The IRS revealed in a statement on Monday that the number of users affected by the data breach in its “Get Transcript” Web app is far greater than initially reported.
When word of the breach first broke in May, it was thought to have compromised the personal information of roughly 114,000 taxpayers whose accounts were accessed and, potentially, an additional 111,000 where infiltration attempts failed at the final verification step (the IRS uses multi-factor verification, so in these cases the thieves bypassed some, but not all, of the security measures).
However, the IRS has conducted further review of the incident over the past few months and found additional breaches. As a result, it will be sending out letters to a further 220,000 taxpayers whose account information may have been improperly accessed via “Get Transcript.” In addition, the IRS will be sending about 170,000 letters to other households whose information may have been compromised even though potential identity thieves failed to access the system. These additions bring the total affected up to an estimated 600,000 people.
On top of the mailings, the IRS claims that it’s taking extra measures to protect those who made use of the “Get Transcript” application, mainly by offering taxpayers free credit protection and issuing them identity-protecting PINs. The app was shut down in May, but the IRS plans to return it to service, so the agency is continuing to work to strengthen the system. No prospective date for its return has been given.
The IRS is quick to stress that the breach began with unauthorized third parties gathering sufficient personal information about taxpayers from sources outside of the IRS system (presumably through the typical avenues of identity theft, though the IRS doesn’t hazard a guess) to allow them to clear the “Get Transcript” security checks. Further, given the uncertainty of determining whether access was fraudulent or not, a number of these results may be false positives and simply reflect a taxpayer accessing his own account under unusual circumstances.
Finally, the statement urges vigilance, as the IRS believes some of the stolen information was gathered with the intention of using it to file fraudulent returns during the upcoming 2016 filing season. So, anyone receiving a letter should pursue every possible avenue to insulate against the possibility of such a wrongful filing, including availing themselves of the aforementioned identity verification tools.
The true consequences of this breach have yet to be seen.