Criminals that stole personal taxpayer information from an IRS website are based around the world, the agency’s commissioner and a federal watchdog said Tuesday.
John Koskinen, the IRS commissioner, and Russell George, the Treasury inspector general for tax administration, both told a Senate Finance hearing that the hackers who stole previous tax returns for 104,000 taxpayers weren’t based solely in Russia.
{mosads}“Our experience with the criminal syndicates we’re dealing with is that they do not get limited by national boundaries. They are, in fact, operating globally,” Koskinen said. “They are located and headquartered oftentimes in one country or another. But they are not constrained by those geographic locations.”
News outlets had reported that those responsible for the data breach were based in Russia. But George made clear that just some of the criminals were based there, even as he gave few details on the thieves’ other locations.
That discussion came during the first congressional hearing examining the theft of 104,000 taxpayers’ records, through a website that allows people to access records from previous years.
To gain access to the records, the criminals needed so-called “out of wallet” information, like monthly mortgage or car payments, in addition to a taxpayer’s Social Security number and date of birth. That information was used to file around 13,000 fraudulent returns this year, or roughly one-eighth of the number of compromised taxpayers.
During Tuesday’s hearing, Koskinen made sure to note that the criminals had not hacked the IRS’s main systems, which process tax returns.
The IRS chief added that his agency is far from the only government office that has fallen prey to this sort of attack, and that private companies are battling similar issues.
In fact, Koskinen said that the IRS would announce a new partnership with tax software companies this month, aimed at battling identity theft. One of the issues the companies and the IRS were discussing even before the recent breach, Koskinen said, was bolstering authentication processes.
“The criminals continue to become more sophisticated and creative,” Koskinen said. “We all agreed to build on our cooperative efforts of the past and find new ways to leverage this public-private partnership to help battle identity theft.”
Still, George said that the IRS deserved at least some of the blame for not stopping the criminals, noting that the agency hadn’t completed dozens of security upgrades recommended by the inspector general. If the agency had made those upgrades, George said, the criminals would have at least had a more difficult time obtaining the taxpayer information.
“More avenues for online assistance also means more opportunities for exploitation by hackers and greater risk to the IRS and taxpayers,” George said.
Koskinen pushed back on the idea that the IRS would have been in a better position to stop the incident if it had made the changes recommended by George.
The IRS chief also said that the agency is doing the best it can to beef up cybersecurity measures, even as it faces ever-dwindling budgets.
Koskinen noted that budget cuts weren’t the cause of the most recent incident. But both he and George acknowledged that the IRS faced a broader problem of trying to balance taxpayer access to information, and security.
“In many ways, this event is a shot across the bow to remind people the nature of the battle we’re fighting and the sophistication of the enemy,” Koskinen said.