The Internal Revenue Service (IRS) reported on Friday that the total number of taxpayers affected by the incident involving the agency’s Get Transcript application is much higher than previously reported.
The Get Transcript system was launched in January 2014 on IRS.gov to allow users to view and download their tax transcripts, or have them mailed to their address. Users can no longer view and download their transcripts since May 2015, after the IRS discovered that the service had been abused by fraudsters.
The IRS revealed in May 2015 that cybercrooks had used information obtained from other sources to access the Get Transcript accounts of roughly 114,000 taxpayers. In August, the agency reported discovering that there had been an additional 220,000 victims.
In a statement published on Friday, the IRS said it discovered that the accounts of an additional 390,000 people might have been accessed between the launch of the service and until it was shut down. This brings the total number of affected accounts to 724,000.
The agency also revealed that it detected a total of 570,000 failed attempts to abuse the Get Transcript service. The new details come as a result of a nine-month investigation conducted by the Treasury Inspector General for Tax Administration.
As security blogger Brian Krebs pointed out, fraudster could gain access to Get Transcript accounts by knowing the targeted individual’s name, date of birth, social security number and filing status, along with answers to some knowledge-based authentication (KBA) questions from credit bureau Equifax, such as previous address and loan amounts.
The name, date of birth and SSN of victims could have been obtained by the cybercrooks from various sources — this type of information is often exposed in data breaches. Furthermore, the answers to KBA questions can either be guessed or obtained from various free online services.
Get Transcript was not the only IRS service abused by fraudsters using information stolen from other sources. Earlier this month, the agency informed taxpayers that identity thieves had targeted the Electronic Filing PIN application in an effort to generate PINs for stolen SSNs. The IRS said it detected unauthorized attempts using roughly 464,000 unique SSNs, 101,000 of which were successful in generating PINs that can be used to file tax returns online.
The U.S. Federal Trade Commission (FTC) reported in January that the number of identity theft complaints received by the agency in 2015 was more than 490,000, a considerable increase compared to the 332,000 complaints in the previous year.