And you thought tax season was stressful.
This week the IRS discovered it had experienced a data breach, according to the AP. Hackers stole the information of more than 100,000 people through an online system provided by the agency called "Get Transcript" that lets users view their previous tax returns and other filings. The system was targeted from February to May of this year, with about 200,000 attempts made by the hackers to get the information from the system.
To get into the system, the hackers had to know taxpayers' birthdates, tax filing status, address, Social Security numbers and additional personal security questions. Tax returns often have the information of not only the person filing but of their dependents as well.
“We’re confident that these are not amateurs but organized crime syndicates that not only we, but others in the financial industry are dealing with,” said IRS Commissioner John Koskinen.
Koskinen said in a press conference this week that the "Get Transcript" system had been shuttered for the time being. While this application was hacked, the agency's main computer wasn't affected. The organization estimates that it has processed "fewer than $15,000" of the fraudulent tax returns filled out with this stolen information, leading to $50 million in refunds.
In a statement yesterday, the agency said that it will be sending letters to all 200,000 people involved in the hack (whether the account was breached or access was only attempted). It is also offering free credit monitoring for those whose information was stolen. The IRS' criminal investigation unit and the treasury inspector general for tax administration are conducting investigations into the breach, and Congress will likely begin holding hearings soon.
You’ve heard the expression, “Locks were made to keep honest people honest.” The same may be said for identity theft protection.
You can do everything within your power to keep your information private, but hackers and criminals intent on stealing and using your identity are also intent on finding a way to make it happen. They’re crafty. They're persistent.
That doesn’t mean you shouldn’t take steps to protect your personal information. It just means you also need to be persistent about protecting your information and become aware of the steps to take if your information is compromised. Such knowledge will allow you to act quickly, and possibly stem the damage.
1. Shred old tax records. Tax records should be kept for at least three years in a secure location inside the home. When disposing of a tax return, be sure to use a paper shredder. Also, if you plan to sell or discard your computer, keep in mind that electronic files may remain on the computer’s hard drive even after you have deleted them.
2. Be suspicious of “IRS” phone calls. The IRS has warned repeatedly about pervasive phone scams. Do not fall victim by giving out personal information over the phone, even if the caller seems legitimate. Take a phone number, then contact the IRS on your own or have your tax preparer check with the IRS on your behalf.
3. Be wary of phishing scams. Emails claiming to come from the IRS and requesting personal information likely are fraudulent. The IRS typically initiates contact with taxpayers via U.S. mail. If you receive an email alleging that it comes from the IRS, don’t click the link. Call the IRS and verify the communication yourself, or have your tax preparer check on your behalf.
4. Check your credit. Review your credit report at least once a year. There are many sites that promise to give you a credit report, but www.annualcreditreport.com is the only site authorized by federal law that provides a free report annually.
5. Protect your electronic information. If you do your taxes online, make sure your home computers have security software, with firewalls and other protections, that updates regularly. Use strong passwords and change them regularly. Resist the urge to use a public computer or public Wi-Fi when dealing with sensitive personal data.
If you fear that your personal information has been compromised, the first step to take is to submit an identity theft affidavit. By submitting this affidavit, also known as Form 14039, you'll be helping the IRS mark your account to identify questionable activity. This is a good choice if your personal information, such as your Social Security number and birthdate, has been revealed as part of a data breach.
The next step will be to request a fraud alert, which lasts 90 days. An alert allows creditors to access your credit report only if they can verify your identity. The alert is a free service. Once you’ve placed one, you are entitled to a free credit report from each of the three credit reporting companies. Review your reports and, if you see issues, contact the businesses where the fraud has taken place. Then follow up with a letter sent by certified mail, in line with the Federal Trade Commission's advice.
If you know your personal information has been compromised, see if you are eligible for an Identity Protection PIN (IP PIN). The IRS has limits on who can obtain an IP PIN, according to specific criteria. For example, you must have received an IP PIN in the past, received IRS notice CP01A or CP01F, or filed your last tax return as a resident of Florida, Georgia or Washington, D.C.
If you cannot receive an IP PIN, submit an Identity Theft Affidavit. The IRS recommends that you then file a police report or an FTC complaint, or contact one of the three credit bureaus, as well as contact your bank to close any and all accounts.
Don’t forget that your tax preparer can assist you if you do become a victim of identity theft. Your preparer should be able to provide you with copies of your past tax returns to help you prove your identity, as well as help you manage any IRS correspondence and work with you through this long and sometimes difficult process.
CBS News (06/24/15) Schupak, Amanda
FBI investigators have been looking into a hack of the Houston Astros' internal database and have focused on a group of employees from the St. Louis Cardinals front office. The New York Times reported that whoever accessed the network appeared to have done so by logging in as either Astros general manager Jeff Luhnow or one of his top advisers, Sig Mejdal, both of whom were previously with the Cardinals. The Times stated that the intruder or intruders "examined the Cardinals' network and determined the passwords that Luhnow and Mejdal had used when they were with the Cardinals. Using those passwords, they gained access to the Astros' network." Using the same password to log into different sites means that a hacker only has to guess a password once to gain access to multiple accounts. Michael DeCesare, president and CEO of ForeScout Technologies, said consumers must understand that hackers that try "to steal our identity are looking for the weakest link." He added that if you are on a public Wi-Fi, do not go onto your bank account, check Facebook or Twitter, but stay away from sensitive accounts.
Help Net Security (07/27/15)
Fujitsu recently found only 7 percent of employees rate their business data higher than their personal information, highlighting the fact that employees do not understand the value of data. The report estimated 52 percent of employees admitted they value their own data more than their work data, and 43 percent either somewhat or completely agree they have no idea of the value of business data. In addition, 89 percent of consumers trust the security of personal emails over work emails. Although 58 percent of employees understand the risks associated with identity theft, more needs to be done from both organizations and employees, according to the report. "With one in three [30 percent] employees agreeing that they worry more about losing personal data than business data, organizations have a challenge on their hands," says Fujitsu's Andy Herrington. He notes educating employees about the value of and how to protect their personal data is a good starting point for organizations.
Wall Street Journal (07/29/15) Simon, Ruth
In what is known as “corporate account takeover” or “business email fraud,” many cybercriminals use publicly available information and flawed email systems to trick businesses into transferring money into fraudulent bank accounts. Malicious computer software can allow criminals to collect passwords to email systems, and then to falsify wire-transfer instructions. Although companies of all sizes have been targeted by these scams, small businesses are especially vulnerable because they lack the budget for security and investigations. Some insurers now offer “social engineering fraud” coverage as an add-on to standard crime policies. The schemes cost companies more than $1 billion from October 2013 through June 2015, the FBI reports, based on complaints from businesses in 64 countries. A recent advisory says that the FBI's Dallas office identified six Nigerians who had targeted about 25 local companies with emails that appeared to come from the companies' high-level executives. A spokeswoman for Nacha, the industry-run group overseeing ACH transactions, says that businesses are strongly advised to “work together with their financial institutions to understand and use sound business practices to prevent and mitigate the risk of corporate account takeover.”