Tax Chief Says Don't Worry About Equifax: Only 45M of You Could Be Newly Affected

Worried about the massive Equifax breach that likely affected every single American with a credit history? Oh, don’t be—criminals already have all the info they need on you. No biggie. Plus rates of fraud are falling, so…don’t worry be happy?

That was the cheery/not-cheery assessment of the country’s top tax man, Internal Revenue Service (IRS) Commissioner John Koskinen, who said that when it comes to scams during the upcoming 2018 tax season, “we actually think that [Equifax] won’t make any significantly or noticeable difference.”

He explained his rationale in a meeting with reporters in almost dismissive terms: “Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals.” And later: “[Americans] should assume their data is already in the hands of criminals and act accordingly.”

Oh. OK then. Insert cringe-emoji here.

He went on to cite what are meant to be reassuring stats: “We’ve seen the number of identity theft-related tax returns fall by about two-thirds since 2015. Over the past two years, fewer false returns have entered the system, fewer fraudulent refunds have been issued and fewer taxpayers have reported to the IRS that they were victims of identity theft.”

Also, Koskinen said the number of reported identity-theft victims last year stood at 376,000—46% down from the year before; while this year so far has seen a 40% further drop.

The US is home to about 250 million Americans 18 and older, and about 145.5 million of us are affected by the Equifax breach. Koskinen said that IRS estimates put the previous total of those who have had their personal information stolen by hackers at 100 million Americans. If the two estimates are put together, it adds up to almost the entire adult population—but of course, there’s bound to be overlap. And even if that overlap is anywhere close to 100%, it still doesn’t mean that no one should worry: The gap leaves an enormous number of brand-new victims.

“The difference between them is as much as 45 million people, more than the individual populations of the large majority of European countries—almost as much as Spain; more than four times that of Greece, Portugal and Sweden; nearly 10 times that of Norway, Ireland and numerous others,” pointed out Sophos Security analyst Taylor Armerding, in a post.

Further, Rebecca Herold, CEO of The Privacy Professor, told Sophos that what’s missing from the assessment is an awareness that the kind of information lifted from Equifax is far more wide-ranging than the usual financial data breach.

“He apparently doesn’t realize that Equifax, and the other two major US credit reporting agencies (CRAs), possess an amount of data far beyond the other types that have been breached elsewhere—such things as job histories and associated salaries, home addresses, medical information, schools attended, and so much more,” she said.

To point out the issue in a topical way: The IRS recently created 37 data filters that would prevent nefarious types that only had a name, address and Social Security Number (SSN) from being able to file fraudulent returns—they would need much more information to create something believable, like salary totals, debt totals on business lines of credit and the like.

Come to think of it, they would need JUST the sort of information hackers gained access to…in the Equifax breach!

Sure, the IRS is working on stronger password protocols, better ways to flag questionable refunds and testing out verification codes for the W-2 forms that report citizens’ income. But the assessment that the Equifax breach will have negligible effect on tax fraud this season seems specious at best—and dangerous at worst, if people are lulled into a false sense of security. 

What’s Hot on Infosecurity Magazine?