Most Recent IRS International Hacking Reveals Vulnerability

0 Flares 0 Flares ×

As I discussed in yesterday’s post on proposals to expand the EITC, identity theft is a growing problem for IRS and the economy overall. In today’s guest post we hear from Justin Gelfand.  

Justin is a former federal prosecutor who is currently in private practice at the Capes Sokol Goodman and Sarachan law firm in in St. Louis, Missouri.  In 2013, Gelfand received the Attorney General’s Award for Fraud Prevention for his work on stolen identity tax refund fraud.  Justin has both prosecuted and defended criminal tax cases in districts throughout the United States. I heard Justin’s thoughtful presentation on the topic of identity theft at the recent ABA Tax Section meeting and asked him if he would share his views with our readers. Justin intends to discuss this growing problem and his ideas regarding solutions in greater detail in future posts. Les

According to national reports, hackers allegedly stole the personal data of approximately 100,000 taxpayers from the IRS’s computer system.  The most recent investigative report from CNN reveals the IRS believes the cyber-attack has links to Russia.  In the coming days, weeks and months, federal law enforcement will no doubt do everything it can to detect who is behind this alleged cybercrime and, if possible, to bring charges against those allegedly responsible.

As the IRS continues to combat stolen identity tax refund fraud, an epidemic that costs the Government more than $5 billion per year, the significance of this cyber-attack cannot be overstated: it is game-changing.  At a minimum, if the latest news coverage is accurate, it is crystal clear that international hackers successfully infiltrated the IRS’s computer system to steal legally-protected and extremely sensitive taxpayer information.  This information must inevitably threaten the IRS’s filters in place to detect fraudulent tax returns filed in the names of stolen identities.  After all, if the IRS is looking at a taxpayer’s prior tax returns, the hackers now have that information.


The IRS’s response: “We’re confident that these are not amateurs,” IRS Commissioner John Koskinen said.  “These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”

The IRS’s response is fair in some respects – cybercriminals have perpetrated attacks against large retail stores and small businesses.  But the difference between the IRS’s identity theft epidemic and the private sector is that no other private company or government agency continues to lose more than $5 billion year after year to the same crime.  That the IRS’s data security systems did not shield the agency – and taxpayers – from an international hack of this caliber is as frightening as it is reflective of the fact that the agency’s systems are simply vulnerable.  What Commissioner Koskinen should understand is that if a large bank were losing billions of dollars year after year to the same brand of fraud, the bank would do something about it to stop the bleeding.

Perhaps more than anything else, this cyber-attack reveals that stolen identity tax refund fraud is not a problem the Government can prosecute its way out of.  Resources are limited and the IRS should spend every last dime on making it harder to steal money from the Treasury by improving filters, enhancing its data security systems, and protecting taxpayers from becoming victims of identity theft – not on seeking long prison sentences for the less sophisticated identity thieves the Government can actually catch.  If resources are the issue, the IRS should ask Congress to reallocate funding to cyber-infrastructure improvements and retain a company like Google to help.

Ultimately, this may be an embarrassment to the IRS – but perhaps it can also be the beginning of improved technology, improved policies and procedures, and improved perspectives on how to combat the identity theft tax fraud epidemic.

Editor Update: TIGTA released a report today called Efforts Are Resulting in the Improved Identification of Fraudulent Tax Returns Involving Identity Theft. It discusses IRS efforts to combat identity theft.

From its press release:

TIGTA recommended that the IRS continue to evaluate clustering filters to ensure that they properly identify tax returns with multiple uses of addresses and/or bank accounts; expand identity theft filters to address filing patterns that may indicate that a tax return is related to identity theft; and outline specific actions and time frames for implementation of a process to deactivate ITINs assigned prior to Jan. 1, 2013, including ITINs assigned to individuals who are now deceased.



  1. Bob Kamman says

    Let’s be clear on the definition of “hack” and who is being hacked. There is no evidence that IRS computers have been hacked. A greater concern, to me, are the computers of the third-party software companies – some of them headquartered offshore – who collect electronic-filing data from practitioners and forward it to IRS.

    Rather, the evidence points to taxpayer identity information being “hacked” from public or less-secure private sources (like those software vendors), and then used to access IRS files. IRS allows online requests for transcripts. Nothing wrong with that. But then they deliver the information online. Why? Is there any good reason for not mailing it to the taxpayer’s last known address? If shipping and handling is a problem, charge a fee to cover expenses. It might encourage people to take better care of their tax records. And when IRS receives an address change from me — or eVerify is told that I have started a new job somewhere — send a notice to my old address to confirm it, like banks do.

    Everyone talks about IRS, but no one mentions Social Security. It’s incredibly easy to enroll in their online system. I advise my clients to enroll and create a password, just to select the option of forbidding online changes to such information as which bank account receives the monthly payment.

    For decades I was required to enter my SSN on every tax return I prepared. Eventually the IRS figured out this might be a privacy issue, and a few years later they instituted a PTIN alternative. But some of those older tax returns are still in client files, and may end up like the 1996 Target W-2 I recently found as a bookmark in a used book I bought. And how recently did IRS decide that printing full SSN’s on tax package mailing labels and 1099’s might not be such a good idea? IRS comes late to the table of privacy protection, but its computers are remarkably secure, considering the problems other federal agencies have encountered.

    I hear every two or three weeks from clients who have received phone messages from callers impersonating IRS agents. Call back, and not only money but identity information is requested. One client even received a phony notice in the mail that was an excellent counterfeit of something IRS would produce. Of course, this is not hacking. The fault lies not within IRS, but in ourselves.

  2. Virginia La Torre Jeker, J.D. says

    I understand from other readings that a private contractor was handling the website. I read a comment on this issue and felt it was worthy of repeating. I’ve paraphrased it — The contracting out of government services has gone on for years, but anecdotal evidence implicates private contractors in most cases of data breaches. Two specific examples were cited — Some years back private contractors who were supposed to input data on tax returns were shredding the returns instead (reminded me of the mailmen who dumped advertising circulars sent in the mail because it made their load too heavy to carry….). Another example was given — The website that processes 990-Ns, which is not an IRS website, was just recently compromised. The person who originally posted the comment stated her belief that it’s time Congress stopped hiding the true cost of government services by requiring they be contracted out.

Comment Policy: While we all have years of experience as practitioners and attorneys, and while Keith and Les have taught for many years, we think our work is better when we generate input from others. That is one of the reasons we solicit guest posts (and also because of the time it takes to write what we think are high quality posts). Involvement from others makes our site better. That is why we have kept our site open to comments.

If you want to make a public comment, you must identify yourself (using your first and last name) and register by including your email. If you do not, we will remove your comment. In a comment, if you disagree with or intend to criticize someone (such as the poster, another commenter, a party or counsel in a case), you must do so in a respectful manner. We reserve the right to delete comments. If your comment is obnoxious, mean-spirited or violates our sense of decency we will remove the comment. While you have the right to say what you want, you do not have the right to say what you want on our blog.

Speak Your Mind