Naked Security

IRS chief: assume your identity has been stolen

Americans should “assume their data is already in the hands of criminals and ‘act accordingly.’”

You’ve been told privacy is dead? It’s actually worse than that. Your identity has been reanimated as a zombie and it could be roaming about trying to do things without your consent.

That’s according to Internal Revenue Service (IRS) Commissioner John Koskinen at a recent briefing to reporters: If you are an American, you should assume that any number of cyber criminals have enough information about you to pose as you.

Koskinen was speaking Tuesday ahead of the agency’s annual Security Summit, about the IRS’s data security efforts heading into the 2018 tax season and, inevitably, was asked if the mammoth, catastrophic breach of big-three credit reporting agency Equifax would have an effect on tax fraud.

Not even enough to notice, was the response, reported in The Hill. “We actually think that it won’t make any significantly or noticeable difference,” he said.

Why? “Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals,” he said.

Here are the numbers that matter:

There are about 250 million Americans 18 and older.

An estimated 145.5 million people were affected by the Equifax breach where hackers had access to names and addresses and other personally identifiable information (PII) – including information that’s difficult or impossible to change like Social Security numbers and dates of birth.

Meanwhile the official IRS estimate is that more than 100 million Americans have had their PII stolen by hackers.

There’s wiggle room in both figures but the difference between them is as much as 45 million people, more than the individual populations of the large majority of European countries – almost as much as Spain; more than four times that of Greece, Portugal and Sweden; nearly 10 times that of Norway, Ireland and numerous others.

So, according to Koskinen, the reality could be much worse than the official estimate. He advised all Americans to “assume their data is already in the hands of criminals and ‘act accordingly.’”

He’s not the first one to say so, of course. Star security blogger Brian Krebs said essentially the same thing in more than one of the multiple posts he filed on the Equifax breach. But it came across, at least to some privacy experts, as not only a casual dismissal of one of the most damaging breaches of the year, but also uninformed, as if it were at the same level as a credit card breach.

Rebecca Herold, CEO of The Privacy Professor, called it, “simplistic and naïve.”

He apparently doesn’t realize that Equifax, and the other two major US credit reporting agencies (CRAs), possess an amount of data far beyond the other types that have been breached elsewhere – such things as job histories and associated salaries, home addresses, medical information, schools attended, and so much more.

To try and minimize a breach of this magnitude is disappointing, to say the least, from him.

Koskinen, in prepared remarks, said the agency does take tax fraud very seriously, and is having some very serious success in reducing it. The Security Summit – a joint project of the IRS, state tax agencies and the private sector launched in 2015 – is a major reason for that, he said. Those improvements show up in the fraud statistics, he said:

We’ve seen the number of identity theft-related tax returns fall by about two-thirds since 2015. Over the past two years, fewer false returns have entered the system, fewer fraudulent refunds have been issued and fewer taxpayers have reported to the IRS that they were victims of identity theft.

In the “identity theft” category, Koskinen said the number of reported victims in 2016 was 376,000 – 46% down from 2015. And this year, through August, the number is 189,000, a drop of about 40% from the same time last year.

Kay Bell, self-described “tax geek” and author of the blog Don’t Mess With Taxes, complimented the IRS on 37 relatively new data filters created in conjunction with the Security Summit that she said would easily stop a criminal even if he had a name, address and SSN. The filters, she said, make sure, “the meat of the return would be a guessing game.”

Koskinen, in his statement, said other methods of catching fraudulent returns and refunds include:

  • Stronger password protocols.
  • Working with financial institutions to flag questionable refunds.
  • A pilot program that adds a verification code to W-2 forms.

Of course, Koskinen didn’t go into much detail about what individual citizens can do to “act accordingly” in response to assuming that their PII is already in criminal hands. That may be because, other than putting a credit freeze in place with all the credit bureaus and monitoring their own finances, there isn’t a whole lot they can do.

As Herold put it:

All those people whose personal life data was breached at Equifax did not directly do business with Equifax, as is most often the case with those other breaches he references. There was no way the impacted individuals could have done anything to ensure Equifax had appropriate security controls in place for their associated data – they had no choice.


The IRS isn’t the only federal agency giving Equifax a free pass. The DOJ seems to be sitting on its hands. Until Equifax is required to give all its victims LIFETIME identity theft insurance and credit monitoring and free reports I will not be satisfied.


The IRS has been a part of the problem and while they have been working on improving upon that it hasn’t helped the taxpayer one bit. This from an organization that should be leading the charge hand in hand with the Treasury Department. People! Raise up your voices and demand change. We can do better and we deserve better!


As hard as I’ve tried to keep my info off the web, others have been continuously putting it out there. The fact that this has been rammed down my throat ticks me off to no end!


I read the referenced article and the IRS comments are reasonable given the topic; he’s talking about whether he anticipates if it will result in increased fraud against the IRS and tax payers. Maybe he’s right, and we’ll know for sure in a few months. I have seen nothing to suggest that the Equifax breach included any of the credit information referenced by Herold, so throwing that around seems inappropriate in this context.


Starting with the assumption that everyone’s PII has been leaked, and therefore everyone is vulnerable to identity theft on various fronts regardless of the Equifax breach, then it only makes sense that the system needs to change. It’s not acceptable for this to be acceptable! Governmental agencies responsible for issuing our PII (SS #’s, tax IDs, etc) & credit agencies either need to update the system to fit, at least modern, security standards or replace them with standards that are secure into the foreseeable future.
At this point, any website with 2FA (two factor authentication) is more secure than submitting tax paperwork or establishing credit. That’s unacceptable.


Personally, I think that it should be a criminal offense to lose any person’s SS number, regardless of intent. And the corporate legal shield should not apply. No human at Equifax will have to pay for the damage their company has done. But, some certainly should have to pay.
Credit bureaus should have security as good as any bank does. But, they didn’t seem to care, and now we pay the price.
Time for Congress to act.

