IRS Turns Hacked Application Back On -- This Time with Added Security Features

The Internal Revenue Service headquarters building in Washington.

The Internal Revenue Service headquarters building in Washington. J. David Ake/AP File Photo

The announcement came just a day before the release of a new report that revealed the IRS did not identify all taxpayers whose sensitive tax information may have been improperly accessed by cybercriminals.

The Internal Revenue Service announced Tuesday that an online application exploited by fraudsters last year and yanked offline is available again -- with added security features.

If taxpayers want to use the “Get Transcript” feature to download prior years’ tax returns, they’ll have to provide more detailed financial information -- such as a credit card number in their name -- and they’ll receive codes texted to their cellphones to confirm their identities.

The announcement came just a day before the release of a new report from the agency’s inspector general, which revealed the IRS did not identify or offer assistance to all taxpayers whose sensitive tax information may have been improperly accessed by cybercriminals.

All told, tax information on 390,000 taxpayers was potentially exposed to hackers, the IRS has said, while hundreds of thousands of additional accounts were targeted.

Taxpayers who want to use the revamped application to download tax transcripts will now receive email confirmation codes, which they’ll have to enter along with their Social Security number, date of birth and some tax-related questions. Taxpayers will have to provide some financial account information, such as the last eight digits of a credit card number or a home mortgage account number. Users will also have to provide a cellphone number to receive a six-digit activation code via text message to activate their accounts.

The IRS worked with the U.S. Digital Service to patch up the security of the application. The White House’s tech fix-it squad was created in 2014 in the aftermath of the debacle to help turn around bungled federal IT projects. The IRS says the new sign-on measures meet security standards developed by the National Institute of Standards and Technology.

Part of the problem with the old system was that it used what is known as “knowledge-based authentication” -- asking your mother’s maiden name, for example, or the street you grew up on or your favorite movie. The answers to those questions can frequently be found by savvy hackers on social media or simply guessed, especially as they amass tons of information from previous hacks.

“Criminals are becoming increasingly sophisticated and continue to gather vast amounts of personal information as the result of data breaches at sources outside the IRS,” IRS Commissioner John Koskinen said in a statement. "In the face of that threat, we must provide the strongest possible authentication processes, while trying to enhance the ability of taxpayers to legitimately access their data and use IRS services online.”

However, because of the enhanced security features, some legitimate users may find it more difficult to access the service, the agency acknowledged. Taxpayers can still order copies of their transcripts via phone or online.

“The incident with Get Transcript Online illustrates a wider truth about identity theft in general, which is that there are no perfect systems,” Koskinen said. “No one, either in the public or private sector, can give an absolute guarantee that a system will never be compromised.”

In a May 16 IG report, publicly posted online today, auditors say the IRS botched initial efforts to identify and offer assistance to taxpayers affected by the Get Transcript breach.

After initially estimating information from 100,000 taxpayer accounts had been exposed, the IRS repeatedly revised the estimate upward. Earlier this year, based on input from a preliminary IG audit, the agency acknowledged fraudsters had actually potentially accessed some 390,000 taxpayer accounts. An additional 295,000 accounts were targeted but not successfully downloaded.

Overall, the IG’s review, which was conducted between June 2015 and January of this year, uncovered about 620,000 users whose tax information involved potentially unauthorized access not previously identified by the IRS.

The IG also said the agency didn’t place “identity theft markers” on the tax accounts of some 3,200 of the taxpayers initially identified as victims of the breach. Those markers would have alerted IRS employees assisting taxpayers those accounts were affected by the breach.

In a response to the audit, Debra Holland, commissioner of the agency’s wage and investment division, thanked the IG for helping identify all affected taxpayers, noting IRS resources at the time “were stretched thin in identifying and assisting the affected taxpayers.”