As Data Breach News Gets Worse, IRS Scrambles to Give New PINs to Those Affected

IRS Commissioner John Koskinen on July 31, 2014 in Miami, Florida.

Photo by Joe Raedle/Getty Images

On Monday, the Internal Revenue Service released a grim update about a data breach on its systems first disclosed in May. The agency had originally said that hackers successfully compromised data for 114,000 taxpayers and attempted to access the data of 111,000 others. But after “an extensive review,” the IRS concluded that an additional 220,000 taxpayers were directly affected and 170,000 more were at risk.

Taking this into account, the new totals are roughly 334,000 people affected and 281,000 at risk. So, yeah, things are even worse than they seemed in May.

The breach occurred in a system that stored data from old tax returns called Get Transcript. The agency said in a statement, “The IRS takes the security of taxpayer data extremely seriously, and we are working to continue to strengthen security for ‘Get Transcript’, including by enhancing taxpayer-identity authentication protocols.”

The IRS’s outreach efforts include providing free credit protection for people involved in the breach, but the agency is also offering an additional layer of authentication in the form of “Identity Protection PINs.” Even before this data breach, the IRS was dealing with a significant uptick in tax fraud for refunds and had started developing the IP PIN program over the last few years.

Once a year in the lead-up to tax season, the IRS sends a six-digit IP PIN to taxpayers who are dealing with identity theft or may be at risk for it. Along with a social security number or taxpayer ID number, forms have a field for adding an IP PIN, which is required for people who have been issued one. The advantage is that a crook who has your SSN probably doesn’t also have your IP PIN, and the number resets every year so it’s harder to track down. The IRS does allow people to look up their IP PINs online, though, so if that system were compromised, the measure would obviously be less effective. But given government agencies’ overall lack of movement on finding replacements for social security numbers, the IP PIN program seems productive.

Along with the 1.7 million people who already have these additional numeric codes, everyone involved in the data breach will receive them. “While the IRS has made considerable progress in this area, more work remains,” the agency wrote in January. “Fighting identity theft is an ongoing battle as identity thieves continue to create new ways of stealing personal information and using it for their gain.” Ongoing is definitely the key word.