IRS chief: assume your identity has been stolen

You’ve been told privacy is dead? It’s actually worse than that. Your identity has been reanimated as a zombie and it could be roaming about trying to do things without your consent.

That’s according to Internal Revenue Service (IRS) Commissioner John Koskinen at a recent briefing to reporters: If you are an American, you should assume that any number of cyber criminals have enough information about you to pose as you.

Koskinen was speaking on Tuesday, ahead of the agency’s annual Security Summit, about the IRS’s data security efforts heading into the 2018 tax season and, inevitably, was asked whether the mammoth, catastrophic breach at Equifax, one of the big-three credit reporting agencies, would have an effect on tax fraud.

Not even enough to notice, was the response, as reported in The Hill. “We actually think that it won’t make any significant or noticeable difference,” he said.

Why? “Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals,” he said.

Here are the numbers that matter:

There are about 250 million Americans 18 and older.

An estimated 145.5 million people were affected by the Equifax breach, in which attackers had access to names, addresses and other personally identifiable information (PII) – including information that’s difficult or impossible to change, such as Social Security numbers and dates of birth.

Meanwhile, the official IRS estimate is that more than 100 million Americans have had their PII stolen by hackers.

There’s wiggle room in both figures, but the gap between them is as much as 45 million people – more than the population of most individual European countries: almost that of Spain, more than four times that of Greece, Portugal or Sweden, and nearly 10 times that of Norway, Ireland and numerous others.

So, according to Koskinen, the reality could be much worse than the official estimate. He advised all Americans to “assume their data is already in the hands of criminals and ‘act accordingly.’”

He’s not the first one to say so, of course. Star security blogger Brian Krebs said essentially the same thing in several of the posts he filed on the Equifax breach. But Koskinen’s remark came across, at least to some privacy experts, not only as a casual dismissal of one of the most damaging breaches of the year, but also as uninformed, as if the Equifax breach were on the same level as a credit card breach.

Rebecca Herold, CEO of The Privacy Professor, called it, “simplistic and naïve.”

He apparently doesn’t realize that Equifax, and the other two major US credit reporting agencies (CRAs), possess an amount of data far beyond the other types that have been breached elsewhere – such things as job histories and associated salaries, home addresses, medical information, schools attended, and so much more.

To try and minimize a breach of this magnitude is disappointing, to say the least, from him.

Koskinen, in prepared remarks, said the agency takes tax fraud very seriously and is having some very serious success in reducing it. The Security Summit – a joint project of the IRS, state tax agencies and the private sector launched in 2015 – is a major reason for that, he said, and the improvements show up in the fraud statistics:

We’ve seen the number of identity theft-related tax returns fall by about two-thirds since 2015. Over the past two years, fewer false returns have entered the system, fewer fraudulent refunds have been issued and fewer taxpayers have reported to the IRS that they were victims of identity theft.

In the “identity theft” category, Koskinen said the number of reported victims in 2016 was 376,000, down 46% from 2015. And this year, through August, the number is 189,000, a drop of about 40% from the same period last year.

Kay Bell, self-described “tax geek” and author of the blog Don’t Mess With Taxes, complimented the IRS on 37 relatively new data filters created in conjunction with the Security Summit, which she said would readily stop a criminal even if he had a name, address and SSN. The filters, she said, make sure that “the meat of the return would be a guessing game.”

Koskinen, in his statement, said other methods of catching fraudulent returns and refunds include:

  • Stronger password protocols.
  • Working with financial institutions to flag questionable refunds.
  • A pilot program that adds a verification code to W-2 forms.

Of course, Koskinen didn’t go into much detail about what individual citizens can do to “act accordingly” once they assume their PII is already in criminal hands. That may be because, other than putting a credit freeze in place with all of the credit bureaus and monitoring their own finances, there isn’t a whole lot they can do.

As Herold put it:

All those people whose personal life data was breached at Equifax did not directly do business with Equifax, as is most often the case with those other breaches he references. There was no way the impacted individuals could have done anything to ensure Equifax had appropriate security controls in place for their associated data – they had no choice.