Hack Brief: Last Year's IRS Hack Was Way Worse Than We Realized

Last May, the IRS said 114,000 accounts were compromised. Now it's revealed that the real number is actually over 700,000.
The IRS building in Washington May 2015.
Jonathan Ernst/Reuters

When the IRS first reported a hack that exposed taxpayer accounts' vulnerable information, it pegged the number of affected people at a little over 100,000. Today, in its second upward revision, the number of affected people now stands at over 700,000.

The Hack

As WIRED originally reported last spring, the hack gave attackers access to entire tax returns, which means people's social security numbers, address, and incomes were all compromised. The hackers used personal information already in hand to get unauthorized access through an IRS application called “Get Transcript.”

In other words, much of the information had already been acquired, including SSNs and dates of birth. “Get Transcript” has been offline since the first indications of a breach last May.

Who’s Affected

The initial IRS report indicated that 114,000 accounts had been compromised. It revised that number last August, raising it to 334,000. On Friday, the IRS added another 390,000 accounts to the pile, for a total of well over 700,000 people. There have also been a total of 500,000 targeted, but failed, attempts at access.

The IRS will begin mailing affected taxpayers from this most recent batch starting February 29th. If you’re one of them, you also qualify for free Equifax identity theft protection for one year, and “extra scrutiny” on tax returns associated with your SSN.

How Serious Is This?

In terms of the type of information that’s been compromised, it’s no worse than it was last May. That’s still plenty bad, though; if there’s information about yourself you might consider sensitive, it’s probably on your tax return somewhere.

What’s more serious at this point is the extent to which the IRS underestimated the severity of the breach. It’s been nearly a year. That’s a long time for 390,000 people to have been vulnerable but not know it.

The revelations come at the end of a nine-month investigation by the Treasury Inspector General for Tax Administration, which hopefully means that it’s the last of upward revisions. The IRS also notes that not all of these cases necessarily involve malevolent actors.

“TIGTA investigators identified suspicious email addresses that made multiple attempts to access accounts,” the agency said in a statement today. “It is possible that some of those identified may be family members, tax return preparers, or financial institutions using a single email address to attempt to access more than one account.”

For now, just keep an eye on your mailbox next week. And if you have a notice from the IRS, brace yourself for the very real possibility of identity theft.