Equifax Security Breach
To all clients:
From: Gust Lenglet
By now, most of you are aware of the security breach at Equifax, one of the three major credit reporting services. Hackers were downloading files for a couple of months before the breach was discovered, and they stole about 143,000,000 individual accounts, containing SSN’s, names, dates of birth, and addresses.
Ironically, three Equifax executives sold their company stock for $1.8 million after the security breach was discovered and long before the public was advised. (Anyone hear insider trading?)
A national tax organization, where I am a member, sent its members the message below regarding a recent meeting they had with the IRS:
“At today’s NPL Practitioner Meeting, an IRS security specialist spoke about the Equifax breach and next steps.
The IRS stressed that the data-breach is no different than the data breaches that occurred at Target, Wells Fargo and Yahoo! It was also noted important things to keep in mind regarding the Equifax breach:
- The understanding right now is that the items obtained were name, SSN and mailing address.
- That information in itself would not file a successful tax return as the meat of the return would be a guessing game.
- The Security Summit’s new processes and 37 data filters would catch the falsified information and stop the processing of the return.
- The Security Summit continues to work closely with the states and private sector to update authentication protocols.
Right now, the IRS requests that only taxpayers who can confirm that someone is trying to use their data should complete the Form 14039, Identity Theft Affidavit. Do not file this form if you’ve simply been compromised in the breach.”
The IRS first bullet point states that ONLY name, SSN, and addresses were taken. I wonder if they read the earlier statement from Equifax where they admitted to the three aforementioned items, PLUS dates of birth. These four items are what is needed to file fake tax returns electronically.
The IRS second bullet point states that “a successful tax return could not be filed”, which in itself, is absurd! During the 2016 tax filing season, with alleged safeguards in place, the IRS issued about one BILLION dollars in refunds on fraudulent tax returns. No estimates are available for the 2017 tax season.
When I read that e-mail, I was upset with the almost lackadaisical attitude conveyed, and that inspired me to write this article. In spite of the IRS claims that they have 37 data filters in place, I’m not very confident this will be the answer. The breach is bad enough, but what they don’t tell you is the hassle that you will have to go through if someone files a return using your personal information.
Even if the IRS catches the fake tax return and stops the refund, that’s not the end. By the time you receive your W-2’s and 1099’s, and other information, and then e-file your return, the hacker has already filed the fake return.
When I e-file your tax return, a notice comes back that a return has already been filed using that SSN. This means that you have to complete the Form 14039, (click to see the form) and file your return by a paper copy. If you have a refund coming, there will be a waiting period.
I don’t want to appear as an alarmist, but this data breach is a very serious matter. Hackers don’t always take this stolen information and file a tax return. There’s a section of the Internet called the “Dark Web”, where personal information and other nefarious activities are bought and sold on a daily basis.
Names, SSN’s, and addresses, and dates of birth, are sold just like any other product or service. At an IRS seminar that I attended last year, they showed us a listing on the Dark Web where a hacker was selling 2,000 names, etc. for $5,000.00. The buyer could use them to file tax returns, obtain credit cards, and various other uses.
We all need to be very careful going forward by guarding personal information. Any information that needs to be discarded should be shredded. Also, get a copy of your credit report, and if you can, put a freeze into effect.
This breach, in my opinion, is a nightmare waiting to happen for many innocent individuals and it will go on for several years. Just imagine some immoral thief having your name, SSN, date of birth, and your home address, deciding how he/she can use it to make a few bucks.
We welcome your comments below and would appreciate your insight.
This has already happened to me. They got $4,000 from an ATM machine in Eastern South Carolina. Have you ever been able to receive this much cash money from an ATM on a single day? Me either! They even sent me a text that had, my SS number. Birthdate mothers maiden name and all pertinent info. Scared the daylights out of me.
Sorry to hear about that Charles. This is just the tip of the iceberg, I’m afraid. You would think that a credit reporting service would have the best security in effect. I understand that their chief of security was a music major in college. She & one other “retired”. Wonder how much their severance package was worth??? Sure hope the other credit bureaus get cleaned up before they get hit.
Thank you, Gust, for your informative comments and warnings. We can always count on you to do the research and get the word out.
Thanks Ginny, glad you enjoyed the article.
Thanks for your update on this situation. I just can’t understand how a firm the size of Equifax would hire security specialists who weren’t educated in security procedures. Hackers today find holes in security long before we can fix them, and are having an easy time of it. It’s going to be an awful mess unless we can find some way to make these hacks not profitable.
Thanks for your comment Meridith. It appears that hackers are taking advantage of our lack of due diligence in many areas. This should be a wake up call for all of us.
It is a sad commentary of these times that the people in whom you should be able to place your trust are untrustworthy. As a brilliant man, with whom I am very well acquainted, says “Trust no one.”
Thanks for your comment. I believe I know the man you are referring to. He also says that trust is earned.
It’s sad to know that our world has resulted to things like this, just for the extra dime they can get. Or maybe they’re just plain evil. My friend has been a victim of something similar to this. His personal details were used to buy on the internet with the use of his credit card. Thankfully, his credit card company agreed to cancel the bogus transaction after he was able to follow through with it. I hope companies can take even more measures to prevent things like these from happening at all….
On another note, thank you so much for the informative article!
Thanks for your comment. It seems that hackers are always one step ahead of security measures. Even the IRS, who preaches to tax practitioners on safeguarding taxpayer data, was hacked about a year ago, and around 800,000 accounts were taken. Right now, there are several foreign countries who train people to become hackers. I guess it’s another form of warfare and we’re coming up short in many ways.