IRS data thieves said based in Russia

Senate panel to hold hearing on breach affecting more than 100,000 taxpayers

WASHINGTON -- IRS investigators believe the identity thieves who stole the personal tax information of more than 100,000 taxpayers from an IRS website are part of a sophisticated criminal operation based in Russia, two officials said Wednesday.

The information was stolen as part of an elaborate scheme to claim fraudulent tax refunds, IRS Commissioner John Koskinen said. Koskinen declined to say where the crime originated.

But two officials briefed on the matter said Wednesday that the IRS believes the criminals were in Russia, based on computer data about who accessed the information. The officials spoke on condition of anonymity because they were not authorized to publicly discuss the ongoing criminal investigation.

An IRS spokesman said Wednesday that the agency couldn't comment on the investigation.

The revelation highlights the global reach of many cybercriminals. And it's not the first time the IRS has been targeted by identity thieves based overseas.

In 2012, the IRS sent 655 tax refunds to a single address in Lithuania, and 343 refunds went to a lone address in Shanghai, according to a report by the agency's inspector general. The IRS has since added safeguards to prevent similar schemes, but the criminals are innovating as well.

The information was taken from an IRS website called Get Transcript, on which taxpayers can get tax returns and other tax filings from previous years. In order to access the information, the thieves required detailed knowledge about each taxpayer, including the Social Security number, date of birth, tax-filing status and street address.

Through the tool, about 200,000 attempts were made to steal taxpayers' previous tax returns between February and mid-May. About half of those attempts were successful, giving criminals enough details to file fraudulent tax returns that look much more like one the taxpayer would file.

The thieves have already used some of the information to claim as much as $50 million in fraudulent tax refunds, Koskinen said.

The IRS believes the thieves started targeting the website in February. Technicians discovered the breach about two weeks ago, when they noticed an increase in the number of taxpayers seeking transcripts. The website was shut down last week.

Congress is demanding answers about how identity thieves were able to steal the information.

The Senate Finance Committee has scheduled a hearing Tuesday. Koskinen and J. Russell George, the Treasury inspector general for tax administration, are scheduled to testify.

"When the federal government fails to protect private and confidential taxpayer information, Congress must act," said Sen. Orrin Hatch, R-Utah, chairman of the Finance Committee. "Taxpayers deserve to know what happened at the IRS regarding the data theft, and this hearing will be the first step of many that the committee takes to determine what happened and how the government can prevent such attacks from happening again."

Hatch also requested a confidential briefing by IRS officials. He said he wants to know where the scheme originated and whether the IRS can link it to any other breaches at other organizations.

Identity thieves, both foreign and domestic, have stepped up their efforts in recent years to claim fraudulent tax refunds. The agency estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013.

The IRS said it would notify taxpayers by mail if it appeared that criminals downloaded, or attempted to download, their tax transcripts. Anyone whose files were accessed would be offered a year of credit-monitoring services by the agency.

The IRS has started a criminal investigation, and the inspector general is also investigating.

Some of the identity-theft victims from the most recent IRS hack are being offered a secure PIN from the agency that they will need to use to file their returns going forward. The PINs, normally offered to people whose tax refunds have been stolen, are given to taxpayers after their identities have been verified.

Information for this article was contributed by Stephen Ohlemacher of The Associated Press and by Jonnelle Marte of The Washington Post.

A Section on 05/28/2015

Upcoming Events