IRS: Breach affected 2x as many taxpayers as expected

If you thought your tax information wasn’t compromised in the recent IRS breach, think again. The impact, the agency now says, was broader than initially reported.

The IRS said Monday that an additional 220,000 taxpayers had their information stolen through an IRS record-keeping application. When the agency first disclosed the breach in May, it estimated more than 100,000 individuals were affected. The number of potential victims now stands at more than 334,000.

In the breach, criminals used data stolen from other sources—including Social Security numbers, birth dates and mortgage payment details—to gain access to taxpayers’ past returns through the IRS Get Transcript application, which consumers typically use to obtain previous returns for mortgage and college loan applications. The breached records were used to file fraudulent tax returns, the IRS said in May, with nearly $50 million in refunds stolen before the agency spotted the problem.

In all, more than 610,000 fraudulent attempts were made to access consumer records through Get Transcript from February through mid-May, the IRS now says.

“The clear risk is that of identity theft,” Kevin Epstein, vice president of advanced security and governance for security management firm Proofpoint, told CNBC when the breach was first announced in late May. A tax return is a treasure trove of information that could easily be used to set up new lines of credit and other accounts in the victims’ names—and of course, to file fraudulent tax returns.

“If somebody has all this information … we may see [a] resurgence next year of fraudulent tax returns,” Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, told CNBC earlier this year.

The IRS has said it will be mailing letters to the additional 220,000 taxpayers whom criminals targeted to attempt access—an important warning, since the attempt means the would-be thieves had at least some sensitive financial information. “These hackers already had access to Social Security numbers, birth dates and identity verification information like former addresses and phone numbers,” Aaron Blau, a certified public account, said via email earlier this year. “They did not steal this information from Get Transcript; they already had it.”

The agency will provide free credit monitoring services for the additional 220,000 taxpayers. Those taxpayers’ accounts will also be flagged for potential identity theft in this tax year and future tax years, which could qualify them to use a six-digit idenitity protection PIN to verify their identity when filing.

Consumers whose accounts were involved in the attempt will need to remain vigilant, Morey Haber, vice president of technology for security management firm BeyondTrust, told CNBC earlier this year. “There are some things about your likeness that you can’t change if it’s compromised,” he said—including your Social Security number and birth date. Affected taxpayers should take advantage of the free credit monitoring offered, and watch their accounts for potential fraud.

Even if you’re not affected by this breach, signing up for a paid monitoring service is becoming a smarter move, said Epstein. Consumers might also consider reaching out to the three major credit bureaus—Equifax, Experian and TransUnion—to have a 90-day fraud alert placed on their file. That red flag requires lenders to take extra steps before opening new loans or lines of credit, although it’s not foolproof.

The more extreme action: requesting a credit freeze. That prevents anyone (including you) from opening new lines of credit. You’ll need to notify the bureaus first if you later want to apply for a new loan or credit card. “Unless you are someone who is actively, frequently applying for credit, it’s a fairly easy thing to initiate,” said Epstein. “From a security standpoint, it’s always better to have something locked and unlock it when you need it, than to leave a door unlocked.”

Another immediate risk to taxpayers at large is phishing, if other criminals take advantage of the news to send out emails telling people they’re among those compromised and asking for personal data, said Stephens. Keep in mind the IRS won’t email victims, but rather, send a letter via mail. “Taxpayers will receive specific instructions so they can sign up for the credit monitoring,” the IRS said in its announcement. “These outreach letters will not request any personal identification information from taxpayers.”

In coming years, affected taxpayers should make an effort to file their returns early, to limit the possibility of a fraudulent return being filed first, said Haber. “It just goes to diligence,” he said. “Don’t always wait until the last minute.”

While the fraud is investigated, the IRS has shut down the Get Transcript application. In the meantime, consumers who need such records can request them online to arrive via mail in five to 10 calendar days.

That could pose a slight hurdle for consumers in the process of applying for a mortgage. “It’s certainly something you’re going to want to discuss with your mortgage lender, whether this particular instance will affect your application,” Keith Gumbinger, vice president at mortgage data site, told CNBC earlier this year. Some lenders may want that IRS-confirmed tax return rather than one copied from your own records. If that’s the case, he said, consider whether you’ll need to lock in your rate for a longer period to allow time for those records to arrive through the mail.