Equifax Security Breach
To all clients:
From: Gust Lenglet
By now, most of you are aware of the security breach at Equifax, one of the three major credit reporting services. Hackers were downloading files for a couple of months before the breach was discovered, and they stole about 143,000,000 individual accounts, containing SSNs, names, dates of birth, and addresses.
Ironically, three Equifax executives sold their company stock for $1.8 million after the security breach was discovered and long before the public was advised. (Anyone hear insider trading?)
A national tax organization, where I am a member, sent its members the message below regarding a recent meeting they had with the IRS:
“At today’s NPL Practitioner Meeting, an IRS security specialist spoke about the Equifax breach and next steps.
The IRS stressed that the data breach is no different than the data breaches that occurred at Target, Wells Fargo and Yahoo! It also noted important things to keep in mind regarding the Equifax breach:
- The understanding right now is that the items obtained were name, SSN and mailing address.
- That information in itself would not file a successful tax return as the meat of the return would be a guessing game.
- The Security Summit’s new processes and 37 data filters would catch the falsified information and stop the processing of the return.
- The Security Summit continues to work closely with the states and private sector to update authentication protocols.
Right now, the IRS requests that only taxpayers who can confirm that someone is trying to use their data should complete the Form 14039, Identity Theft Affidavit. Do not file this form if you’ve simply been compromised in the breach.”
The IRS’s first bullet point states that ONLY name, SSN, and addresses were taken. I wonder if they read the earlier statement from Equifax where they admitted to the three aforementioned items, PLUS dates of birth. These four items are what is needed to file fake tax returns electronically.
The IRS’s second bullet point states that “a successful tax return could not be filed”, which, in itself, is absurd! During the 2016 tax filing season, with alleged safeguards in place, the IRS issued about one BILLION dollars in refunds on fraudulent tax returns. No estimates are available for the 2017 tax season.
When I read that e-mail, I was upset with the almost lackadaisical attitude conveyed, and that inspired me to write this article. In spite of the IRS claims that they have 37 data filters in place, I’m not very confident this will be the answer. The breach is bad enough, but what they don’t tell you is the hassle that you will have to go through if someone files a return using your personal information.
Even if the IRS catches the fake tax return and stops the refund, that’s not the end. By the time you receive your W-2s, 1099s, and other information, and then e-file your return, the hacker has already filed the fake return.
When I e-file your tax return, a notice comes back that a return has already been filed using that SSN. This means that you have to complete the Form 14039 and file your return by a paper copy. If you have a refund coming, there will be a waiting period.
I don’t want to appear as an alarmist, but this data breach is a very serious matter. Hackers don’t always take this stolen information and file a tax return. There’s a section of the Internet called the “Dark Web”, where personal information is bought and sold, and other nefarious activities take place, on a daily basis.
Names, SSNs, addresses, and dates of birth are sold just like any other product or service. At an IRS seminar that I attended last year, they showed us a listing on the Dark Web where a hacker was selling 2,000 names, etc. for $5,000.00. The buyer could use them to file tax returns, obtain credit cards, and for various other uses.
We all need to be very careful going forward by guarding personal information. Any information that needs to be discarded should be shredded. Also, get a copy of your credit report, and if you can, put a freeze into effect.
This breach, in my opinion, is a nightmare waiting to happen for many innocent individuals and it will go on for several years. Just imagine some immoral thief having your name, SSN, date of birth, and your home address, deciding how he/she can use it to make a few bucks.
We welcome your comments below and would appreciate your insight.