Using stolen data, cyber-criminals have accesses past tax returns for more than 100,000 people. How did they do it? They gained access to IRS records through an application on the IRS website. The IRS sent the criminals about $50 million in refunds before it detected the fraud.
Cybercrime related to falsified tax claims is a growing challenge for the IRS. In 2013, the IRS paid $5.8 billion in fraudulent refunds.
"We're confident that these are not amateurs," John Koskinen, the IRS commissioner, told the New York Times. "These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with." It is not clear if the criminals were working from inside the US or outside.
The cyber-criminals completed a multistep authentication process to request tax information. To get through the authentication process, they used social security numbers, birth dates, and addresses.
The "Get Transcript" application on the IRS website has been temporary suspended while the IRS investigates the breach. Taxpayers can still access old tax record by mail.
The IRS has sent letters to those whose accounts have been compromised by the recent breach and is offering free credit monitoring.
What can an average person do to protect themselves? Some experts feel that it is a losing battle.
"Your information has already been out there for years, available to anyone who wants to pay a couple dollars," Brian Krebs, a security blogger, told the New York Times.
Others suggest a few strategies to make things a little harder for cybercriminals:
1. Turn on multifactor authentication.
2. Change your passwords again.
3. Forget about security questions. They are easy for hackers to guess. Use alternative passwords instead.
4. Monitor your credit.
5. Freeze your credit if you think your identity may have been compromised.