IRS hack: What to do when your Social Security number is exposed

Internal Revenue Service headquarters in Washington. The agency is under fire from Congress for not doing enough to prevent fraudulent tax filings.

(J. David Ake / Associated Press)

Consumers are prodded to reset online passwords after they’re leaked in a cyberattack. But what to do when a Social Security number becomes public?

This week’s revelation that fraudsters accessed archived federal tax filings of 100,000 taxpayers offers the latest reminder that there are a few things people can do, but there are limitations too — at least for now.

The Internal Revenue Service is sending letters to 200,000 people this week telling them that their old tax returns either ended up or almost fell into the hands of thieves. The fraudsters appeared to have amassed the victims’ personal information, including birthdates, addresses and Social Security numbers, from a source outside the IRS, the agency said.

The data could have come from any one or a combination of recent attacks -- like at Anthem or Sony Pictures Entertainment -- that spilled millions of Social Security numbers onto the Internet.


When affected by one of those big cyberattacks, the easiest protection method is activating a fraud alert through one of the credit reporting bureaus (Experian, Equifax and TransUnion). For 90 days, the bureaus must take extra steps to verify the requestor’s identity before new lines of credit can be opened.

A next possible step is paying about $5 to $10 to place a credit freeze, which automatically blocks all attempts to open new credit lines. The account must be unlocked to give, say, a landlord or a lender access to view a credit report.

But when it comes to the IRS, there’s not much consumers can do to block fraudulent tax filings that use their Social Security number. The IRS is testing a system in which filers get a unique code every December by mail that must be submitted with the tax return. The extra security measure would severely curtail online thieves in the same way that some websites now require users to log in with a password as well as a code texted to their phones.

The IRS hasn’t said when its program, called Identity Protection PIN, will be extended beyond an invitation-only basis. Until then, the victims being notified this week will get special flags on their accounts. Everyone else is stuck with filing dispute paperwork if their tax refund goes to someone else.


Chat with me on Twitter @peard33
