You probably heard about the massive security breach the IRS disclosed last month that allowed hackers to obtain detailed tax return information on 104,000 taxpayers.
But you might not have connected that event with a procedure encountered by most home buyers seeking a mortgage: Lenders routinely require them to sign an IRS form that allows underwriters to obtain transcripts covering multiple years of past tax returns. The form involved is known as a 4506-T, and it's part of the paper blitz that hits applicants during the loan process.
Although the IRS said that just half of hackers' estimated 200,000 attempts to access tax transcripts were successful, the sobering fact remains: Criminals were able to steal prodigious quantities of private tax information.
Now to the 4506-T system used for mortgage applications. You fill out the form, indicating which years of transcripts you authorize to be pulled. Your mortgage broker or lender then typically provides it to a third-party vendor that has signed up with IRS to access taxpayer transcripts under the Income Verification Express Service.
Some of these vendors are large, well-known corporations, including credit reporting agencies. Others are little-known and small.
To sign up on the IVES system, according to IRS instructions online, vendors must submit basic information about their business and check a box indicating that they agree to comply with an IRS publication spelling out procedures to safeguard taxpayer data.
The IRS provided no comment to my requests for information on the 4506-T program, potential vulnerabilities to data breaches and how many vendors participate in the tax transcript program. Industry sources said the number of vendors is significant.
Critics say that although there have been no reported breaches of taxpayer information to date, the relatively low bars set by the IRS to qualify and monitor participants are troubling. In 2011, the Treasury Department's inspector general for tax administration conducted an investigation of the program and concluded that taxpayer information "is at risk of theft or misuse when taxpayers submit IVES requests for tax return information through third parties because controls are insufficient…."
A key problem, the inspector general said, is that the IRS did not have an adequate screening process nor adequate minimum requirements to ensure security and privacy. In response, the IRS promised to make improvements.
Curtis R. Knuth, executive vice president of one major transcript vendor, New Jersey-based NCS, told me that his firm and others have urged the IRS to "toughen its standards" and security controls for participants, some of whom are subject to "very minimal screening." Without stricter requirements, Knuth said, "there is the potential" for breaches of mortgage applicant tax data.
The head of another large vendor, Nick Lim, CEO of California-based Veri-Tax, said that "there is no system that is bulletproof." But he said his company "prides [itself] on taking security seriously" and that it completes annual audits designed to test data security to the highest standards. NCS also undergoes rigorous audits, Knuth said.
Based on the record so far, your tax data appear to be safe. Then again, the IRS — and thousands of taxpayers — thought the IRS' own in-house tax transcript system was well guarded from theft and fraud. That turned out to be incorrect.
Distributed by Washington Post Writers Group.