A cyberattack on the IRS may have been 7 times larger than the agency initially reported


Individual Income Tax Returns IRS 1040 Forms

REUTERS/Mike Segar

A U.S. 1040A Individual Income Tax form.

A cyberattack targeting the Internal Revenue Service (IRS) may have allowed hackers to access 724,000 taxpayer accounts.


When the IRS first reported the attack in May last year, the agency claimed that criminals had used credentials obtained from "non-IRS sources" to successfully access about 114,000 "Get Transcript" accounts.

Attempts on an additional 111,000 attempts were unsuccessful.

The attack was believed to have started in February 2015 and continued into May. Subsequently, the online "Get Transcript" service was shut down "temporarily" at the time and has been available only by mail since then.

In August, the IRS said that further review of the attack, over a "wider time period," revealed an additional 220,000 accounts may have been accessed and that an additional 170,000 were unsuccessfully attacked.


Friday's statement, which comes after a nine-month Treasury Inspector General for Tax Administration investigation of activity in the period from January 2014 (when Get Ranscript was lauched online) to May 2015, revealed that a further 390,000 accounts had been potentially accessed, with an additional 295,000 unsuccessfully attacked. This report marks the second time that the figure has been more than doubled.

The IRS will be contacting those potentially affected by the attack.

While the IRS statements have emphasized that the access is to the agency's transcript service, not its "core taxpayer accounts," transcripts contain information similar to what would be on a tax return, the IRS told Business Insider in a phone call on Friday.

The New York Times reported in May that the IRS paid almost $50 million in fraudulent returns as a result of the attack. That cost estimate reflects only the earliest assessment of the attack. It is unclear if the agency intends to create a new cost estimate for the attack based on the updated figures. The IRS estimates it paid out $5.8 billion in fraudulent returns in 2013.

While the agency claims it prevented $24.2 billion from being paid out in fraudulent returns in 2013, the 2015 figure for the same statistic fell to $8.7 billion.


Earlier this month, the IRS announced a separate attack on its Electronic Filing PIN system, also carried out using "data stolen elsewhere outside the IRS," which was used in at least some cases to file tax returns. Out of 464,000 accounts attacked, roughly 101,000 social security numbers were used to "successfully access an E-file PIN."

NOW WATCH: This is how rapper 50 Cent made millions and then lost it