Most Recent IRS International Hacking Reveals Vulnerability

As I discussed in yesterday’s post on proposals to expand the EITC, identity theft is a growing problem for IRS and the economy overall. In today’s guest post we hear from Justin Gelfand.  

Justin is a former federal prosecutor who is currently in private practice at the Capes Sokol Goodman and Sarachan law firm in in St. Louis, Missouri.  In 2013, Gelfand received the Attorney General’s Award for Fraud Prevention for his work on stolen identity tax refund fraud.  Justin has both prosecuted and defended criminal tax cases in districts throughout the United States. I heard Justin’s thoughtful presentation on the topic of identity theft at the recent ABA Tax Section meeting and asked him if he would share his views with our readers. Justin intends to discuss this growing problem and his ideas regarding solutions in greater detail in future posts. Les

According to national reports, hackers allegedly stole the personal data of approximately 100,000 taxpayers from the IRS’s computer system.  The most recent investigative report from CNN reveals the IRS believes the cyber-attack has links to Russia.  In the coming days, weeks and months, federal law enforcement will no doubt do everything it can to detect who is behind this alleged cybercrime and, if possible, to bring charges against those allegedly responsible.

As the IRS continues to combat stolen identity tax refund fraud, an epidemic that costs the Government more than $5 billion per year, the significance of this cyber-attack cannot be overstated: it is game-changing.  At a minimum, if the latest news coverage is accurate, it is crystal clear that international hackers successfully infiltrated the IRS’s computer system to steal legally-protected and extremely sensitive taxpayer information.  This information must inevitably threaten the IRS’s filters in place to detect fraudulent tax returns filed in the names of stolen identities.  After all, if the IRS is looking at a taxpayer’s prior tax returns, the hackers now have that information.


The IRS’s response: “We’re confident that these are not amateurs,” IRS Commissioner John Koskinen said.  “These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”

The IRS’s response is fair in some respects – cybercriminals have perpetrated attacks against large retail stores and small businesses.  But the difference between the IRS’s identity theft epidemic and the private sector is that no other private company or government agency continues to lose more than $5 billion year after year to the same crime.  That the IRS’s data security systems did not shield the agency – and taxpayers – from an international hack of this caliber is as frightening as it is reflective of the fact that the agency’s systems are simply vulnerable.  What Commissioner Koskinen should understand is that if a large bank were losing billions of dollars year after year to the same brand of fraud, the bank would do something about it to stop the bleeding.

Perhaps more than anything else, this cyber-attack reveals that stolen identity tax refund fraud is not a problem the Government can prosecute its way out of.  Resources are limited and the IRS should spend every last dime on making it harder to steal money from the Treasury by improving filters, enhancing its data security systems, and protecting taxpayers from becoming victims of identity theft – not on seeking long prison sentences for the less sophisticated identity thieves the Government can actually catch.  If resources are the issue, the IRS should ask Congress to reallocate funding to cyber-infrastructure improvements and retain a company like Google to help.

Ultimately, this may be an embarrassment to the IRS – but perhaps it can also be the beginning of improved technology, improved policies and procedures, and improved perspectives on how to combat the identity theft tax fraud epidemic.

Editor Update: TIGTA released a report today called Efforts Are Resulting in the Improved Identification of Fraudulent Tax Returns Involving Identity Theft. It discusses IRS efforts to combat identity theft.

From its press release:

TIGTA recommended that the IRS continue to evaluate clustering filters to ensure that they properly identify tax returns with multiple uses of addresses and/or bank accounts; expand identity theft filters to address filing patterns that may indicate that a tax return is related to identity theft; and outline specific actions and time frames for implementation of a process to deactivate ITINs assigned prior to Jan. 1, 2013, including ITINs assigned to individuals who are now deceased.