This is getting ridiculous.
The IRS was hacked again. This time, hackers were able to circumvent the security protocols used to prevent unauthorized use of the online system to get a tax transcript. For those of you that aren’t familiar with the concept, you can see a tax return transcript example. Basically, a tax transcript is like a school transcript. It shows a summary of all your dealings with the IRS.
It shows how much taxable income you had, what you paid in taxes, what, if anything, you owe, and so on and so forth. It also includes your name, address, and social security number. It also includes all your spouse’s information if you file jointly.
In this particular case, it seems that the hackers did not break into an IRS database, or use phony security logins. Instead, they used the online tax transcript ordering system to just order the transcripts. As the IRS notes, it does take a fair amount of personal information to be able to order a tax transcript in the first place. The gold mine for thieves might be the spousal information. Just because I have a bunch of info on one person, doesn’t necessarily mean I have the same info for their house.
The IRS has taken the ordering system offline while it tries to figure out what to do next.
The worst part of this data breach is that, unlike all those other big hacks of Home Depot, and the like that you heard about, the IRS is part of the government. As such, it has no need to offer you even the token identity theft monitoring service provided when a private company gets hacked.
People notified by the IRS that their information has been compromised will need to be extra vigilant about monitoring their credit report, which is tricky because you can only get one free credit report from each credit bureau per year. One trick is to use the system to space your credit report orders from each company by every 4 months. That way, you get some form of ongoing monitoring.
It can also be useful to sign up for a free credit monitoring service like the one provided by Credit Karma, or some credit cards or banks. These services don’t necessarily let you see your full credit report any more often, but they will send you an email alert if things start happening on your credit report. That way, you can get notification of accounts being opened in your name.
Until Congress stops being bought and paid for by big banks, and the credit bureaus, this is the best you can do.
And, maybe someday, the IRS and the rest of American business will find it in their best interest to actually use some real security to protect all of our data.