The Internal Revenue Service announced Monday that the data breach of its "Get Transcript" web program allowed hackers to access the tax returns of more than 300,000 people -- far more than the agency initially reported in May.
Back then, the agency said hackers had used stolen personal information to access past tax returns for 114,000 people through the Get Transcript web application, and then used that data to file fraudulent returns, collecting nearly $50 million in refunds.
Over the next few days, the IRS says it will be sending 220,000 letters to affected taxpayers whose returns were likely viewed by hackers and offering them free credit monitoring.
If you receive such a letter, here's what you need to do:
Pick Up More Protection
Once the IRS names you as an identity theft victim, the agency should issue you a personal identification number to use in addition to your Social Security number when submitting future tax forms. This will give you another layer of security, as the IRS will automatically reject any returns filed with an incorrect or missing PIN. You’ll get a new PIN every December.
To get the PIN, respond to the IRS's letter or complete form 14039, the identity theft affidavit.
Alert the Credit Bureaus
“If a thief had enough information about you to file a false tax return, he could have also opened new credit card accounts or taken out a loan in your name,” says CPA Troy Lewis, chairman of the American Institute of CPAs’ tax executive committee.
Set up free fraud alerts with the three major credit reporting bureaus: Equifax, Experian, and TransUnion. These alerts, which last 90 days but can be renewed, warn potential creditors or lenders that you are an identity theft victim and that they must verify your identity before issuing credit.
You can go a step further by placing an indefinite credit freeze on your files, which instructs the credit agencies to prevent new creditors from viewing your credit score and report. It's free if you file a police report detailing the identity theft; without one, it can cost as much $10, depending on your state.
Bear in mind that a freeze will also keep you from accessing instant credit. If you need to apply for a loan, you will need to give the agency permission to thaw your data -- and in some cases you’ll pay a fee to lift the freeze, which can take a few days.
Check Your Credit Report
You are entitled to a free copy of your credit report from each of the three agencies. Check these reports carefully for unauthorized activity, and look at your history as well as recent activity. (Those tax returns may not be your only ID theft problem.)
If you see errors in your report -- such as the wrong personal information, accounts you didn’t open, or debts you didn’t incur -- dispute those errors with each credit agency and the fraud department of the businesses reporting that inaccurate information.
Change Your Passwords
Thieves hacked into the IRS website with enough personal information about their victims that they were able to trump the system's multistep authentication process. That means that before they viewed your return, they already knew a lot about you -- probably because of previous data breaches that exposed your information.
These criminals also know people like to use the same password at multiple websites, so it's a good precaution to change the passwords for your email, online bank accounts, and other sites that contain your personal information. (This holds true any time you've been a hacking victim.) Follow this guide to make your passwords as secure as possible.
The IRS says a typical case of ID theft can take 180 days to resolve. And even after you’ve cleared up this year’s tax mess, tax and credit fraud can be a recurring problem.
If your tax fraud case hasn’t been resolved and you’re experiencing financial difficulties because of a holdup with your refund, contact the agency's taxpayer advocate service at 877-777-4778.