Human error, specifically one human's error, is why 145 million of us are worrying about what crooks will do with the data that was stolen earlier this year in a data breach of Equifax.
Richard Smith, the credit reporting bureau's former CEO, in testimony before the House Energy and Commerce Committee today, blamed the initial failure to patch a known security risk on a specific individual. He did not name that person.
"The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not," Smith told the Congressional panel.
The hearing came on the heels of news that the Equifax breach of personal information, ranging from bank and credit card account numbers to Social Security numbers, affected 2.5 million more Americans than first believed. That pushes those of us whose financial details are at potential risk to more than 145 million.
Potential filing season tax troubles: And the concerns are likely to continue into the 2018 tax filing season.
Part of the reason Equifax will be a tax issue is that the company has a contract with the Internal Revenue Service, which has its own history of data breaches. Equifax will get $7.25 million to "verify taxpayer identity" and "assist in ongoing identity verification and validations" at the IRS.
The main reason for concern, though, is that, as Smith testified, the "major cyberattack on Equifax" provided thieves access to not just individuals' names and Social Security numbers, but also birth dates, addresses and, in some instances, driver's license numbers.
Those are all things that are needed to file federal and many states' tax returns.
So just how worried should we be that data stolen from Equifax will find its way into false tax returns filed by crooks seeking fraudulent refunds?
The relatively good news is that while incredibly scary, the Equifax hack is just the latest in a long line of cyberthefts of personal data. In recent years major retailers, banks and even fast-food establishments (yes, I'm looking at you, Sonic and Whole Foods) and their customers have been victims of electronic criminals.
And just how is that good news? At least we know what to look for and what we can do to help prevent illicit use of our data.
That was the message last month from an IRS specialist who met with members of the National Association of Tax Professionals (NATP).
IRS filters to fight stolen data use: In NATP's report to its members following that IRS meeting, the tax agency security specialist noted that crooks armed with just a name, Social Security number and mailing address wouldn't get very far in filing a fake tax return since "the meat of the return would be a guessing game."
And to ensure that the guessing game player would come up with the correct answers, the IRS rep pointed to the new processes and 37 data filters created in conjunction with the Security Summit. These should catch falsified information and stop the processing of the return.
In addition, the IRS notes that it and its state and tax industry partners continue to update authentication protocols.
Some of the recently implemented tax filing security improvements include the 16-digit verification code that this year was part of around 2 million W-2 forms.
In addition, thanks to a provision in the Protecting Americans from Tax Hikes (PATH) Act, employers must file workers' W-2 forms with the Social Security Administration by Jan. 31. This is a month earlier than in prior years and it means the IRS will be able to more quickly verify tax returns' legitimacy by comparing the data on the forms with that on the wage statements.
Another PATH provision means filers who claim the Earned Income Tax Credit or Additional Child Tax Credit won't get their tax refunds until Feb. 15. Crooks often use these credits, which are refundable, meaning you get money back from Uncle Sam even if you don't owe taxes, on fake returns. The IRS estimated that it issued almost $17 billion in improper EITC payments in fiscal year 2016.
No word yet on how well the delayed refunds connected to these two tax credits worked this filing season. But if it does show some added success in stopping fraudulent refunds, I wouldn't be surprised to see more similar delays instituted. (Yet another reason to adjust your withholding.)
More ID theft protections on the way? We might learn more of possible new IRS efforts to fight tax ID theft, especially in light of the Equifax debacle, at a House Ways and Means Oversight Subcommittee hearing tomorrow, Oct. 4.
Technically, the session is to examine the IRS' efforts to modernize its information technology infrastructure. But what's happening there could lead to inquiries by Representatives on how the agency's overall system is equipped to deal with cyber threats and tax identity theft.
Of course, no security system, as has been demonstrated repeatedly, is totally hack-proof.
That's why the IRS urges tax professionals and their clients — and all of us who do our taxes on our own, too — to assume that some tax identity thief somewhere has our personal and financial information and to continue to monitor our accounts and credit reports.
If you do discover that a crook is trying to use your personal info, you can file Form 14039, Identity Theft Affidavit. However, notes the IRS, don't file this form if you've simply been compromised in the Equifax or another breach.