(Bloomberg) -- Identity thieves stole information on 104,000 U.S. taxpayers from the IRS website and used the data to file fake tax returns that yielded as much as $50 million in refunds, agency Commissioner John Koskinen said.

The thieves had enough personal information on the taxpayers to get past security filters on the “Get Transcript” function on the Internal Revenue Service’s website, Koskinen said Tuesday on a conference call with reporters.

That allowed them to gain access to past tax returns, which contain the information they would need to file convincing fake returns.

“We’re confident that these are not amateurs, that these actually are organized crime syndicates,” Koskinen said.

The problem is another setback for the beleaguered tax agency, which had been encouraging taxpayers to use its online services to relieve the burden on its jammed toll-free telephone lines.

The amount stolen relatively small compared with the broader wave of tax-refund identity theft the IRS has fought for several years. In 2011 alone, the IRS paid out $3.6 billion in potentially fraudulent refunds, according to its inspector general.

Still, the breach unusual because the thieves gained access directly through the IRS.

The activity occurred from mid-February through May. The IRS removed the Get Transcript function from its website last week and started a criminal investigation.

“We won’t put it back up until we’re satisfied that we’ve improved the security,” Koskinen said.

School Mascot

The Get Transcript function allowed taxpayers who provided identifying information to access their past tax returns without calling the IRS or visiting the agency in person. In addition to Social Security numbers and addresses, they had to provide “out-of-wallet” information, such as their high school mascot or the type of car they once owned, Koskinen said.

Some of that information is widely available on social media, Koskinen said, adding that investigators are still examining exactly what happened.

The transcript is particularly valuable for identity thieves trying to steal a tax refund, because they can file a fake return that mimics the real taxpayer’s income and deductions and directs a refund to their own debit card. Such a return, Koskinen said, has a better chance of skating past the agency’s computerized filters that flag anomalies.

Even with Social Security numbers, he said, “What you don’t have is enough data to make the false data look like what the real return would be.”

‘Devastating Breach’

Senate Finance Committee Chairman Orrin Hatch, a Utah Republican, said his panel is working with the IRS to determine how the “devastating breach” could occur.

“That the IRS -- home to highly sensitive information on every single American and every single company doing business here at home -- was vulnerable to this attack is simply unacceptable,” Hatch said in a statement. “This agency has been repeatedly warned by top government watchdogs that its data security systems are inadequate against the growing threat of international hackers and data thieves.”

The IRS didn’t provide a minimum amount that the identity thieves received in refunds.

The IRS is providing credit-monitoring services to the people affected. Those taxpayers, along with another 100,000 taxpayers whose data the thieves tried and failed to breach, will receive letters from the IRS explaining what happened.

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.