Posts

3.8 Million South Carolina Taxpayers at Risk for ID Theft

,

South Carolina Governor Nikki Haley blamed an outdated Internal Revenue Service standard (see below) as a source of a massive data breach that exposed the SSNs of 3.8 million South Carolina taxpayers plus credit card and bank account data. The identity information, nearly 75 GB worth, was stolen from computers that belonged to the SC Department of Revenue.

The breach reveals some shocking realizations for the people of South Carolina, and the rest of us:

  • South Carolina is compliant with IRS rules, but the IRS DOES NOT REQUIRE THAT SSNs BE ENCRYPTED. In other words, the keys to your financial buying power (your credit profile via SSN) is protected in no material way by the IRS, and therefore by your state government.
  • Technology isn’t the only source of blame. As is the case in nearly every data breach I’m brought in to help clean up, a HUMAN DECISION is at the heart of the breach.

A report issued by Mandiant (a security company) determined that an employee’s computer became infected with malware after the user opened a phishing email. The hacker captured the employee’s username and password, accessed the agency’s Citrix remote access service and installed malicious tools that captured user account passwords on six servers and gave them access to at least 36 other systems.

So what’s the point?

  1. The IRS needs to update it’s non-encryption policy;
  2. Individual states need to take responsibility too and enact a higher standard  of SSN protection than is required by the federal government
  3. All governmental and corporate organizations need to train their employees on the 15 YEAR OLD PHENOMENON of PHISHING, not to mention ten forms of modern theft detection. If your employees are still falling for phishing, you are way behind the data protection curve.
  4. Businesses can’t ignore this problem, as data belonging to 699,900 businesses was compromised

Now it’s time for South Carolina (and the IRS) to clean up the mess. Unfortunately, a portion of the 3.8 million South Carolina taxpayers are the real ones left with the mess.


John Sileo is the award-winning author of Privacy Means Profit (which provides tools for identity theft prevention and recovery) and keynote speaker on data privacy and reputation protection. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper60 Minutes or Fox Business.

Identity Thieves Score Billions from the IRS and Taxpayers

, ,

Every dollar counts, now more than ever, as the government searches for ways to wisely spend our money. It’s dismaying to learn that an audit report from the Treasury Inspector General for Tax Administration (TIGTA) has found that the impact of identity theft on tax administration is significantly greater than the amount the IRS detects and prevents. Even worse, the “IRS uses little of the data from identity theft cases…to detect and prevent future tax refund fraud” according to Mike Godfrey, Tax-News.

  • The IRS is detecting far fewer fake tax returns than are actually falsely filed. 938,700 were detected in 2011. On the other hand, TIGTA identified 1.5M additional undetected tax returns in 2011 with potentially fraudulent tax refunds totaling in excess of $5.2B.
  • The study predicted that the IRS stands to lose $21B in revenue over the next 5 years with new fraud controls, or $26B without the new controls.
  • Key victims include the deceased, children, or someone who would not normally file a return such as lower income individuals that are not legally required to file.
  • A Postal Inspector in Florida uncovered a tax refund scheme whereby refunds were going into debit-card accounts via thieves using the social security numbers (SSN) of dead people. Direct deposit is preferred as it doesn’t require a mailing address, photo ID, name or a trip to the bank.
  • The IRS allows multiple direct deposits to the same bank account. A key finding in the report showed hundreds of tax returns were filed from a single address. In one case, 2,137 returns resulted in $3.3M in refunds to a home in Lansing, Michigan, and 518 returns resulted in $1.8M in refunds to a home in Tampa, Florida.
  • The IRS lacks access to 3rd party information to verify returns and root out fraud. It is issuing refunds in January before it can verify data from employers and financial institutions in March. This gap provides a huge window of opportunity for thieves.
  • The IRS is not gathering enough information to prevent fraud; i.e., how the return is filed, income information on the W-2, the amount of the refund and where the refund is sent.
  • New screening filters that can identify false tax returns before they are processed have the potential to diminish the number of fraud cases as well as other ongoing anti-fraud procedures employed by the IRS. It is placing a unique identity theft indicator on the accounts of the deceased. As of March, 2012, 164,000 accounts were locked, possibly preventing $1.8M in fraud.

Charles Boustany, the US House of Representatives Oversight Subcommitte Chairman, who sent a letter to the IRS demanding a full accounting for the agency’s continued inability to stop tax fraud related to identity theft, declared that “this report raises serious questions regarding the IRS’s ability to detect tax fraud…”. The lost federal money is extremely troubling but there’s another loss to consider – the potential to erode taxpayer confidence in our system of tax administration.


John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

$10 Buys Thieves Access To A Dead Person's Identity

You may think your deceased loved ones are safe from having their identities stolen. Not true! The Death Master File contains data about millions of deceased people including the full name, Social Security number and other personal information. Though you’d think this would be carefully guarded, the Social Security Administration provides the file to the Department of Commerce’s National Technical Information Service (NTIS). NTIS, in turn, distributes it to more than 450 entities including state and local governments, hospitals, universities, financial institutions, insurance companies and genealogy services. Even worse, anyone can access the information through the NTIS website. The cost? $10 for one person or an annual subscription with unlimited access to all of the files of deceased individuals costs $995.

The Social Security Administration created the file to help financial institutions and businesses prevent identity theft by using the file to cross-reference applicants and customers to verify they’re not using a dead person’s identity. According to CNN Money, Senator Bob Casey, Democrat, Pennsylvania, said the agency is “inadvertently facilitating tax fraud” and has called for restrictions to be placed on access to the Death Master File. The IRS has been adding protections but it’s struggling to keep up with a surge in tax fraud. The Treasury Inspector General said in May that the IRS could end up doling out $26 billion in fraudulent refunds over the next five years. In a congressional hearing in May, IRS deputy commissioner Steven Miller said that as of mid-April, his agency had already flagged 91,000 tax returns that were filed under the names of recently deceased individuals.

About 2.4 million deceased Americans each year get their identities stolen according to ID Analytics. Besides taking revenue from the government, thieves steal the personal information to apply for credit cards, cell phones and anything that requires a credit check. And think of the toll it takes on the families that have just lost a loved one. Their grief is compounded by having to rescue that person’s identity. 

Because of the Freedom of Information Act, it’ll take legislation to restrict access to the file unless the Office of Management and Budget finds a way to limit access and cut down tax fraud. The best action you can take to protect your private information while you’re alive (and that will carry over in death) is to freeze your credit. A credit freeze is simply an agreement you make with the three main credit reporting bureaus (Experian, Equifax and TransUnion – listed below) that they won’t allow new accounts (credit card, banking, brokerage, loans, rental agreements, etc.) to be attached to your name/social security number unless you contact the credit bureau, give them a password and allow them to unfreeze or thaw your account for a short period of time. Yes, freezing your credit takes a bit of time (maybe an hour of work), can be a little inconvenient when you want to set up a new account (that said, let’s face it, businesses want to make it as easy as possible to unfreeze your credit because they benefit when you set up new accounts and spend more money) and it can cost a few dollars (generally about $10 to unfreeze, a small price compared to the recovery costs of identity theft). And it is worth it! It’s like putting locks on your doors.

Since all states don’t allow you, by law, to freeze your credit, the three credit reporting bureaus have begun to offer credit freezes on a national basis. This is a major step forward in the prevention of identity theft, even if they are offering it for profit reasons (they make money every time you freeze/unfreeze your credit). If your state does not currently offer credit freezes by law, you can now apply with each credit reporting bureau individually. Regardless of where you live, freeze your credit today.A credit freeze doesn’t affect your existing credit – it doesn’t freeze credit cards, bank accounts or loans you already have. It only freezes access to your account unless someone has a password to get in. It’s like having a PIN number on your ATM card. It also doesn’t lower (or raise) your credit score.

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742