Account information for another 220,000 U.S. taxpayers may have been compromised, on top of 114,000 already exposed, IRS says

Online account information for another 220,000 taxpayers in the United States may have been compromised, the Internal Revenue Service (IRS) said on Monday, just three months after criminals gained unauthorized access to information on approximately 114,000 tax accounts through the agency’s “Get Transcript” application.

In May, the IRS confirmed that “criminals used taxpayer-specific data acquired from non-IRS sources” to gain access to Social Security information, date of birth and street address.

“These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer,” the IRS said in a press release at the time. “The IRS will provide free credit monitoring services for the approximately 100,000 taxpayers whose accounts were accessed. In total, the IRS has identified 200,000 total attempts to access data and will be notifying all of these taxpayers about the incident.”

At the time, the IRS said that “these attempts were quite complex in nature and appear to have started in February and ran through mid-May.”

On Monday, the agency said in a statement that it had conducted an “extensive review covering the 2015 filing season” to assess whether further suspicious activity occurred. Following the review of more than 23 million uses of the Get Transcript system, the IRS identified more “questionable attempts to obtain transcripts using sensitive information already in the hands of criminals.”

The statement said that the IRS will begin mailing letters in the next few days to about 220,000 taxpayers “where there were instances of possible or potential access to ‘Get Transcript’ taxpayer account information.” As an additional protective step, the IRS will also be mailing letters to approximately 170,000 other households alerting them that their personal information could be at risk, even though identity thieves failed in efforts to clear the authentication processes, the statement said.

When the IRS first identified the problem in May, it determined that these third parties cleared the Get Transcript verification process on about 114,000 total attempts. In addition, third parties made another 111,000 attempts that failed to pass the final verification step, meaning they were unable to have access to account information through the Get Transcript service.

“The IRS believes some of this information may have been gathered for potentially filing fraudulent tax returns during the upcoming 2016 filing season, so anyone receiving a letter should take steps to protect themselves by taking advantage of the free credit monitoring and IP PIN which can be used to verify the authenticity of next year’s tax return,” the IRS advised.

The “Get Transcript” application was shut down in May, and the IRS continues to work on strengthening the system.

The matter remains under review by the Treasury Inspector General for Tax Administration as well as IRS’ Criminal Investigation Division.