The cyberattack on U.S. taxpayer data reported by the Internal Revenue Service earlier this year now appears to be much worse than originally thought, the agency announced Monday, with as many as 300,000 citizens now believed to be potential victims.
Whereas in May the IRS reported that sensitive information of about roughly 100,000 taxpayers had been stolen by thieves through its "Get Transcript" online application, its latest estimates more than double that number. It's now believed that the thieves potentially gained access to more than 300,000 taxpayer accounts after attempting to breach more than 600,000.
To gain access to the information, the thieves first stole information including Social Security details, dates of birth and street addresses from an outside, non-IRS source. They then used that information to clear a multistep authentication process in the app and access personal tax data on the IRS site.
The Get Transcript app was shut down in May.
In the next few days, the IRS will begin notifying the 220,000 or so newly affected taxpayers. It will also send notifications to approximately 170,000 other households whose personal information could be at risk even though the thieves apparently failed in their efforts to access it through the IRS system.
The IRS is offering free credit protection and "Identity Protection PINs" to those affected.
“The IRS takes the security of taxpayer data extremely seriously," the agency said. "We are working to continue to strengthen security for `Get Transcript,’ including by enhancing taxpayer-identity authentication protocols.”
The breach remains under review by the Treasury Inspector General for Tax Administration as well as the IRS Criminal Investigation unit.