfair.
"The I.R.S. takes data, privacy and data security extremely seriously," said Edward Kleinbard, a professor of law at the University of Southern California and former staff director of the Joint Tax Committee of Congress. "They do their best, but the resources arrayed against it have become increasingly well-funded and sophisticated, and the problems will only compound over time."
William Gale, co-director of the tax policy center at the Brookings Institution, agreed that the issue extended beyond a single agency. "I don't think this is an I.R.S. problem per se. It is facing the same problems that all the major data providers have."
The I.R.S. has repeatedly said that protecting taxpayer information and combating fraud were priorities. Half of the attempted information thefts were rebuffed through a system of filters that are used to detect fraud, the agency said.
9 Recent Cyberattacks Against Big Businesses
Cyberattacks have become an ever-increasing threat, and the F.B.I. now ranks cybercrime as one of its top law enforcement activities. Here are some of the major attacks on United States businesses in recent years.
Still, there is little debate that its efforts have been hampered by budget cuts. Just two months ago, an agency overseer issued what now seems to be a prescient warning.
"Resources have not been sufficient for the I.R.S. to work identity theft cases dealing with refund fraud, which continues to be a concern," J. Russell George, the Treasury inspector general for tax administration, testified before a Senate subcommittee.
The agency's budget has been cut by 17 percent over the last four years after taking inflation into account, and its work force, now at roughly 83,000, has been reduced by 12,000. This year, John A. Koskinen, the I.R.S. commissioner, warned that impending budget cuts would have devastating effects, including the delay of new protections against identity theft and refund fraud.
Chuck Marr, director of federal tax policy at the Center on Budget and Policy Priorities in Washington, said that the agency has been starved for funds: "The Congress has been targeting the I.R.S. for years."
Nina E. Olson, who leads the Taxpayer Advocate Service, an independent office at the I.R.S., has criticized the agency for its handling of identity theft cases.
In her annual report, she noted that victims often must "navigate a labyrinth of I.R.S. operations and recount their experience time and again to different employees. Even when cases remain in one I.R.S. function, they may be transferred from one assistor to another with significant periods of non-activity." On average, the agency took nearly six months to resolve cases.
She added that cases were also frequently closed prematurely, "before all related issues have been fully addressed."
Her office recommended that a single officer be assigned to handle each case.
In an email, she spoke to a broader issue: "While granting taxpayers enhanced access to their tax information remains a laudable goal, the overriding priority must be to protect taxpayers' confidential tax information from exposure."
As for this most recent data theft, the I.R.S. urged taxpayers not to contact the agency, saying it would only delay the already overburdened staff. Anyone whose information was stolen will be contacted, the agency said.
The best advice at this stage, Mr. Blau, the tax expert, said, is, "Hurry up and wait."
No comments:
Post a Comment