Cyberattackers Gain Access to IRS Tax Returns

On May 26, 2015, the Internal Revenue Service (“IRS”) announced that criminals illegally accessed data to retrieve the past tax returns of approximately 100,000 individuals through the IRS website. The criminals managed to use social security numbers, birth dates, street addresses, and “out of wallet” data (e.g., person’s first car, high school mascot.)

How was the personal information accessed?

During the months of February to May, attackers attempted to get access to tax information over 200,000 times through the IRS “Get Transcript” online application, which allows for viewing information from previous returns. The criminals managed to go through many steps of an authentication process to view these previous returns, exploiting data from breaches in the past. Recent breaches of companies like Target, Home Depot, JP Morgan Chase, Sony, and Anthem have allowed for personal information to be easily accessible to hackers. In addition, it is possible for identity thieves to get basic answers to security questions from individuals’ social media accounts and search databases. The IRS proceeded to send $50 million in refunds before detecting the criminal activity.

What makes the breach so dangerous?

In general, security and protection are crucial since every company counts on the IRS to protect its confidential information. The issue of privacy has been dealt with by state and federal courts. However, the guidelines are not uniform on every level. The recent breach has been traced to criminals from inside and outside of the country, attacking both private actors and business owners. So, jurisdictional issues will arise since the crimes were committed in a different nation. In addition, both courts and victims face the inevitable fact that the leaked data could be used for many years. So, the victims must protect themselves against current and future risks.

What efforts are being made to protect against breaches?

The breach may cause the White House to make efforts to increase the IRS’s budget. The budget has been cut 18% since 2010 to adjust for inflation. Many representatives think it is important for Congress to work with the IRS to ensure that taxpayers are offered free credit monitoring. In the past, keeping data breaches secret from consumers was a corporate strategy. Today, state regulators have begun to demand disclosure, which is why all but three states now have disclosure laws. There is new legislation pending in Congress, which includes HR 1770  a/k/a the Data Security and Breach Notification Act of 2015.  This legislation addresses consumer notification, but at the same time might weaken state-level laws. It brings into question what data privacy practices should be in place to prevent the breaches in the first place, and the appropriate penalties for breaches. With crossroads of commerce, access between nations, and difficulty of prioritizing data-protection concerns, consumers and businesses alike are at risk when it comes to protecting their confidential information.

At our law firm, we assist clients in legal issues related to cyber security, cyber attacks, and data breaches. You may contact us in order to setup an initial consultation.