IRS investigators believe the identity thieves who stole the personal tax information of more than 100,000 taxpayers from an IRS website are part of a sophisticated criminal operation based in Russia, two officials told the Associated Press.
The information was stolen as part of an elaborate scheme to claim fraudulent tax refunds, IRS Commissioner John Koskinen told reporters. Koskinen declined to say where the crime originated.
But two officials briefed on the matter said Wednesday the IRS believes the criminals were in Russia, based on computer data about who accessed the information. The officials spoke on condition of anonymity because they were not authorized to publicly discuss the ongoing criminal investigation.
An IRS spokeswoman said Wednesday the agency couldn’t comment on the investigation.
The revelation highlights the global reach of many cyber criminals. And it’s not the first time the IRS has been targeted by identity thieves based overseas.
In 2012, the IRS sent a total of 655 tax refunds to a single address in Lithuania, and 343 refunds went to a lone address in Shanghai, according to a report by the agency’s inspector general. The IRS has since added safeguards to prevent similar schemes, but the criminals are innovating as well.
The information was taken from an IRS website called “Get Transcript,” where taxpayers can get tax returns and other tax filings from previous years. In order to access the information, the thieves cleared a security screen that required detailed knowledge about each taxpayer, including their Social Security number, date of birth, tax filing status and street address.
The IRS believes the criminals originally obtained this information from other sources. They were accessing the IRS website to get even more information about the taxpayers, which would help them claim fraudulent tax refunds in the future, Koskinen said.
The thieves have already used some of the information to claim as much as $50 million in fraudulent tax refunds, Koskinen said.
“We’re confident that these are not amateurs,” Koskinen said. “These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”
The IRS believes the thieves started targeting the website in February. Technicians discovered the breach about two weeks ago, when they noticed an increase in the number of taxpayers seeking transcripts. The website was shut down last week.
Congress is demanding answers about how identity thieves were able to steal the information.
The Senate Finance Committee has scheduled a hearing for Tuesday. Koskinen and J. Russell George, the Treasury inspector general for tax administration, are scheduled to testify.
“When the federal government fails to protect private and confidential taxpayer information, Congress must act,” said Sen. Orrin Hatch, R-Utah, chairman of the Finance Committee. “Taxpayers deserve to know what happened at the IRS regarding the data theft, and this hearing will be the first step of many that the committee takes to determine what happened and how the government can prevent such attacks from happening again.”
Hatch also requested a confidential briefing by IRS officials. He said he wants to know where the scheme originated, and whether the IRS can link it to any other breaches at other organizations.
Identity thieves, both foreign and domestic, have stepped up their efforts in recent years to claim fraudulent tax refunds. The agency estimates it paid out $5.8 billion in fraudulent refunds to identity thieves in 2013.
In April, Hatch and Sen. Ron Wyden, the top Democrat on the Finance Committee, quietly launched an investigation into how online tax preparers and prepaid debit card providers screen to prevent identity thieves from stealing tax refunds. Hatch publicly disclosed the investigation Wednesday in a letter to Koskinen.
The IRS said it is notifying taxpayers whose information was accessed, and is providing them with credit monitoring services.
The IRS has launched a criminal investigation, and the inspector general is also investigating.